
Windows Analysis Report
https://eshoradebitcoin.com/3.dat

Overview

General Information

Sample URL: https://eshoradebitcoin.com/3.dat
Analysis ID: 1429002

Detection

PureLog Stealer, zgRAT
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected PureLog Stealer
Yara detected zgRAT
Machine Learning detection for dropped file
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses insecure TLS / SSL version for HTTPS connection

Classification

  • System is w10x64
  • chrome.exe (PID: 7152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 3128 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1992,i,2771170727428028237,18400158983486350545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 6152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://eshoradebitcoin.com/3.dat" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • OpenWith.exe (PID: 4368 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer capability that targets browser information and cryptowallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\Downloads\3.dat.crdownload | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Users\user\Downloads\3.dat.crdownload | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
dropped/chromecache_61 | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
dropped/chromecache_61 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
          No Sigma rule has matched
          No Snort rule has matched


          AV Detection

Source: C:\Users\user\Downloads\3.dat.crdownload | Avira: detection malicious, Label: TR/Dropper.Gen
Source: /opt/package/joesandbox/database/analysis/1429002/temp/droppedscan/chromecache_61 | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Downloads\3.dat (copy) | ReversingLabs: Detection: 87%
Source: C:\Users\user\Downloads\3.dat.crdownload | ReversingLabs: Detection: 87%
Source: Chrome Cache Entry: 61 | ReversingLabs: Detection: 87%
Source: C:\Users\user\Downloads\3.dat.crdownload | Joe Sandbox ML: detected
Source: /opt/package/joesandbox/database/analysis/1429002/temp/droppedscan/chromecache_61 | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91 (20 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 184.31.62.93 (20 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | HTTP traffic detected:
  GET /3.dat HTTP/1.1
  Host: eshoradebitcoin.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /fs/windows/config.json HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
  Range: bytes=0-2147483646
  User-Agent: Microsoft BITS/7.8
  Host: fs.microsoft.com
Source: unknown | DNS traffic detected: queries for: eshoradebitcoin.com
Source: unknown | HTTP traffic detected:
  POST /threshold/xls.aspx HTTP/1.1
  Origin: https://www.bing.com
  Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
  Accept: */*
  Accept-Language: en-CH
  Content-type: text/xml
  X-Agent-DeviceId: 01000A410900D492
  X-BM-CBT: 1696428841
  X-BM-DateFormat: dd/MM/yyyy
  X-BM-DeviceDimensions: 784x984
  X-BM-DeviceDimensionsLogical: 784x984
  X-BM-DeviceScale: 100
  X-BM-DTZ: 120
  X-BM-Market: CH
  X-BM-Theme: 000000;0078d7
  X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
  X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22
  X-Device-isOptin: false
  X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
  X-Device-OSSKU: 48
  X-Device-Touch: false
  X-DeviceID: 01000A410900D492
  X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh
  X-MSEdge-ExternalExpType: JointCoord
  X-PositionerType: Desktop
  X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
  X-Search-CortanaAvailableCapabilities: None
  X-Search-SafeSearch: Moderate
  X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time
  X-UserAgeClass: Unknown
  Accept-Encoding: gzip, deflate, br
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
  Host: www.bing.com
  Content-Length: 2484
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713568951032&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: unknown | Network traffic detected: HTTP traffic on ports 49673, 49674, 49675, 49703, 49710, 49711, 49713, 49714, 49715, 49721, 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703, 49710, 49711, 49713, 49714, 49715, 49721, 49726
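The two network signatures above, "TCP traffic detected without corresponding DNS query" and "Uses insecure TLS / SSL version for HTTPS connection", are both correlations over the sandbox's connection log. The Python script below is an added example, not code from Joe Sandbox, that reproduces both checks over a constructed event log. The addresses, ports and TLS versions are the ones listed in this report; the log line format, the DNS answer lines and the assumption that 1.1.1.1 is the sandbox's own resolver (so UDP/53 to it is the lookup itself, not a destination that needed a lookup) are the example's own. Keep in mind what these hits mean for this analysis: the process tree contains only chrome.exe and OpenWith.exe, so 3.dat never ran, and the flagged connections and the TLS 1.0 session belong to the browser and to Windows background services (the Cortana POST to www.bing.com and the BITS fetch from fs.microsoft.com are routine sandbox noise), not to the payload.

```python
"""Correlate sandbox network events (added example, not Joe Sandbox code).

Flags (1) TCP peers that no DNS answer in the same log produced, which is how
a hard-coded C2 address shows up in a capture, and (2) TLS sessions negotiated
below TLS 1.2.  The log format is an assumption; the addresses, ports and TLS
versions are the ones listed in the report."""
import re
from collections import Counter

# Constructed log.  "dns" lines are assumed resolver answers (the report only
# shows the query for eshoradebitcoin.com and its IP table); "tcp"/"udp" lines
# are connections from the sandbox host 192.168.2.5.
SAMPLE_EVENTS = """\
dns eshoradebitcoin.com -> 78.24.180.93
dns www.google.com -> 172.253.124.147
tcp 192.168.2.5:49726 -> 78.24.180.93:443 tls=1.2
tcp 192.168.2.5:49714 -> 184.31.62.93:443 tls=1.2
tcp 192.168.2.5:49715 -> 184.31.62.93:443 tls=1.2
tcp 192.168.2.5:49721 -> 23.1.237.91:443 tls=1.0
udp 192.168.2.5:51000 -> 1.1.1.1:53
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DNS_RE = re.compile(rf"^dns\s+(\S+)\s+->\s+({IPV4})$")
CONN_RE = re.compile(
    rf"^(tcp|udp)\s+(\S+?):(\d+)\s+->\s+({IPV4}):(\d+)(?:\s+tls=(\d+\.\d+))?$"
)

# Assumption: 1.1.1.1 is the sandbox's resolver, so traffic to it is the
# lookup itself rather than a destination that should have been looked up.
RESOLVERS = {"1.1.1.1"}
MIN_TLS = (1, 2)


def parse_events(text):
    """Return ({answered_ip: {names}}, [connection dicts]) from the log text."""
    answers, conns = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DNS_RE.match(line)
        if m:
            answers.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = CONN_RE.match(line)
        if m:
            proto, src, sport, dst, dport, tls = m.groups()
            conns.append({"proto": proto, "src": src, "sport": int(sport),
                          "dst": dst, "dport": int(dport), "tls": tls})
            continue
        raise ValueError(f"unparsed event line: {line!r}")
    return answers, conns


def unresolved_tcp_peers(answers, conns):
    """Count TCP connections per destination IP that no DNS answer returned."""
    hits = Counter()
    for c in conns:
        if c["proto"] == "tcp" and c["dst"] not in answers and c["dst"] not in RESOLVERS:
            hits[c["dst"]] += 1
    return hits


def weak_tls_sessions(conns, minimum=MIN_TLS):
    """List (dst, port, version) for sessions negotiated below the minimum version."""
    weak = []
    for c in conns:
        if c["tls"] is None:
            continue
        major, minor = (int(x) for x in c["tls"].split("."))
        if (major, minor) < minimum:
            weak.append((c["dst"], c["dport"], c["tls"]))
    return weak


def triage(text=SAMPLE_EVENTS):
    """Run both correlations and return their results keyed by check name."""
    answers, conns = parse_events(text)
    return {
        "unresolved": dict(unresolved_tcp_peers(answers, conns)),
        "weak_tls": weak_tls_sessions(conns),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

On the constructed log the first check reports 184.31.62.93 (two connections) and 23.1.237.91 (one), matching the report, and the second reports the TLS 1.0 session to 23.1.237.91:443. A connection to an IP that never appeared in a DNS answer is only interesting once you know which process opened it; in this run none of them were opened by the sample.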
Source: ab6c8f49-01ae-497c-a189-3be0203beff6.tmp.0.dr | Static PE information: No import functions for PE file found
Source: ab6c8f49-01ae-497c-a189-3be0203beff6.tmp.0.dr | Static PE information: Data appended to the last section found
Source: 3.dat.crdownload.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: chromecache_61.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal76.troj.win@18/11@4/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1992,i,2771170727428028237,18400158983486350545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://eshoradebitcoin.com/3.dat"
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (13 occurrences)
Source: C:\Windows\System32\OpenWith.exe | Section loaded (in load order; coremessaging.dll was loaded four times and twinapi.appcore.dll twice): kernel.appcore.dll, uxtheme.dll, onecoreuapcommonproxystub.dll, windows.storage.dll, wldp.dll, twinui.dll, wintypes.dll, powrprof.dll, dwmapi.dll, pdh.dll, umpdc.dll, onecorecommonproxystub.dll, actxprxy.dll, propsys.dll, profapi.dll, windows.staterepositoryps.dll, windows.ui.appdefaults.dll, windows.ui.immersive.dll, ntmarta.dll, uiautomationcore.dll, dui70.dll, duser.dll, dwrite.dll, bcp47mrm.dll, uianimation.dll, d3d11.dll, dxgi.dll, d3d10warp.dll, resourcepolicyclient.dll, dxcore.dll, dcomp.dll, oleacc.dll, edputil.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coreuicomponents.dll, coremessaging.dll, twinapi.appcore.dll, windowscodecs.dll, thumbcache.dll, policymanager.dll, msvcp110_win.dll, apphelp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, tiledatarepository.dll, staterepository.core.dll, windows.staterepository.dll, wtsapi32.dll, windows.staterepositorycore.dll, mrmcorer.dll, appxdeploymentclient.dll, sxs.dll, directmanipulation.dll, textshaping.dll
Source: C:\Windows\System32\OpenWith.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Google Drive.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 3.dat.crdownload.0.dr | Static PE information: section name: .text entropy: 7.743688791524453
Source: chromecache_61.2.dr | Static PE information: section name: .text entropy: 7.743688791524453
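The static PE signatures are what carry this verdict: "PE file does not import any functions", "PE file overlay found" (the "Data appended to the last section" line), "Drops files with a non-matching file extension" (a PE saved as 3.dat) and the .text entropy of 7.74 reported just above. The process tree shows the file was downloaded by Chrome and handed to OpenWith.exe, the Windows "Open with" dialog that appears when a file type has no registered handler, but it was never executed, so there is no runtime behaviour of the payload in this report; the "Queries the volume information" and "Stores files to the Windows start menu directory" hits come from OpenWith.exe reading font files and from Chrome creating its own "Chrome Apps" shortcuts. The vendor labels also disagree (Avira TR/Dropper.Gen, ReversingLabs Win32.Spyware.Rhadamanthys, Joe Security YARA zgRAT and PureLog Stealer), so treat the family attribution as tentative. The script below is an added example, not Joe Sandbox's implementation, that performs the four static checks with the Python standard library only. It builds two constructed PE32 images in memory so that it runs offline: a 1 KiB random .text section with no import directory and an appended overlay, named 3.dat, and a benign counterpart named tool.exe. The extension list, the 7.0 entropy threshold and both sample layouts are the example's own assumptions.

```python
"""Static PE triage checks (added example, not Joe Sandbox code).

Reimplements four checks from the report with the standard library only:
  * the content is a PE but the extension is not an executable extension
  * the import data directory is empty ("does not import any functions")
  * bytes follow the last section's raw data ("overlay found")
  * a section's Shannon entropy is high enough to suggest packing/encryption
"""
import math
import os
import random
import struct
from collections import Counter

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}  # assumption
HIGH_ENTROPY = 7.0  # assumption; 8.0 is the maximum for byte data

# Section characteristic bits behind the report's ".text" line.
SECTION_FLAGS = {0x20: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}


def shannon_entropy(data):
    """Bits per byte, from 0.0 (constant data) to 8.0 (uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Minimal PE32/PE32+ parser: import directory, sections, overlay size."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    import_rva, import_size = struct.unpack_from("<II", data, dirs + 8)  # directory 1
    sections, data_end = [], 0
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size]),
                         "flags": [v for k, v in SECTION_FLAGS.items() if flags & k]})
        data_end = max(data_end, raw_ptr + raw_size)
    return {"import_rva": import_rva, "import_size": import_size,
            "sections": sections, "overlay": max(0, len(data) - data_end)}


def triage(filename, data):
    """Return the list of findings for one file (an empty list means clean)."""
    pe = parse_pe(data)
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in PE_EXTENSIONS:
        findings.append(f"extension {ext or '(none)'} does not match PE content")
    if pe["import_rva"] == 0 or pe["import_size"] == 0:
        findings.append("no import directory (PE file does not import any functions)")
    if pe["overlay"]:
        findings.append(f"{pe['overlay']} bytes of overlay after the last section")
    for s in pe["sections"]:
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"section {s['name']} entropy {s['entropy']:.2f} "
                            f"({', '.join(s['flags'])})")
    return findings


def build_pe32(text, with_imports, overlay=b""):
    """Construct a minimal single-section PE32 image (sample input, not real malware)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 96 + 8, 0x2000, 40)             # import directory
    raw_ptr, raw_size = 0x200, (len(text) + 0x1FF) & ~0x1FF
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, raw_size,
                          raw_ptr, 0, 0, 0, 0, 0x60000020)           # CODE|EXECUTE|READ
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return header + text.ljust(raw_size, b"\0") + overlay


# Constructed samples: a packed-looking payload saved with a .dat extension,
# and a plain executable with an import table and low-entropy code.
_rng = random.Random(1429002)
SUSPICIOUS = ("3.dat", build_pe32(bytes(_rng.getrandbits(8) for _ in range(1024)),
                                  with_imports=False, overlay=b"CONFIG-BLOB" * 8))
BENIGN = ("tool.exe", build_pe32(b"\x90" * 1024, with_imports=True))

if __name__ == "__main__":
    for name, blob in (SUSPICIOUS, BENIGN):
        print(name, triage(name, blob) or ["no findings"])
```

The suspicious sample yields all four findings and the benign one none. The import-directory check is a header test only: a .NET assembly such as this one (the mscorlib PublicKeyToken string in the memory-string section identifies it as managed code) carries its real dependencies in CLR metadata, so "no imports" says the native import table is empty, not that the program calls nothing.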
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\3.dat.crdownload
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: Chrome Cache Entry: 61
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\ab6c8f49-01ae-497c-a189-3be0203beff6.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\3.dat (copy)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: 3.dat.crdownload.0.dr, chromecache_61.2.dr | Binary or memory string: AilOgfBfMfOHEGniCcN.kmLJbnBRHGr3PRMqMOc+xfaiMJ1LKHgFS5Jr3j0+I6K0ZZ1iJX3hE6vOgRe`1[[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][]
Source: 3.dat.crdownload.0.dr, chromecache_61.2.dr | Binary or memory string: xfaiMJ1LKHgFS5Jr3j0
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (2 occurrences)
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation

          Stealing of Sensitive Information

Source: Yara match | File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match | File source: dropped/chromecache_61, type: DROPPED
Source: Yara match | File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match | File source: dropped/chromecache_61, type: DROPPED

          Remote Access Functionality

Source: Yara match | File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match | File source: dropped/chromecache_61, type: DROPPED
Source: Yara match | File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match | File source: dropped/chromecache_61, type: DROPPED
MITRE ATT&CK Matrix (a leading number is the count of matched signatures mapped to that technique; cells without a number are unmatched entries of the grid)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 11 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Process Injection | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Obfuscated Files or Information | Security Account Manager | 11 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          No Antivirus matches
Source | Detection | Scanner | Label
C:\Users\user\Downloads\3.dat.crdownload | 100% | Avira | TR/Dropper.Gen
/opt/package/joesandbox/database/analysis/1429002/temp/droppedscan/chromecache_61 | 100% | Avira | TR/Dropper.Gen
C:\Users\user\Downloads\3.dat.crdownload | 100% | Joe Sandbox ML |
/opt/package/joesandbox/database/analysis/1429002/temp/droppedscan/chromecache_61 | 100% | Joe Sandbox ML |
C:\Users\user\Downloads\ab6c8f49-01ae-497c-a189-3be0203beff6.tmp | 100% | Joe Sandbox ML |
C:\Users\user\Downloads\3.dat (copy) | 88% | ReversingLabs | Win32.Spyware.Rhadamanthys
C:\Users\user\Downloads\3.dat.crdownload | 88% | ReversingLabs | Win32.Spyware.Rhadamanthys
Chrome Cache Entry: 61 | 88% | ReversingLabs | Win32.Spyware.Rhadamanthys
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
eshoradebitcoin.com | 78.24.180.93 | true | false | | unknown
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.50.36 | true | false | | unknown
www.google.com | 172.253.124.147 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://eshoradebitcoin.com/3.dat | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
239.255.255.250 | unknown | Reserved | | unknown | unknown | false
78.24.180.93 | eshoradebitcoin.com | Russian Federation | | 35377 | TRN-TELECOM-ASRU | false
172.253.124.147 | www.google.com | United States | | 15169 | GOOGLEUS | false
                    IP
                    192.168.2.5
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1429002
                    Start date and time:2024-04-20 01:21:57 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 3m 50s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:browseurl.jbs
                    Sample URL:https://eshoradebitcoin.com/3.dat
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal76.troj.win@18/11@4/4
                    EGA Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 142.250.9.94, 142.250.105.84, 64.233.176.139, 64.233.176.101, 64.233.176.138, 64.233.176.113, 64.233.176.100, 64.233.176.102, 34.104.35.123, 13.85.23.86, 23.40.205.73, 23.40.205.51, 192.229.211.108, 13.95.31.18, 20.166.126.56, 40.127.169.103, 74.125.138.94, 20.12.23.50, 217.20.50.36
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, update.googleapis.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: https://eshoradebitcoin.com/3.dat
Time | Type | Description
01:24:04 | API Interceptor | 1x Sleep call for process: OpenWith.exe modified
                    No context
                    No context
                    No context
                    No context
                    No context
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                    Category:dropped
                    Size (bytes):2677
                    Entropy (8bit):3.9805603972866095
                    Encrypted:false
                    SSDEEP:48:82d3TvDaHyidAKZdA19ehwiZUklqehhy+3:8en7iy
                    MD5:2F7F3CBE26F8F123D8CE2C143A1E0E83
                    SHA1:CAFE33BF3198E6236390E1774B46C207D336228F
                    SHA-256:062DB634F873ABAE711AA6EBD7D2251DF744232D043912B4692D3029302E0101
                    SHA-512:A3267F5F67EA78C8B1D2BAFF7495A532D79F717F3CF57A14282F49850D75CB9A1CFFF44731B5DF284F2C8B12869102CF51F0585DEF58931D1A97625C7D51AD14
                    Malicious:false
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                    Category:dropped
                    Size (bytes):2679
                    Entropy (8bit):3.9962972489092916
                    Encrypted:false
                    SSDEEP:48:8Sd3TvDaHyidAKZdA1weh/iZUkAQkqehSy+2:8CnJ9Q/y
                    MD5:49F85D6EDE969C503CD8D7DB59A79367
                    SHA1:0F5ECEDF7B675E82E71DADA32B0FA51DD2C00878
                    SHA-256:1576EBE0028778604B449F0697F5D93E7EB427344FCBAD37D6E6A8DB271B09CF
                    SHA-512:AF977C45A74AC0A403358170F12A69A3E68EE6B604E2E3FFE93B4299415772DF3CA11EB40474BF02FAA2D49F14D6EA3E8F256C009E5FB0E11C2A30B51D7179A1
                    Malicious:false
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                    Category:dropped
                    Size (bytes):2693
                    Entropy (8bit):4.008139868611802
                    Encrypted:false
                    SSDEEP:48:8xcd3TvDsHyidAKZdA14tseh7sFiZUkmgqeh7sgy+BX:8xcnznmy
                    MD5:52210EC4608EE6DFF00021BA96E04B5F
                    SHA1:4A82D73FCDD6ABB4F699FA134ED3CEE46B8F783B
                    SHA-256:D9AD242CDD6257BE5E160B7FBAA6E61E123A21BBADDB18ECC9FD9E6F840E0A64
                    SHA-512:4DAF14302C96FF514C779C14F72B6E62B43DE3ACA1B14E3A20FDEA5CE15FE92584328908BFD05ADF08DE1AA409CC062BFBF80AE0980AA313E61A9CA131BA778F
                    Malicious:false
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                    Category:dropped
                    Size (bytes):2681
                    Entropy (8bit):3.99729783002844
                    Encrypted:false
                    SSDEEP:48:8dd3TvDaHyidAKZdA1vehDiZUkwqehuy+R:8HnKoy
                    MD5:05DDC2F969D2F4A9E8559B9238FD383D
                    SHA1:230907B440125C39E0B9992E9DAA84FF6A51BA3E
                    SHA-256:99F9FDC09756B13A7EF9D9C0F84F39A018EAAC7A48B70AAAA8DF372B359E03F3
                    SHA-512:C1F6E284C3739D6BD29CA4212BA2FF73E5139365EFE222A7DB2CA9F3A9BF06157E9C8FE67A7A719042D3C6319C95A9338B1E292D9D1F5992788CEA754A333D83
                    Malicious:false
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                    Category:dropped
                    Size (bytes):2681
                    Entropy (8bit):3.9857391373062585
                    Encrypted:false
                    SSDEEP:48:8Gd3TvDaHyidAKZdA1hehBiZUk1W1qehEy+C:8unq9ky
                    MD5:E716A68C513A3C12AF63DC20DE617B84
                    SHA1:FE0B97FFEE4DFCC6331C55208042539F11BB1360
                    SHA-256:EE66062B93CD535EEBF0A229278C4B02AB00654C49DF82FF543AEA4C4E43859B
                    SHA-512:9F5CA324A40E5D29EEC59C2D2DC7A6CD628623E54DA17A49D17D81D5AF698F6DD06776BAE783966D1FF1CBF2DF118ED60677F7376B804EC44130BF603C9E3AAB
                    Malicious:false
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                    Category:dropped
                    Size (bytes):2683
                    Entropy (8bit):3.9962722207396566
                    Encrypted:false
                    SSDEEP:48:8ld3TvDaHyidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbmy+yT+:8/n0T/TbxWOvTbmy7T
                    MD5:9BFE233EF9734EC6A2034F4BE2642F3E
                    SHA1:458B1149CA48D7C3C4BA17BB510FCAA7E4DCC56B
                    SHA-256:690446C0662AF84EE5A1058D3B67918B9FF2B5DE04FE3F810A81CED20610926B
                    SHA-512:23B35013D1436A34025B130CBC47C440E3FBF1FB75FB1F5DAD23131259CF69EC5F11D500003AF45F6624BD1A0619A039CA14D2C2D86F80012D8D777C9797EE8D
                    Malicious:false
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):793088
                    Entropy (8bit):7.735549177639494
                    Encrypted:false
                    SSDEEP:12288:rypQrulqgXsBry3Bd/7f9b7ekLKOXlpGtaKksX5VjofTYj2LMVUxa7dSItGx:xrGbcByj7fBektXlpGLJJ+C2wu0xtGx
                    MD5:B68CED78E1348DE3AF3FB2052AA4F1A1
                    SHA1:C974C8857A1AECBA0347280C3F6EFF561A2F3FB5
                    SHA-256:C829BE0E78641329583DE11672027A67CB3FC2BA31059E258A87001953B8F4AC
                    SHA-512:DA54D1E31D0DC20730DFF2ECA07EA8517812986BB337335078F189B3008F49360C09C0B38006827984023A79256C7F0EEDC334FCADFB26C05DCB962C28E8F479
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 88%
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):793088
                    Entropy (8bit):7.735549177639494
                    Encrypted:false
                    SSDEEP:12288:rypQrulqgXsBry3Bd/7f9b7ekLKOXlpGtaKksX5VjofTYj2LMVUxa7dSItGx:xrGbcByj7fBektXlpGLJJ+C2wu0xtGx
                    MD5:B68CED78E1348DE3AF3FB2052AA4F1A1
                    SHA1:C974C8857A1AECBA0347280C3F6EFF561A2F3FB5
                    SHA-256:C829BE0E78641329583DE11672027A67CB3FC2BA31059E258A87001953B8F4AC
                    SHA-512:DA54D1E31D0DC20730DFF2ECA07EA8517812986BB337335078F189B3008F49360C09C0B38006827984023A79256C7F0EEDC334FCADFB26C05DCB962C28E8F479
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\Downloads\3.dat.crdownload, Author: Joe Security
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\Downloads\3.dat.crdownload, Author: Joe Security
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 88%
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):32550
                    Entropy (8bit):5.03312126196928
                    Encrypted:false
                    SSDEEP:384:KijCfWD+c2pzgbanokVtoMKsbNpAtGkhPArFu/AJYc3ns+w6i+pf9OLq5VqmiIAs:/B2yUsV9A9bnyv+p12q/pi4oS6MtF
                    MD5:093086E5281EB4F794DBA81AE29C8D44
                    SHA1:0880AFE9FEE361A25276C5684BDC0D72205DEC12
                    SHA-256:5A133E22D7BFFFBB2D4662DEB9B08704244814589CA74BF46624528F9BE3EE83
                    SHA-512:8C449E9F7527AF3476846C5F1383DDB4C618A3C2D34B2D5C830F464CDD69251347D4FF9A7782619A8BD8C30CE78ED8A0D4FB2017A77ABB280B13B8C85358B675
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Reputation:low
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:downloaded
                    Size (bytes):793088
                    Entropy (8bit):7.735549177639494
                    Encrypted:false
                    SSDEEP:12288:rypQrulqgXsBry3Bd/7f9b7ekLKOXlpGtaKksX5VjofTYj2LMVUxa7dSItGx:xrGbcByj7fBektXlpGLJJ+C2wu0xtGx
                    MD5:B68CED78E1348DE3AF3FB2052AA4F1A1
                    SHA1:C974C8857A1AECBA0347280C3F6EFF561A2F3FB5
                    SHA-256:C829BE0E78641329583DE11672027A67CB3FC2BA31059E258A87001953B8F4AC
                    SHA-512:DA54D1E31D0DC20730DFF2ECA07EA8517812986BB337335078F189B3008F49360C09C0B38006827984023A79256C7F0EEDC334FCADFB26C05DCB962C28E8F479
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 88%
                    Reputation:low
                    URL:https://eshoradebitcoin.com/3.dat
                    No static file info
                    Icon Hash:00b29a8e86828200
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Apr 20, 2024 01:22:50.341017962 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.341023922 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.341059923 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.341367006 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.341381073 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.341422081 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.341428995 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.341464043 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.341892958 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.341907978 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.341945887 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.341950893 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.341975927 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.342000008 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.342293978 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.342308044 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.342364073 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.342372894 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.342407942 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.343055010 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.343070030 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.343111038 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.343117952 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.343142033 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.343159914 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.443897009 CEST44349713172.253.124.147192.168.2.5
                    Apr 20, 2024 01:22:50.447904110 CEST49713443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:22:50.447918892 CEST44349713172.253.124.147192.168.2.5
                    Apr 20, 2024 01:22:50.448899984 CEST44349713172.253.124.147192.168.2.5
                    Apr 20, 2024 01:22:50.448955059 CEST49713443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:22:50.453064919 CEST49713443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:22:50.453128099 CEST44349713172.253.124.147192.168.2.5
                    Apr 20, 2024 01:22:50.493488073 CEST49713443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:22:50.493498087 CEST44349713172.253.124.147192.168.2.5
                    Apr 20, 2024 01:22:50.540519953 CEST49713443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:22:50.554373980 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.554385900 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.554420948 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.554505110 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.554522991 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.554584026 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.554728031 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.554748058 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.554805994 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.554814100 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.555103064 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.555919886 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.555933952 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.556022882 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.556029081 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.556071997 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.556953907 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.556969881 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.557056904 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.557061911 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.557104111 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.557379961 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.557394981 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.557463884 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.557471991 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.557511091 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.557917118 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.557931900 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.557995081 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.558000088 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.558038950 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.558588028 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.558604002 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.558681011 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.558687925 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.558726072 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.559003115 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.559017897 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.559073925 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.559081078 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.559119940 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.559477091 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.559492111 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.559577942 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.559583902 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.559631109 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.560012102 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.560025930 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.560102940 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.560108900 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.560159922 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.560571909 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.560586929 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.560655117 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.560662031 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.560725927 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.561084986 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.561100006 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.561156988 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.561163902 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.561208010 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.561625004 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.561639071 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.561687946 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.561696053 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.561754942 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.769206047 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.769216061 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.769249916 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.769289017 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.769299030 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.769356012 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.769684076 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.769700050 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.769748926 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.769754887 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.769798994 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.770162106 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.770179033 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.770231962 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.770239115 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.770286083 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.770685911 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.770703077 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.770787001 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.770792007 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.770836115 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.771323919 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.771338940 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.771405935 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.771413088 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.771455050 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.771858931 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.771872997 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.771924973 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.771929979 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.771975040 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.772310972 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.772325993 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.772378922 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.772386074 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.772429943 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.772861958 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.772878885 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.772931099 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.772937059 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.772978067 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.773351908 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.773366928 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.773426056 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.773432970 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.773475885 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.773900032 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.773914099 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.773974895 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.773983002 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.774023056 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.774378061 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.774391890 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.774461985 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.774467945 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.774511099 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.775115013 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.775129080 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.775213957 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.775221109 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.775270939 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.775643110 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.775657892 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.775718927 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.775724888 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.775778055 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.776181936 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.776201963 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.776251078 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.776257038 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.776297092 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.776369095 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.776609898 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.776623964 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.776690006 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.776696920 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.777004004 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.777029991 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.777106047 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.777106047 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.777112007 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.777750969 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.777764082 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.777825117 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.777832031 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.778322935 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.778347015 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.778405905 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.778413057 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.778477907 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.778815031 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.778831005 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.778875113 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.778881073 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.778918982 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.779406071 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.779428005 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.779463053 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.779469967 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.779536009 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.780113935 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.780128002 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.780174971 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.780179977 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.780230045 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.780313015 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.780328989 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.780361891 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.780369043 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.780422926 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.780838966 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.780952930 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.780966997 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.781027079 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.781033039 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.781505108 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.781523943 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.781558037 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.781564951 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.781615019 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.781776905 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.781831980 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.781837940 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.781883955 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:50.781932116 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.783093929 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.783298016 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.786729097 CEST49711443192.168.2.578.24.180.93
                    Apr 20, 2024 01:22:50.786739111 CEST4434971178.24.180.93192.168.2.5
                    Apr 20, 2024 01:22:51.024307966 CEST49675443192.168.2.523.1.237.91
                    Apr 20, 2024 01:22:51.024312019 CEST49674443192.168.2.523.1.237.91
                    Apr 20, 2024 01:22:51.133690119 CEST49673443192.168.2.523.1.237.91
                    Apr 20, 2024 01:22:51.723995924 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:51.724034071 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:51.724129915 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:51.726279020 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:51.726299047 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:51.943855047 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:51.943939924 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:51.985388994 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:51.985423088 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:51.985730886 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.029767990 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.220081091 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.268115044 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.324835062 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.324896097 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.325054884 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.325054884 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.325054884 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.375989914 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.376066923 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.376199961 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.377068996 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.377135992 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.510678053 CEST4434970323.1.237.91192.168.2.5
                    Apr 20, 2024 01:22:52.510773897 CEST49703443192.168.2.523.1.237.91
                    Apr 20, 2024 01:22:52.555229902 CEST49714443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.555258036 CEST44349714184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.589303017 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.589416981 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.591897964 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.591926098 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.592168093 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.593523979 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.636204958 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.799104929 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.799185038 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.799406052 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.800786972 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.800827026 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:22:52.800858974 CEST49715443192.168.2.5184.31.62.93
                    Apr 20, 2024 01:22:52.800875902 CEST44349715184.31.62.93192.168.2.5
                    Apr 20, 2024 01:23:00.469044924 CEST44349713172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:00.469105959 CEST44349713172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:00.469163895 CEST49713443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:23:00.787766933 CEST49713443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:23:00.787810087 CEST44349713172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:02.629206896 CEST49703443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.629286051 CEST49703443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.629590988 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.629626989 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:02.629684925 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.629973888 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.629985094 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:02.781449080 CEST4434970323.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:02.781466961 CEST4434970323.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:02.944235086 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:02.944302082 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.978565931 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.978584051 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:02.978946924 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:02.979002953 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.980107069 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.980127096 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:02.981734991 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:02.981740952 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:03.293174982 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:03.293226004 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:03.293504953 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:03.293554068 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:03.293556929 CEST4434972123.1.237.91192.168.2.5
                    Apr 20, 2024 01:23:03.293603897 CEST49721443192.168.2.523.1.237.91
                    Apr 20, 2024 01:23:34.558104038 CEST49710443192.168.2.578.24.180.93
                    Apr 20, 2024 01:23:34.558134079 CEST4434971078.24.180.93192.168.2.5
                    Apr 20, 2024 01:23:49.271363974 CEST4434971078.24.180.93192.168.2.5
                    Apr 20, 2024 01:23:49.271538019 CEST4434971078.24.180.93192.168.2.5
                    Apr 20, 2024 01:23:49.271621943 CEST49710443192.168.2.578.24.180.93
                    Apr 20, 2024 01:23:50.156699896 CEST49710443192.168.2.578.24.180.93
                    Apr 20, 2024 01:23:50.156712055 CEST49726443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:23:50.156737089 CEST4434971078.24.180.93192.168.2.5
                    Apr 20, 2024 01:23:50.156790972 CEST44349726172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:50.156932116 CEST49726443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:23:50.157167912 CEST49726443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:23:50.157200098 CEST44349726172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:50.376851082 CEST44349726172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:50.377177000 CEST49726443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:23:50.377213955 CEST44349726172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:50.378290892 CEST44349726172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:50.378771067 CEST49726443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:23:50.378948927 CEST44349726172.253.124.147192.168.2.5
                    Apr 20, 2024 01:23:50.431504011 CEST49726443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:24:00.373832941 CEST44349726172.253.124.147192.168.2.5
                    Apr 20, 2024 01:24:00.374008894 CEST44349726172.253.124.147192.168.2.5
                    Apr 20, 2024 01:24:00.374092102 CEST49726443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:24:00.760114908 CEST49726443192.168.2.5172.253.124.147
                    Apr 20, 2024 01:24:00.760171890 CEST44349726172.253.124.147192.168.2.5
Timestamp                             Source Port  Dest Port  Source IP  Dest IP
Apr 20, 2024 01:22:46.516186953 CEST     53  62818  1.1.1.1  192.168.2.5
Apr 20, 2024 01:22:46.517715931 CEST     53  58376  1.1.1.1  192.168.2.5
Apr 20, 2024 01:22:47.165168047 CEST     53  61744  1.1.1.1  192.168.2.5
Apr 20, 2024 01:22:48.637576103 CEST  59822     53  192.168.2.5  1.1.1.1
Apr 20, 2024 01:22:48.637713909 CEST  54838     53  192.168.2.5  1.1.1.1
Apr 20, 2024 01:22:48.791414022 CEST     53  59822  1.1.1.1  192.168.2.5
Apr 20, 2024 01:22:48.810391903 CEST     53  54838  1.1.1.1  192.168.2.5
Apr 20, 2024 01:22:50.119669914 CEST  58516     53  192.168.2.5  1.1.1.1
Apr 20, 2024 01:22:50.120349884 CEST  56003     53  192.168.2.5  1.1.1.1
Apr 20, 2024 01:22:50.224603891 CEST     53  58516  1.1.1.1  192.168.2.5
Apr 20, 2024 01:22:50.224836111 CEST     53  56003  1.1.1.1  192.168.2.5
Apr 20, 2024 01:23:04.459247112 CEST     53  51756  1.1.1.1  192.168.2.5
Apr 20, 2024 01:23:23.451486111 CEST     53  57002  1.1.1.1  192.168.2.5
Apr 20, 2024 01:23:45.796040058 CEST     53  65088  1.1.1.1  192.168.2.5
Apr 20, 2024 01:23:46.264144897 CEST     53  61193  1.1.1.1  192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 20, 2024 01:22:48.637576103 CEST | 192.168.2.5 | 1.1.1.1 | 0x73d3 | Standard query (0) | eshoradebitcoin.com | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:48.637713909 CEST | 192.168.2.5 | 1.1.1.1 | 0xa828 | Standard query (0) | eshoradebitcoin.com | 65 (HTTPS) | IN (0x0001) | false
Apr 20, 2024 01:22:50.119669914 CEST | 192.168.2.5 | 1.1.1.1 | 0x6292 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:50.120349884 CEST | 192.168.2.5 | 1.1.1.1 | 0xb713 | Standard query (0) | www.google.com | 65 (HTTPS) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 20, 2024 01:22:48.791414022 CEST | 1.1.1.1 | 192.168.2.5 | 0x73d3 | No error (0) | eshoradebitcoin.com | - | 78.24.180.93 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:50.224603891 CEST | 1.1.1.1 | 192.168.2.5 | 0x6292 | No error (0) | www.google.com | - | 172.253.124.147 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:50.224603891 CEST | 1.1.1.1 | 192.168.2.5 | 0x6292 | No error (0) | www.google.com | - | 172.253.124.104 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:50.224603891 CEST | 1.1.1.1 | 192.168.2.5 | 0x6292 | No error (0) | www.google.com | - | 172.253.124.105 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:50.224603891 CEST | 1.1.1.1 | 192.168.2.5 | 0x6292 | No error (0) | www.google.com | - | 172.253.124.106 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:50.224603891 CEST | 1.1.1.1 | 192.168.2.5 | 0x6292 | No error (0) | www.google.com | - | 172.253.124.103 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:50.224603891 CEST | 1.1.1.1 | 192.168.2.5 | 0x6292 | No error (0) | www.google.com | - | 172.253.124.99 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:22:50.224836111 CEST | 1.1.1.1 | 192.168.2.5 | 0xb713 | No error (0) | www.google.com | - | - | 65 (HTTPS) | IN (0x0001) | false
Apr 20, 2024 01:23:02.410715103 CEST | 1.1.1.1 | 192.168.2.5 | 0x67ed | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 20, 2024 01:23:02.410715103 CEST | 1.1.1.1 | 192.168.2.5 | 0x67ed | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:23:15.366935015 CEST | 1.1.1.1 | 192.168.2.5 | 0x299 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 20, 2024 01:23:15.366935015 CEST | 1.1.1.1 | 192.168.2.5 | 0x299 | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:23:38.544236898 CEST | 1.1.1.1 | 192.168.2.5 | 0x21d9 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 20, 2024 01:23:38.544236898 CEST | 1.1.1.1 | 192.168.2.5 | 0x21d9 | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:24:03.157783031 CEST | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.50.36 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:24:03.157783031 CEST | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.48.34 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:24:03.157783031 CEST | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.63.35 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:24:03.157783031 CEST | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.53.35 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:24:03.157783031 CEST | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.50.34 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:24:03.157783031 CEST | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.51.41 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:24:03.157783031 CEST | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.50.25 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 01:24:03.157783031 CEST | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.50.99 | A (IP address) | IN (0x0001) | false
                    • eshoradebitcoin.com
                    • fs.microsoft.com
                    • https:
                      • www.bing.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 78.24.180.93 | 443 | 3128 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-19 23:22:49 UTC | 667 | OUT | GET /3.dat HTTP/1.1
                    Host: eshoradebitcoin.com
                    Connection: keep-alive
                    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                    sec-ch-ua-mobile: ?0
                    sec-ch-ua-platform: "Windows"
                    Upgrade-Insecure-Requests: 1
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Sec-Fetch-Site: none
                    Sec-Fetch-Mode: navigate
                    Sec-Fetch-User: ?1
                    Sec-Fetch-Dest: document
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en;q=0.9
2024-04-19 23:22:49 UTC | 218 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.24.0
                    Date: Fri, 19 Apr 2024 23:22:49 GMT
                    Content-Length: 793088
                    Connection: close
                    Last-Modified: Sat, 13 Apr 2024 15:03:07 GMT
                    ETag: "c1a00-615fbaf97811a"
                    Accept-Ranges: bytes
                    2024-04-19 23:22:49 UTC16166INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 50 9c 1a 66 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 0b 00 00 10 0c 00 00 08 00 00 00 00 00 00 ae 2e 0c 00 00 20 00 00 00 40 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00
                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELPf. @@ @
                    2024-04-19 23:22:49 UTC16384INData Raw: 00 00 00 20 2f 00 00 00 20 38 00 00 00 58 9c 20 8c 00 00 00 20 2e 00 00 00 59 fe 0e 1b 00 fe 0c 01 00 20 03 00 00 00 fe 0c 1b 00 9c fe 0c 01 00 20 03 00 00 00 20 d6 00 00 00 20 04 00 00 00 58 9c 20 b3 00 00 00 20 3b 00 00 00 59 fe 0e 1b 00 fe 0c 01 00 20 04 00 00 00 fe 0c 1b 00 9c fe 0c 01 00 20 04 00 00 00 20 b8 00 00 00 20 3d 00 00 00 59 9c fe 0c 01 00 20 04 00 00 00 20 c8 00 00 00 20 42 00 00 00 59 9c 20 df 00 00 00 20 4a 00 00 00 59 fe 0e 1b 00 fe 0c 01 00 20 04 00 00 00 fe 0c 1b 00 9c fe 0c 01 00 20 04 00 00 00 20 65 00 00 00 20 65 00 00 00 58 9c 20 bc 00 00 00 20 26 00 00 00 58 fe 0e 1b 00 fe 0c 01 00 20 04 00 00 00 fe 0c 1b 00 9c 20 82 00 00 00 20 2b 00 00 00 59 fe 0e 1b 00 fe 0c 01 00 20 05 00 00 00 fe 0c 1b 00 9c fe 0c 01 00 20 05 00 00 00 20 2f
                    Data Ascii: / 8X .Y X ;Y =Y BY JY e eX &X +Y /
                    2024-04-19 23:22:50 UTC16384INData Raw: 00 00 00 59 fe 0e 0d 00 20 aa 00 00 00 28 f9 01 00 06 39 5d d1 ff ff 26 20 e8 00 00 00 38 52 d1 ff ff 1f 0a 8d 0d 00 00 01 13 0b 20 11 00 00 00 28 fa 01 00 06 3a 3a d1 ff ff 26 20 3d 00 00 00 38 2f d1 ff ff fe 0c 67 00 20 1d 00 00 00 fe 0c 0d 00 9c 20 5f 00 00 00 38 17 d1 ff ff 20 d3 00 00 00 20 46 00 00 00 59 fe 0e 0d 00 20 2d 02 00 00 38 fe d0 ff ff fe 0c 64 00 20 0a 00 00 00 fe 0c 68 00 9c 20 2e 01 00 00 28 fa 01 00 06 39 e1 d0 ff ff 26 20 a5 00 00 00 38 d6 d0 ff ff fe 0c 64 00 20 01 00 00 00 20 11 00 00 00 20 6f 00 00 00 58 9c 20 56 02 00 00 38 b7 d0 ff ff fe 0c 67 00 20 00 00 00 00 fe 0c 0d 00 9c 20 1c 00 00 00 38 9f d0 ff ff fe 0c 67 00 20 08 00 00 00 20 a0 00 00 00 20 35 00 00 00 59 9c 20 f5 00 00 00 28 f9 01 00 06 3a 7b d0 ff ff 26 20 f2 00 00 00
                    Data Ascii: Y (9]& 8R (::& =8/g _8 FY -8d h .(9& 8d oX V8g 8g 5Y (:{&
                    2024-04-19 23:22:50 UTC16384INData Raw: 28 89 00 00 0a 2a 2a fe 09 00 00 6f 78 00 00 0a 2a 00 2a fe 09 00 00 6f 8a 00 00 0a 2a 00 1e 00 28 36 01 00 06 2a 3a fe 09 00 00 fe 09 01 00 6f 8b 00 00 0a 2a 00 4a fe 09 00 00 fe 09 01 00 fe 09 02 00 6f 8c 00 00 0a 2a 00 1e 00 28 52 01 00 06 2a 5a fe 09 00 00 fe 09 01 00 fe 09 02 00 fe 09 03 00 6f 86 00 00 0a 2a 00 2a fe 09 00 00 6f 8d 00 00 0a 2a 00 2e 00 fe 09 00 00 28 53 01 00 06 2a 2a fe 09 00 00 6f 87 00 00 0a 2a 00 2a fe 09 00 00 6f 8e 00 00 0a 2a 00 3e 00 fe 09 00 00 fe 09 01 00 28 8f 00 00 0a 2a 16 14 14 fe 01 2a 00 00 0a 14 2a 00 1e 00 28 44 02 00 06 2a 2e 00 fe 09 00 00 28 19 00 00 0a 2a 2e 00 fe 09 00 00 28 14 00 00 0a 2a 2a fe 09 00 00 6f 76 00 00 0a 2a 00 2a fe 09 00 00 6f 88 00 00 0a 2a 00 1e 00 28 90 00 00 0a 2a 2e 00 fe 09 00 00 28 91 00
                    Data Ascii: (**ox**o*(6*:o*Jo*(R*Zo**o*.(S**o**o*>(***(D*.(*.(**ov**o*(*.(
                    2024-04-19 23:22:50 UTC16384INData Raw: 00 59 9c 20 18 00 00 00 38 4a cc ff ff 20 d1 00 00 00 20 45 00 00 00 59 fe 0e 22 00 20 03 00 00 00 28 65 02 00 06 3a 2c cc ff ff 26 20 3f 00 00 00 38 21 cc ff ff 20 5d 00 00 00 20 2a 00 00 00 58 fe 0e 06 00 20 5e 00 00 00 28 65 02 00 06 39 03 cc ff ff 26 20 47 00 00 00 38 f8 cb ff ff fe 0c 1c 00 20 04 00 00 00 20 12 00 00 00 20 7a 00 00 00 58 9c 20 6e 00 00 00 28 65 02 00 06 3a d4 cb ff ff 26 20 1b 01 00 00 38 c9 cb ff ff 20 a5 00 00 00 20 76 00 00 00 59 fe 0e 0a 00 20 12 01 00 00 38 b0 cb ff ff fe 0c 1c 00 20 0d 00 00 00 20 12 00 00 00 20 06 00 00 00 59 9c 20 64 01 00 00 28 64 02 00 06 3a 8c cb ff ff 26 20 33 00 00 00 38 81 cb ff ff 16 13 27 20 64 00 00 00 38 74 cb ff ff 20 a3 00 00 00 20 36 00 00 00 59 fe 0e 22 00 20 01 00 00 00 28 65 02 00 06 3a 56 cb
                    Data Ascii: Y 8J EY" (e:,& ?8! ] *X ^(e9& G8 zX n(e:& 8 vY 8 Y d(d:& 38' d8t 6Y" (e:V
                    2024-04-19 23:22:50 UTC16384INData Raw: 00 00 46 2b 05 28 4a 8e 43 5c 0e 01 0e 00 6f 36 07 00 06 2a 00 00 42 28 46 01 00 06 d0 d9 00 00 02 28 3d 01 00 06 2a 00 00 00 46 2b 05 28 3c 46 66 54 0e 01 0e 00 6f 3a 07 00 06 2a 00 00 42 28 46 01 00 06 d0 da 00 00 02 28 3d 01 00 06 2a 00 00 00 46 2b 05 28 fe 4a 7d 3d 0e 01 0e 00 6f 3e 07 00 06 2a 00 00 42 28 46 01 00 06 d0 db 00 00 02 28 3d 01 00 06 2a 00 00 00 4e 2b 05 28 d0 dd 0b 42 0e 02 0e 00 0e 01 6f 42 07 00 06 2a 42 28 46 01 00 06 d0 dc 00 00 02 28 3d 01 00 06 2a 00 00 00 46 2b 05 28 df ce 01 32 0e 01 0e 00 6f 46 07 00 06 2a 00 00 42 28 46 01 00 06 d0 dd 00 00 02 28 3d 01 00 06 2a 00 00 00 46 2b 05 28 cf 17 0c 3d 0e 01 0e 00 6f 4a 07 00 06 2a 00 00 42 28 46 01 00 06 d0 de 00 00 02 28 3d 01 00 06 2a 00 00 00 46 2b 05 28 95 36 53 53 0e 01 0e 00 6f
                    Data Ascii: F+(JC\o6*B(F(=*F+(<FfTo:*B(F(=*F+(J}=o>*B(F(=*N+(BoB*B(F(=*F+(2oF*B(F(=*F+(=oJ*B(F(=*F+(6SSo
                    2024-04-19 23:22:50 UTC16384INData Raw: 81 02 03 00 14 87 81 02 03 00 37 87 81 02 03 00 5a 87 81 02 03 00 7d 87 81 02 03 00 a0 87 81 02 03 00 c3 87 81 02 03 00 e6 87 81 02 03 00 09 88 81 02 03 00 2c 88 81 02 03 00 4f 88 81 02 03 00 72 88 81 02 03 00 95 88 81 02 03 00 b8 88 81 02 03 00 db 88 81 02 03 00 fe 88 81 02 03 00 21 89 81 02 03 00 44 89 81 02 03 00 67 89 81 02 03 00 8a 89 81 02 03 00 ad 89 81 02 03 00 d0 89 81 02 03 00 f3 89 81 02 03 00 16 8a 81 02 03 00 39 8a 81 02 03 00 5c 8a 81 02 03 00 7f 8a 81 02 03 00 a2 8a 81 02 03 00 c5 8a 81 02 03 00 e8 8a 81 02 03 00 0b 8b 81 02 03 00 2e 8b 81 02 03 00 51 8b 81 02 03 00 74 8b 81 02 03 00 97 8b 81 02 03 00 ba 8b 81 02 03 00 dd 8b 81 02 03 00 00 8c 81 02 03 00 23 8c 81 02 03 00 46 8c 81 02 03 00 69 8c 81 02 03 00 8c 8c 81 02 03 00 af 8c 81 02 03
                    Data Ascii: 7Z},Or!Dg9\.Qt#Fi
                    2024-04-19 23:22:50 UTC16384INData Raw: 43 02 00 00 00 00 00 00 c6 05 28 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 33 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 3e 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 49 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 54 61 ed 0d 43 02 00 00 00 00 00 00 c6 05 5f 61 ed 0d 43 02 00 00 00 00 00 00 c6 05 6a 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 75 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 80 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 8b 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 96 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 a1 61 e7 0d 43 02 00 00 00 00 00 00 c6 05 ac 61 ed 0d 43 02 00 00 00 00 00 00 c6 05 b7 61 ed 0d 43 02 00 00 00 00 00 00 c6 05 c2 61 f3 0d 43 02 00 00 00 00 00 00 c6 05 cd 61 f3 0d 43 02 00 00 00 00 00 00 c6 05 d8 61 f3 0d 43 02 00 00 00 00 00 00 c6 05 e3 61 f9 0d 43 02 00
                    Data Ascii: C(aC3aC>aCIaCTaC_aCjaCuaCaCaCaCaCaCaCaCaCaCaC
                    2024-04-19 23:22:50 UTC16384INData Raw: 00 00 03 00 46 00 f1 3c c2 0f d8 03 10 6b 01 00 08 00 16 00 1b 8f 8c 21 d8 03 00 00 00 00 03 00 06 18 7a 00 df 03 d8 03 24 6b 01 00 08 00 10 18 e4 25 e0 00 d8 03 00 00 00 00 03 00 46 00 f1 3c 99 21 d8 03 38 6b 01 00 08 00 16 00 1b 8f a0 21 d8 03 00 00 00 00 03 00 06 18 7a 00 df 03 d8 03 50 6b 01 00 08 00 10 18 e4 25 e0 00 d8 03 00 00 00 00 03 00 46 00 f1 3c af 21 d8 03 64 6b 01 00 08 00 16 00 1b 8f b5 21 d8 03 00 00 00 00 03 00 06 18 7a 00 df 03 d8 03 78 6b 01 00 08 00 10 18 e4 25 e0 00 d8 03 00 00 00 00 03 00 46 00 f1 3c 59 1b d8 03 8c 6b 01 00 08 00 16 00 1b 8f c3 21 d8 03 00 00 00 00 03 00 06 18 7a 00 df 03 d8 03 a0 6b 01 00 08 00 10 18 e4 25 e0 00 d8 03 00 00 00 00 03 00 46 00 f1 3c d2 21 d8 03 b4 6b 01 00 08 00 16 00 1b 8f d8 21 d8 03 00 00 00 00 03
                    Data Ascii: F<k!z$k%F<!8k!zPk%F<!dk!zxk%F<Yk!zk%F<!k!
                    2024-04-19 23:22:50 UTC16384INData Raw: 64 50 43 65 54 4a 66 38 34 67 00 78 36 46 30 6e 77 6b 4d 74 67 72 75 74 41 43 39 45 6f 36 00 52 51 72 45 5a 53 6b 64 52 4a 46 46 61 6d 62 57 6f 43 78 00 6b 6c 47 39 4c 4c 6b 43 49 73 35 72 66 69 68 44 6c 72 63 00 55 67 67 31 6e 4f 6b 4f 68 43 37 59 59 53 72 59 53 4a 4a 00 68 49 39 4c 63 49 6b 30 69 34 67 39 4c 61 48 67 55 6f 51 00 70 5a 62 74 64 71 6b 75 34 4c 67 63 45 66 77 33 77 54 79 00 63 70 51 5a 74 34 6b 55 79 52 74 44 59 32 56 62 49 62 4e 00 57 67 76 6d 70 30 6b 74 38 38 33 58 61 35 44 73 75 6f 62 00 75 79 58 6d 71 35 6b 54 71 48 56 51 4a 34 4a 79 6a 4c 62 00 77 64 70 54 4c 64 6b 6d 62 35 71 34 4d 5a 38 49 46 52 75 00 53 42 43 72 32 39 6b 36 45 37 39 6c 30 42 71 41 75 71 6f 00 74 71 4d 44 5a 59 6b 59 6f 35 41 42 62 70 64 35 58 31 42 00 66 68 44 73
                    Data Ascii: dPCeTJf84gx6F0nwkMtgrutAC9Eo6RQrEZSkdRJFFambWoCxklG9LLkCIs5rfihDlrcUgg1nOkOhC7YYSrYSJJhI9LcIk0i4g9LaHgUoQpZbtdqku4LgcEfw3wTycpQZt4kUyRtDY2VbIbNWgvmp0kt883Xa5DsuobuyXmq5kTqHVQJ4JyjLbwdpTLdkmb5q4MZ8IFRuSBCr29k6E79l0BqAuqotqMDZYkYo5ABbpd5X1BfhDs
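The response above is the security-relevant part of this session: the server answers GET /3.dat with 200 OK, no Content-Type header, Content-Length 793088 and Last-Modified Sat, 13 Apr 2024 15:03:07 GMT, and the body begins with an MZ stub whose e_lfanew points at a PE signature at offset 0x80. The COFF header there reads Machine 0x014c (i386), 3 sections, TimeDateStamp 0x661a9c50 (2024-04-13 14:53:04 UTC, about ten minutes before the Last-Modified value) and a PE32 optional-header magic (0x10b). The following Python is an added example, not code from the report or from Joe Sandbox: it performs the network-side equivalent of the report's "Drops files with a non-matching file extension" signature by sniffing the body for a PE image regardless of the URL extension, and it compares the linker timestamp with the server's Last-Modified header. The sample bytes are constructed from the field values visible in the hex dump (the rest of the optional header is zero-filled), and the helper names (parse_pe_head, assess_download) are this example's own.

```python
"""Added example (not part of the Joe Sandbox report): detect a PE image served
under a harmless-looking name, read its COFF header and compare the linker
timestamp with the HTTP Last-Modified header."""
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from os.path import splitext
from typing import Optional
from urllib.parse import urlsplit

# Response headers as they appear in the report for GET /3.dat (no Content-Type).
SAMPLE_HEADERS = {
    "Server": "nginx/1.24.0",
    "Content-Length": "793088",
    "Last-Modified": "Sat, 13 Apr 2024 15:03:07 GMT",
}

# Extensions under which a PE image is expected; anything else is a mismatch.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}


def build_sample_pe_head() -> bytes:
    """CONSTRUCTED stand-in for the first bytes of the /3.dat body.

    Field values mirror the report's hex dump (PE header at 0x80, Machine
    0x14c, 3 sections, TimeDateStamp 0x661a9c50, PE32 magic, linker 11.0);
    the remainder of the optional header is zero-filled, so this is not the
    real sample."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<H", dos, 0x18, 0x40)   # e_lfarlc, as in the dump
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew -> "PE\0\0" at 0x80
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 7)
    coff = struct.pack(
        "<IHHIIIHH",
        0x00004550,   # "PE\0\0"
        0x014C,       # Machine: IMAGE_FILE_MACHINE_I386
        3,            # NumberOfSections
        0x661A9C50,   # TimeDateStamp (seconds since the Unix epoch)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0xE0,         # SizeOfOptionalHeader
        0x010E,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE | ...
    )
    optional = struct.pack("<HBB", 0x10B, 11, 0) + b"\x00" * (0xE0 - 4)
    return bytes(dos) + stub + coff + optional


def parse_pe_head(data: bytes) -> Optional[dict]:
    """Return COFF-header facts for a PE image, or None if `data` is not one.

    Checks the MZ magic, follows e_lfanew and requires the "PE\\0\\0"
    signature, so a text body (JSON, HTML) is rejected early."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info = {"pe_offset": e_lfanew, "machine": machine, "sections": nsections,
            "timestamp": timestamp, "characteristics": chars}
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
        info["format"] = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic))
    return info


def compile_time_utc(info: dict) -> str:
    """Render the COFF TimeDateStamp as a UTC wall-clock string."""
    dt = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def assess_download(url: str, headers: dict, body: bytes) -> dict:
    """Flag a PE body behind a non-PE extension and relate its link time to
    the server's Last-Modified header (seconds from build to upload)."""
    ext = splitext(urlsplit(url).path)[1].lower()
    info = parse_pe_head(body)
    verdict = {"extension": ext, "is_pe": info is not None, "mismatch": False}
    if info is None:
        return verdict
    verdict.update(info)
    verdict["mismatch"] = ext not in PE_EXTENSIONS
    verdict["compile_time_utc"] = compile_time_utc(info)
    last_modified = headers.get("Last-Modified")
    if last_modified:
        lm = parsedate_to_datetime(last_modified)
        if lm.tzinfo is None:            # "-0000" dates parse as naive
            lm = lm.replace(tzinfo=timezone.utc)
        verdict["seconds_from_build_to_upload"] = int(lm.timestamp()) - info["timestamp"]
    return verdict


if __name__ == "__main__":
    print(assess_download("https://eshoradebitcoin.com/3.dat",
                          SAMPLE_HEADERS, build_sample_pe_head()))
```

Run against the constructed header this reports extension ".dat", is_pe True, mismatch True, compile_time_utc 2024-04-13 14:53:04 and a build-to-upload gap of 603 seconds, which matches the report's Last-Modified value. Treat the timestamp as corroboration only: TimeDateStamp is attacker-controlled, and deterministic .NET builds store a content hash there rather than a clock value, so a plausible time is a weak signal while an implausible one (epoch zero, far future) is the stronger tell. The hex dump on this page is truncated before the section table, so the overlay the report flags ("PE file overlay found") cannot be reproduced from these bytes; with the full file one would compare the end of the last section's raw data against the 793088-byte Content-Length.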


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49714 | 184.31.62.93 | 443 | - | -
Timestamp | Bytes transferred | Direction | Data
2024-04-19 23:22:52 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
                    Connection: Keep-Alive
                    Accept: */*
                    Accept-Encoding: identity
                    User-Agent: Microsoft BITS/7.8
                    Host: fs.microsoft.com
2024-04-19 23:22:52 UTC | 467 | IN | HTTP/1.1 200 OK
                    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                    Content-Type: application/octet-stream
                    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                    Server: ECAcc (chd/079C)
                    X-CID: 11
                    X-Ms-ApiVersion: Distribute 1.2
                    X-Ms-Region: prod-eus-z1
                    Cache-Control: public, max-age=114029
                    Date: Fri, 19 Apr 2024 23:22:52 GMT
                    Connection: close
                    X-CID: 2


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49715 | 184.31.62.93 | 443 | - | -
Timestamp | Bytes transferred | Direction | Data
2024-04-19 23:22:52 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
                    Connection: Keep-Alive
                    Accept: */*
                    Accept-Encoding: identity
                    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                    Range: bytes=0-2147483646
                    User-Agent: Microsoft BITS/7.8
                    Host: fs.microsoft.com
2024-04-19 23:22:52 UTC | 805 | IN | HTTP/1.1 200 OK
                    ApiVersion: Distribute 1.1
                    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                    Server: ECAcc (chd/0778)
                    X-CID: 11
                    X-CCC: US
                    X-Azure-Ref-OriginShield: Ref A: 52EA27DBDE0C4533B819423583F6692E Ref B: CH1AA2040902052 Ref C: 2023-07-09T23:10:08Z
                    X-MSEdge-Ref: Ref A: 528BB8D443C042AA9AEA4EC3F75C7762 Ref B: CHI30EDGE0111 Ref C: 2023-07-09T23:11:11Z
                    Content-Type: application/octet-stream
                    X-Azure-Ref: 01uvbYwAAAACkqWtaEMjWQL/4cpisZkorTUVNMzBFREdFMDgxMQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y=
                    Cache-Control: public, max-age=114050
                    Date: Fri, 19 Apr 2024 23:22:52 GMT
                    Content-Length: 55
                    Connection: close
                    X-CID: 2
2024-04-19 23:22:52 UTC | 55 | IN | Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
                    Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.5 | 49721 | 23.1.237.91 | 443
Timestamp | Bytes transferred | Direction | Data
2024-04-19 23:23:02 UTC | 2148 | OUT | POST /threshold/xls.aspx HTTP/1.1
                    Origin: https://www.bing.com
                    Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                    Accept: */*
                    Accept-Language: en-CH
                    Content-type: text/xml
                    X-Agent-DeviceId: 01000A410900D492
                    X-BM-CBT: 1696428841
                    X-BM-DateFormat: dd/MM/yyyy
                    X-BM-DeviceDimensions: 784x984
                    X-BM-DeviceDimensionsLogical: 784x984
                    X-BM-DeviceScale: 100
                    X-BM-DTZ: 120
                    X-BM-Market: CH
                    X-BM-Theme: 000000;0078d7
                    X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
                    X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22
                    X-Device-isOptin: false
                    X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
                    X-Device-OSSKU: 48
                    X-Device-Touch: false
                    X-DeviceID: 01000A410900D492
                    X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh
                    X-MSEdge-ExternalExpType: JointCoord
                    X-PositionerType: Desktop
                    X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                    X-Search-CortanaAvailableCapabilities: None
                    X-Search-SafeSearch: Moderate
                    X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time
                    X-UserAgeClass: Unknown
                    Accept-Encoding: gzip, deflate, br
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
                    Host: www.bing.com
                    Content-Length: 2484
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713568951032&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-04-19 23:23:02 UTC | 1 | OUT | Data Raw: 3c
                    Data Ascii: <
                    2024-04-19 23:23:02 UTC2483OUTData Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49
                    Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-04-19 23:23:03 UTC | 476 | IN | HTTP/1.1 204 No Content
                    Access-Control-Allow-Origin: *
                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                    X-MSEdge-Ref: Ref A: 8A353DD6F1B844CA81B232859A306DBA Ref B: CO1EDGE2620 Ref C: 2024-04-19T23:23:03Z
                    Date: Fri, 19 Apr 2024 23:23:03 GMT
                    Connection: close
                    Alt-Svc: h3=":443"; ma=93600
                    X-CDN-TraceID: 0.57ed0117.1713568983.13b26a55



                    Target ID:0
                    Start time:01:22:40
                    Start date:20/04/2024
                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
                    Imagebase:0x7ff715980000
                    File size:3'242'272 bytes
                    MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false

                    Target ID:2
                    Start time:01:22:44
                    Start date:20/04/2024
                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1992,i,2771170727428028237,18400158983486350545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                    Imagebase:0x7ff715980000
                    File size:3'242'272 bytes
                    MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false

                    Target ID:3
                    Start time:01:22:47
                    Start date:20/04/2024
                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://eshoradebitcoin.com/3.dat"
                    Imagebase:0x7ff715980000
                    File size:3'242'272 bytes
                    MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:7
                    Start time:01:24:04
                    Start date:20/04/2024
                    Path:C:\Windows\System32\OpenWith.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                    Imagebase:0x7ff785e70000
                    File size:123'984 bytes
                    MD5 hash:E4A834784FA08C17D47A1E72429C5109
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false

                    No disassembly