
Windows Analysis Report
ntladlklthawd.exe

Overview

General Information

Sample name: ntladlklthawd.exe
Analysis ID: 1646207
MD5: 6458162bb12fe032d99795e4301c1c49
SHA1: 41e42ecd45f58b6cea1ee4891afd60fb913831b7
SHA256: fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899
Tags: exe, user-tcains1

Detection

Salat Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Salat Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Uses 32bit PE files
Yara detected Credential Stealer

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • ntladlklthawd.exe (PID: 7680 cmdline: "C:\Users\user\Desktop\ntladlklthawd.exe" MD5: 6458162BB12FE032D99795E4301C1C49)
    • ntladlklthawd.exe (PID: 8124 cmdline: "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" - MD5: 6458162BB12FE032D99795E4301C1C49)
  • rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)
  • tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2457055619.0000000001337000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_SalatStealer | Yara detected Salat Stealer | Joe Security |
00000007.00000002.1234252663.0000000001467000.00000040.00000001.01000000.00000008.sdmp | JoeSecurity_SalatStealer | Yara detected Salat Stealer | Joe Security |
00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: ntladlklthawd.exe PID: 7680 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
7.2.ntladlklthawd.exe.c90000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
7.2.ntladlklthawd.exe.c90000.0.unpack | JoeSecurity_SalatStealer | Yara detected Salat Stealer | Joe Security |
0.2.ntladlklthawd.exe.b60000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.ntladlklthawd.exe.b60000.0.unpack | JoeSecurity_SalatStealer | Yara detected Salat Stealer | Joe Security |

Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys
No Suricata rule has matched


                    AV Detection

Source: ntladlklthawd.exe; Avira: detected
Source: https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/8text/html;; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/text/html;; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/ehttps://sa1at.ru/sa1at/etext/html;; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/html;; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/etext/html;; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/8text/html;; Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/8https://sa1at.ru/sa1at/; Avira URL Cloud: Label: malware
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe; ReversingLabs: Detection: 52%
Source: ntladlklthawd.exe; Virustotal: Detection: 65%
Source: ntladlklthawd.exe; ReversingLabs: Detection: 52%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: ntladlklthawd.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ntladlklthawd.exe; Directory created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe
Source: ntladlklthawd.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View; IP Address: 1.1.1.1
Source: Joe Sandbox View; IP Address: 172.67.191.102
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (21 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 172.67.191.102 (29 occurrences)
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://c.pki.goog/r/gsr1.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://c.pki.goog/r/r4.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002352000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crthttp://crl3.digicert.com/DigiCertGlobalRootG2.cr
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.0000000001888000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.0000000001888000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl(c)
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B4C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018C4000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018CC000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0H
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crlhttp://crl4.digicert.com/DigiCertG
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl00
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://i.pki.goog/gsr1.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002352000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://i.pki.goog/r4.crt0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://i.pki.goog/r4.crtGlobalSign
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://i.pki.goog/we1.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://i.pki.goog/we1.crt0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://o.pki.goog/s/we1/Yak
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://o.pki.goog/s/we1/Yak0%
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0Q
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.comDigiCert
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://policy.camerfirma.com0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B5E000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://repository.swisssign.com/0
Source: ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B44000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.chambersign.org
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018DE000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.chambersign.org1
Source: ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B44000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.chambersign.orgChambers
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.digicert.com/CPS0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.quovadis.bm0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018D2000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp; String found in binary or memory: https://1.1.1.1/dns-query?name=failed
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B5E000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://repository.luxtrust.lu0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/8https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/8text/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/ehttps://sa1at.ru/sa1at/etext/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/etext/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/8text/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/text/html;
Source: ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unsafe.Pointerreflect.Value.RCodeNameErrorResourceHeaderunreachable: Accept-CharsetDkim-Signatureneed more dataREQUEST_METHODInstEmptyWidthmax-age=604800NO_VIABLE_PATHpacing limitedsqlite3_errstrsqlite3_errmsggo_commit_hookgo_update_hookgo_vtab_creatego_vtab_updatego_vtab_renamego_vtab_commitunixepoch_fracunixepoch_nano15:04:05Z07:00mime/multipartmutable-globalgo_sector_sizego_shm_barrierf32.demote_f64i32.extend16_si64.extend16_si64.extend32_sv128.load8x8_sv128.load8x8_uv128.bitselecti8x16.all_truei16x8.all_truei32x4.all_truei64x2.all_trueread block: %wfunc[%s.%s] %winvalid %s: %wunknown memoryalready closedI32WrapFromI64read value: %vsection %s: %vglobal[%d]: %wProcess32FirstWDispatchMessageSetWinEventHookHarmonyOutdatedchunk confirmedunzipping file winsta0\defaultgot dExec code:found tg:// urlActive window: Build Version: Browsers\Token_Network\Cookieszipinsecurepathrecord overflowbad certificatePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512ClientAuthType(client finishedserver finishedunknown versionmissing address/etc/mdns.allowunknown networknegative updateaccept-encodingaccept-languagex-forwarded-forAccept-Encodingrecv_rststream_Idempotency-KeyPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keywrite error: %wGetProcessTimesDuplicateHandlenegative offsetGetMonitorInfoW476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWUnmapViewOfFileFailed to load Failed to find : cannot parse ,M3.2.0,M11.1.0general failuredata before FINbad close code ExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreatePopupMenuCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetRawInputDataInsertMenuItemWIsWindowEnabledIsWindowVisiblePostQuitMessageSetActiveWindowTrackMouseEventWindowFromPointDrawThemeTextExGetSecurityInfoImpersonateSelfOpenThreadTokenSetSecurityInfoAddDllDirectoryFindNextVolumeWFindVolumeCloseGetCommTimeoutsIsWow64Process2QueryDosDeviceWSetCommTimeoutsSetVolumeLabelWRtlDefaultNpAclCLSIDFromStringStringFromGUID2IsWindowUnicodetimeBeginPeriodNTSTATUS 0x%08xRegCreateKeyExWRegDeleteValueWx509usepoliciesnothing to packIgnoring Retry.invalid boolean0601021504Z0700non-minimal tagunknown Go typeHanifi_RohingyaPsalter_Pahlavireflectlite.Set is unavailableallocmRInternalwrite heap dumpasyncpreemptoffforce gc (idle)sync.Mutex.Lockmalloc deadlockruntime error: elem size wrong with GC progmemstr_d4364461-3
Source: unknown -- Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
Source: ntladlklthawd.exe -- Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine -- Classification label: mal100.troj.spyw.winEXE@3/2@0/2
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- File created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Global\WEBR_7V2IMQ37RRTG
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- File created: C:\Users\user\AppData\Local\Temp\30adc6d5-a2d0-cb85-059e-e9cb3c09d5a2
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ntladlklthawd.exe, 00000000.00000002.2478764369.0000000026DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479088032.000000002CDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000000.00000002.2478981217.000000002ADFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000003.1251149342.0000000030E00000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002D92000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478662879.0000000024DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478872702.0000000028DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479280576.000000002EDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp -- Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ntladlklthawd.exe, 00000000.00000002.2478764369.0000000026DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479088032.000000002CDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000000.00000002.2478981217.000000002ADFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000003.1251149342.0000000030E00000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002D92000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478662879.0000000024DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478872702.0000000028DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479280576.000000002EDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp -- Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: ntladlklthawd.exe, 00000000.00000002.2478764369.0000000026E30000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ntladlklthawd.exe, 00000000.00000002.2478764369.0000000026DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479088032.000000002CDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000000.00000002.2478981217.000000002ADFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000003.1251149342.0000000030E00000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002D92000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478662879.0000000024DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478872702.0000000028DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479280576.000000002EDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp -- Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: ntladlklthawd.exe -- Virustotal: Detection: 65%
Source: ntladlklthawd.exe -- ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- File read: C:\Users\user\Desktop\ntladlklthawd.exe
Source: unknown -- Process created: C:\Users\user\Desktop\ntladlklthawd.exe "C:\Users\user\Desktop\ntladlklthawd.exe"
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: samcli.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: samlib.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: sxs.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: version.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: winsta.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Section loaded: propsys.dll
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe -- Section loaded: apphelp.dll
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe -- Section loaded: winmm.dll
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe -- Section loaded: powrprof.dll
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe -- Section loaded: umpdc.dll
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe -- Section loaded: kernel.appcore.dll
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe -- Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Directory created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe
Source: ntladlklthawd.exe -- Static file information: File size 3227136 > 1048576
Source: ntladlklthawd.exe -- Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x313a00
Source: ntladlklthawd.exe -- Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ntladlklthawd.exe -- Static PE information: section name: UPX2
Source: ntladlklthawd.exe.0.dr -- Static PE information: section name: UPX2
Source: initial sample -- Static PE information: section name: UPX0
Source: initial sample -- Static PE information: section name: UPX1
Source: initial sample -- Static PE information: section name: UPX0
Source: initial sample -- Static PE information: section name: UPX1
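The static findings above (UPX0/UPX1/UPX2 section names, a UPX1 raw section larger than 0x100000, a 32-bit EXECUTABLE_IMAGE) can be reproduced from the section table alone, without running the sample. The following is an added example written for this page, not code from the sandbox or from the malware author: a standard-library walk of the COFF header and section table that emits findings in the report's own vocabulary. UPX0 carrying no raw data (it is the unpack destination) and a high-entropy UPX1 are the usual UPX shape. The stand-in image produced by build_sample_pe() is constructed for the demo and is not the analysed file; the 7.0 entropy threshold is an assumption.

```python
"""Static triage of a PE section table (added example; build_sample_pe() is a
constructed stand-in, not the analysed ntladlklthawd.exe)."""
import math
import random
import struct
from collections import Counter

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # section names UPX writes
LARGE_RAW_SECTION = 0x100000                      # threshold the report applies to UPX1
IMAGE_FILE_MACHINE_I386 = 0x14C
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE"}
HIGH_ENTROPY = 7.0                                # assumption: above this, treat as compressed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain x86 code lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Follow e_lfanew to the COFF header, then read every 40-byte section header.
    Only the fields the triage needs are decoded; the optional header is skipped."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections = struct.unpack_from("<HH", pe, coff)
    opt_size, chars = struct.unpack_from("<HH", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    flags = [label for bit, label in CHARACTERISTICS.items() if chars & bit]
    return {"machine": machine, "characteristics": flags, "sections": sections}


def triage(pe: bytes) -> list:
    """Findings phrased the way the report phrases its static PE checks."""
    info = parse_pe(pe)
    findings = []
    if info["characteristics"]:
        findings.append("characteristics: " + ", ".join(info["characteristics"]))
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"section name: {s['name']}")
        if s["raw_size"] == 0 and s["virtual_size"]:
            findings.append(f"{s['name']}: no raw data, {s['virtual_size']:#x} virtual (unpack destination)")
        if s["raw_size"] > LARGE_RAW_SECTION:
            findings.append(f"raw size of {s['name']} is bigger than: {LARGE_RAW_SECTION:#x} < {s['raw_size']:#x}")
        if s["raw_size"] and s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{s['name']}: entropy {s['entropy']} (compressed payload)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE with the UPX layout: UPX0 has no raw data, UPX1 carries
    just over 1 MiB of pseudo-random bytes, UPX2 is a small zeroed stub."""
    rng = random.Random(7)
    upx1 = bytes(rng.getrandbits(8) for _ in range(LARGE_RAW_SECTION + 0x200))
    upx2 = bytes(0x200)
    optional_header = bytes(0xE0)      # PE32 size; contents irrelevant to this parser
    raw_start = 0x200
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
        ("UPX0", 0x1B0000, 0x1000, 0, 0, 0xE0000080),
        ("UPX1", len(upx1), 0x1B1000, len(upx1), raw_start, 0xE0000040),
        ("UPX2", 0x1000, 0x4D0000, len(upx2), raw_start + len(upx1), 0xC0000040),
    ]
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(secs), 0, 0, 0,
                       len(optional_header), 0x0102)               # EXECUTABLE_IMAGE | 32BIT_MACHINE
    hdr += optional_header
    for name, vsize, vaddr, rsize, rptr, flags in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)
    hdr += bytes(raw_start - len(hdr))
    return bytes(hdr) + upx1 + upx2


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

Against a real file, replace build_sample_pe() with open(path, "rb").read(); the parser needs nothing beyond the headers, so it is safe to run on untrusted input without executing it.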
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- File created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe
Source: C:\Windows\System32\drivers\tsusbhub.sys -- Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select TotalPhysicalMemory from Win32_ComputerSystem
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor
Source: ntladlklthawd.exe, 00000000.00000003.1248694520.0000000000A68000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ntladlklthawd.exe, 00000000.00000002.2456275793.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1233987861.000000000081E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\drivers\tsusbhub.sys -- System information queried: ModuleInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Process created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -
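The process-level behaviour recorded above gives a detection engineer a small, correlatable set of events: the desktop copy writes itself into Chrome's Application directory and launches that copy with a bare "-" argument, issues the two WMI selects (Win32_Processor Name, Win32_ComputerSystem TotalPhysicalMemory) that the report ties to VM detection, creates a Global mutex, and reads MachineGuid. Below is an added example of rule logic over such telemetry, written for this page and not taken from the sandbox or any vendor product. SAMPLE_EVENTS is constructed from the report's process tree in an assumed Sysmon-like field layout (type, pid, ppid, image, cmdline, path, query, name, key/value); the list of binaries expected under Chrome's directory is an assumption; the mutex name is the one the report lists.

```python
"""Rules over constructed endpoint events mirroring the report's process
behaviour (added example; SAMPLE_EVENTS and the field layout are assumptions)."""
import ntpath
import re
from collections import defaultdict

KNOWN_CHROME_BINARIES = {"chrome.exe", "chrome_proxy.exe"}          # assumption
CHROME_APP_DIR = re.compile(r"\\google\\chrome\\application\\", re.I)
VM_FINGERPRINT_WMI = (                                                # the two selects in the report
    re.compile(r"select\s+name\s+from\s+win32_processor", re.I),
    re.compile(r"select\s+totalphysicalmemory\s+from\s+win32_computersystem", re.I),
)
IOC_MUTEXES = {r"\Sessions\1\BaseNamedObjects\Global\WEBR_7V2IMQ37RRTG"}  # from the report
CRYPTOGRAPHY_KEY = re.compile(r"\\Microsoft\\Cryptography$", re.I)


def evaluate(events):
    """Return (rule, pid) tuples. Events are dicts with a 'type' plus the fields
    each branch reads; the list is assumed to be in chronological order."""
    findings = []
    written_by = {}                # lower-cased path -> pid that created the file
    image_of = {}                  # pid -> image path
    wmi_seen = defaultdict(set)    # pid -> indices into VM_FINGERPRINT_WMI
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "file_create":
            written_by[ev["path"].lower()] = pid
        elif kind == "process_create":
            image_of[pid] = ev["image"]
            base = ntpath.basename(ev["image"]).lower()
            if CHROME_APP_DIR.search(ev["image"]) and base not in KNOWN_CHROME_BINARIES:
                findings.append(("unknown_binary_in_chrome_dir", pid))
            # the parent dropped this exact path and shares its file name: self-copy relaunch
            parent_base = ntpath.basename(image_of.get(ev["ppid"], "")).lower()
            if written_by.get(ev["image"].lower()) == ev["ppid"] and parent_base == base:
                findings.append(("self_copy_launched_from_drop_path", pid))
            if ev.get("cmdline", "").rstrip().endswith(" -"):
                findings.append(("bare_dash_argument", pid))
        elif kind == "wmi_query":
            for idx, pat in enumerate(VM_FINGERPRINT_WMI):
                if pat.search(ev["query"]):
                    wmi_seen[pid].add(idx)
            if len(wmi_seen[pid]) == len(VM_FINGERPRINT_WMI):
                findings.append(("vm_fingerprint_wmi", pid))
                wmi_seen[pid].clear()      # reset; fires again only if both selects recur
        elif kind == "mutex_create" and ev["name"] in IOC_MUTEXES:
            findings.append(("ioc_mutex", pid))
        elif (kind == "registry_query" and CRYPTOGRAPHY_KEY.search(ev["key"])
              and ev["value"].lower() == "machineguid"):
            findings.append(("machineguid_read", pid))
    return findings


DESKTOP = r"C:\Users\user\Desktop\ntladlklthawd.exe"
DROPPED = r"C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe"
SAMPLE_EVENTS = [  # constructed from the report's process tree; pid 9000 is a benign control
    {"type": "process_create", "pid": 7680, "ppid": 1, "image": DESKTOP, "cmdline": f'"{DESKTOP}"'},
    {"type": "mutex_create", "pid": 7680, "name": r"\Sessions\1\BaseNamedObjects\Global\WEBR_7V2IMQ37RRTG"},
    {"type": "wmi_query", "pid": 7680, "query": "select Name from Win32_Processor"},
    {"type": "wmi_query", "pid": 7680, "query": "select TotalPhysicalMemory from Win32_ComputerSystem"},
    {"type": "wmi_query", "pid": 7680, "query": "select Name from Win32_Processor"},
    {"type": "registry_query", "pid": 7680,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "value": "MachineGuid"},
    {"type": "file_create", "pid": 7680, "path": DROPPED},
    {"type": "process_create", "pid": 8124, "ppid": 7680, "image": DROPPED, "cmdline": f'"{DROPPED}" -'},
    {"type": "process_create", "pid": 9000, "ppid": 1,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid}")
```

The self-copy rule is the one worth keeping even when the specific path changes: a process that writes a file and then has a child whose image is that file, under the same base name, is a relocation of the original binary regardless of which trusted directory it picked.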
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000473A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.00000000039DA000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: Program Manager'
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: USUSProgram Manager'
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000049AE000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7i08f7clVH7QzAWkhT50sj5euv%2BZB5WnEaWt9t2O4rJCkT6g30EKBMUDnN%{"1":"5","2":"30adc6d5a2d0cb85059ee9cb3c0944b2","3":"Program Manager","4":"1"}
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000473A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.00000000039DA000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: Program Manager
                    Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000004900000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Sun, 23 Mar 2025 15:39:46 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:56 GMTProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:09 GMTSun, 23 Mar 2025 15:40:15 GMTSun, 23 Mar 2025 15:40:19 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:48 GMTSun, 23 Mar 2025 15:40:50 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:41:00 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:41:05 GMT
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: BhProgram Managerh
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000004900000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: XLmHProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:36 GMT
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000039DA000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: BlProgram Manager
                    Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 'Program ManagerSun, 23 Mar 2025 15:39:38 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:58 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:05 GMTSun, 23 Mar 2025 15:40:07 GMTSun, 23 Mar 2025 15:40:08 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:25 GMTlProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:38 GMTlSun, 23 Mar 2025 15:40:39 GMTnalProgram ManagerSun, 23 Mar 2025 15:40:44 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:53 GMTProgram ManagerSun, 23 Mar 2025 15:40:59 GMTi32i32i32i32i32i32i32_i32n%
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: DGlobalSign Root CA"Program Manager"https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: OS_CRYPTENCRYPTED_KEYJUSUSProgram ManagerKUSLMProgram ManagerN
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: "Program Manager"
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: Program ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:41:13 GMT500 Internal Server ErrorProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000473A000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: Program ManagerH
                    Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: qProgram ManagerProgram Manageri32i32i32i32i32i32i32i32i32_v
                    Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000486E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\Roamingdd^bSun, 23 Mar 2025 15:39:17 GMTSun, 23 Mar 2025 15:39:17 GMTProgram ManagerSun, 23 Mar 2025 15:39:22 GMTSun, 23 Mar 2025 15:39:27 GMTProgram ManagerProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000473A000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: BjProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: BgProgram Managerg
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000004900000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: RProgram ManagerProgram ManagerProgram Manager%
                    Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Sun, 23 Mar 2025 15:39:35 GMTSun, 23 Mar 2025 15:39:37 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:41 GMTProgram ManagerSun, 23 Mar 2025 15:39:51 GMTProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:59 GMTProgram ManagerSun, 23 Mar 2025 15:40:01 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:05 GMTProgram ManagerSun, 23 Mar 2025 15:40:10 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:20 GMTSun, 23 Mar 2025 15:40:20 GMTSun, 23 Mar 2025 15:40:29 GMTSun, 23 Mar 2025 15:40:29 GMTSun, 23 Mar 2025 15:40:31 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:34 GMTSun, 23 Mar 2025 15:40:39 GMTProgram ManagerSun, 23 Mar 2025 15:40:49 GMTProgram ManagerSun, 23 Mar 2025 15:40:49 GMTProgram ManagerSun, 23 Mar 2025 15:40:52 GMTProgram ManagerProgram ManagerProgram ManagerProgram Manager
                    Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program ManagerSun, 23 Mar 2025 15:41:10 GMTi32i32i32i32i32i32i32i32i32_i32Program ManagerSun, 23 Mar 2025 15:41:15 GMTSun, 23 Mar 2025 15:41:15 GMTi32i32i32i32i32i32i32i32_v
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000039DA000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: BiProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000049AE000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: +{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7i08f7clVH7QzAWkhT50sj5euv%2BZB5WnEaWt9t2O4rJCkT6g30EKBMUDnN%{"1":"5","2":"30adc6d5a2d0cb85059ee9cb3c0944b2","3":"Program Manager","4":"1"}
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000004900000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: Program Manager:
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Last Browser VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\Desktop\ntladlklthawd.exe VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AmountExtractionHeuristicRegexes VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\HistorySearch VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OpenCookieDatabase VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\PKIMetadata VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\SafetyTips VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\OriginTrials VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\Desktop\ntladlklthawd.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match -- File source: 7.2.ntladlklthawd.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.ntladlklthawd.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2457055619.0000000001337000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000007.00000002.1234252663.0000000001467000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: ntladlklthawd.exe PID: 7680, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: ntladlklthawd.exe PID: 8124, type: MEMORYSTR
Source: ntladlklthawd.exe, 00000000.00000003.1243768227.0000000000A68000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
                    Source: ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: : ` %#xPUT103503*/*302403421425getackanyenvneti32i64f32f64nopu32u64s32s64EqzAddSubMulClzCtzDivRemAndXorShlShrAbsNegMinMaxBUG:%dstrJaxxCoreEverMathNamiTronUranEdgesent.zip-q:vtrue%s%cLAltRAltLWinRWinAppsDownLeftHomeNum0Num1Num2Num3Num4Num5Num6Num7Num8Num9Num*Num+Num-Num.Num/bibawinv.exedataOS: IP: .jpg.txtTRUEopen/PIDwmiccallPATH:443readnullbooljson'\''eEpPRGBAGrayCMYKjpeg
                    Source: ntladlklthawd.exe, 00000000.00000003.1241951511.0000000000A74000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
                    Source: ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:sse41sse42ssse3int16int32int64uint8slicekind= (at ClassRetryparseutf-8%s*%dtext/bad nmatchrune 0-RTT1-RTTclear15:04tableblockbr_if%d Ki%d Mi%d Gi%d TilabelLoad8StoreFloorTrunc%s %d%s %s%s.%s%s %fI8x16I16x8I32x4I64x2F32x4F64x2stdin%#x: Attr(ArmoryExodusGuardaBitappCoin98FewchaFinnieIconexKaikasOxygenPontemSaturnSolletWombatXMR.PTXinPayChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsc.execreatedeletestart $temp\chunk!audio=video=LShiftRShiftPageUpInsertDelete[AFK] 0.22.4acceptAnswer GB
                    Source: ntladlklthawd.exe, 00000000.00000003.1241951511.0000000000A74000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
                    Source: ntladlklthawd.exe, 00000000.00000003.1238913173.0000000000A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
                    Source: ntladlklthawd.exe, 00000000.00000003.1241951511.0000000000A74000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehm
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jblndlipeogpafnldhgmapagcccfchpi
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\ntladlklthawd.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Yara match File source: 7.2.ntladlklthawd.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ntladlklthawd.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ntladlklthawd.exe PID: 7680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ntladlklthawd.exe PID: 8124, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match File source: 7.2.ntladlklthawd.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ntladlklthawd.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2457055619.0000000001337000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1234252663.0000000001467000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ntladlklthawd.exe PID: 7680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ntladlklthawd.exe PID: 8124, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the signature count shown in the matrix for that cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 21 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Windows Service; 1 LSASS Driver; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Windows Service; 12 Process Injection; 1 LSASS Driver; 1 DLL Side-Loading; Network Logon Script; RC Scripts
Defense Evasion: 2 Masquerading; 2 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; 11 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 121 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Input Capture; 3 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (the rendered graph is not preserved in this text version; the details recoverable from it are listed below)

Behavior Graph ID: 1646207; Sample: ntladlklthawd.exe; Start date: 23/03/2025; Architecture: WINDOWS; Score: 100
Signatures at sample level: Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 4 other signatures
Processes started: ntladlklthawd.exe; rdpdr.sys; rdpvideominiport.sys; tsusbhub.sys
Network connections from ntladlklthawd.exe: 1.1.1.1, 443, 60643, 60644 CLOUDFLARENETUS Australia; 172.67.191.102, 443, 60645 CLOUDFLARENETUS United States
Dropped by ntladlklthawd.exe: C:\Program Files\Google\...\ntladlklthawd.exe, PE32
Signatures on ntladlklthawd.exe: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
Child process: ntladlklthawd.exe started by ntladlklthawd.exe

Antivirus, Machine Learning and Genetic Malware Detection

Submitted sample
Source | Detection | Scanner | Label
ntladlklthawd.exe | 66% | Virustotal | (no label)
ntladlklthawd.exe | 53% | ReversingLabs | Win32.Trojan.GenSteal
ntladlklthawd.exe | 100% | Avira | TR/Crypt.XPACK.Gen

Dropped files
Source | Detection | Scanner | Label
C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe | 53% | ReversingLabs | Win32.Trojan.GenSteal

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/ | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/8text/html; | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/text/html; | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https:// | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/ehttps://sa1at.ru/sa1at/etext/html; | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/html; | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/ | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/etext/html; | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/8text/html; | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/8https://sa1at.ru/sa1at/ | 100% | Avira URL Cloud | malware
http://crl.chambersign.org/chambersroot.crl | 0% | Avira URL Cloud | safe
http://www.chambersign.org | 0% | Avira URL Cloud | safe


                    No contacted domains info
URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation)
http://crl.xrampsecurity.com/XGCA.crl | ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://1.1.1.1/dns-query?name=failed | ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp | false | - | high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/ | ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.chambersign.org/chambersroot.crl0 | ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://o.pki.goog/s/we1/Yak0% | ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/ | ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://repository.luxtrust.lu0 | ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B5E000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://cps.chambersign.org/cps/chambersroot.html0 | ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://i.pki.goog/r4.crtGlobalSign | ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://i.pki.goog/we1.crt0 | ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://c.pki.goog/r/gsr1.crl0 | ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://www.chambersign.org1 | ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018DE000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://sa1at.ru/sa1at/ | ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://c.pki.goog/r/r4.crl | ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://www.chambersign.orgChambers | ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B44000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://repository.swisssign.com/0 | ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B5E000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://sa1at.ru/sa1at/ehttps://sa1at.ru/sa1at/etext/html; | ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm | ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://c.pki.goog/we1/2DqfS24kcdI.crl | ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://i.pki.goog/gsr1.crt | ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://ocsp.quovadisoffshore.com | ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/html; | ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.securetrust.com/STCA.crl0 | ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018C4000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html; | ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https:// | ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp | false
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            http://crl.securetrust.com/STCA.crlntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              high
                                                              https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/text/html;ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: malware
                                                              unknown
                                                              http://www.quovadisglobal.com/cps0ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018D2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                high
                                                                http://i.pki.goog/gsr1.crt0-ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://c.pki.goog/r/r4.crl0ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002352000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://crl.xrampsecurity.com/XGCA.crl0ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018CC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://sa1at.ru/sa1at/8text/html;ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://sa1at.ru/sa1at/etext/html;ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      http://i.pki.goog/r4.crt0ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002352000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.quovadis.bm0ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://c.pki.goog/r/gsr1.crlntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/8text/html;ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: malware
                                                                              unknown
                                                                              http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crlntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://ocsp.quovadisoffshore.com0ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://sa1at.ru/sa1at/8https://sa1at.ru/sa1at/ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: malware
                                                                                  unknown
                                                                                  http://o.pki.goog/s/we1/Yakntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://c.pki.goog/we1/2DqfS24kcdI.crl0ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://crl.chambersign.org/chambersroot.crlntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://www.chambersign.orgntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B44000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://i.pki.goog/we1.crtntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crtntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://policy.camerfirma.com0ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
172.67.191.102 | unknown | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1646207
Start date and time: 2025-03-23 16:38:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ntladlklthawd.exe
Detection: MAL
Classification: mal100.troj.spyw.winEXE@3/2@0/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.204.23.20, 204.79.197.222, 20.12.23.50
• Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:39:10 | API Interceptor | 4x Sleep call for process: ntladlklthawd.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
1.1.1.1 | watchdog.elf | malicious | Xmrig | 1.1.1.1:8080/
 | 6fW0GedR6j.xls | malicious | Unknown | 1.1.1.1/ctrl/playback.php
 | PO-230821_pdf.exe | malicious | FormBook, NSISDropper | www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
 | AFfv8HpACF.exe | malicious | Unknown | 1.1.1.1/
172.67.191.102 | ktkhkawkdtykg6ta.exe | malicious | Salat Stealer |
 | fffffffsa.exe | malicious | Salat Stealer |
 | KoaguarLoader.exe | malicious | Salat Stealer, XWorm |
 | SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe | malicious | Salat Stealer |
 | hf9tYzF.exe | malicious | Salat Stealer |
 | noytjhjsefsae.exe | malicious | Unknown |
 | flilphbvd.exe | malicious | Unknown |
                                                                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SecuriteInfo.com.Win64.Evo-gen.11723.19544.exe | malicious | Skuld Stealer | 172.67.74.152
 | http://nzoc.687528.visualizingportugal.com/rd/4ToofA5868OIkN622gzjkvfrpol7063XIAYRDEKUOPDYMP135953VFSU40170l13 | malicious | Phisher | 104.21.9.91
 | Client-built.exe | malicious | Discord Rat | 162.159.136.234
 | SynovaDarkX.exe | malicious | XWorm | 162.159.129.233
 | Client-built.exe | malicious | Discord Rat | 162.159.130.234
 | Test(1).exe | malicious | Unknown | 172.67.74.152
 | Version_64.exe | malicious | LummaC Stealer, RHADAMANTHYS | 104.21.89.125
 | GreenHat (1).zip | malicious | Unknown | 172.67.203.114
 | 1eXH2alpsb.bat | malicious | Unknown | 104.21.96.1
 | dupe script.bat | malicious | Unknown | 104.21.96.1
                                                                                                          No context
                                                                                                          No context
Process: C:\Users\user\Desktop\ntladlklthawd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: modified
Size (bytes): 3227136
Entropy (8bit): 7.999885603947816
Encrypted: true
SSDEEP: 98304:Ag011QHFHJzHonSPYG3BqEa1vIwrza9OrlbDlj:AgRHNhUSAGIE0ai
MD5: 6458162BB12FE032D99795E4301C1C49
SHA1: 41E42ECD45F58B6CEA1EE4891AFD60FB913831B7
SHA-256: FDF471649EF052E9A1C5B1F10C7C15F43F6DF548E3CAD8299FF5317ABFFB3899
SHA-512: 1D5F3725FAFFB97C3651E29F8EF2F987D9143CBA0128424120BA81D23253FD81521D5FEDB6513BF7EB1FF88014C3BF516E1B87581F1F150DE751D36F2861FBA5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 53%
Reputation: low
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................@1......p..P.............@......................................@.........................................................................................................................................................UPX0.....p..............................UPX1.....@1......:1.................@...UPX2.................<1.............@...4.10.UPX!....Q.=..(.....0,1.....&$.@...E..g..58.y..<]7{=. ......QE*@.1E....6.&.o...M...%b.....J"._....H.Ax(...\..u;.\..Nf..g..'._Fw..a.yd.....).?....\..xO-H..a.>^i.(......S[...1.*..yA...g.K|...h...h.**O(.+....p..Rg.$...?.|...S#..+.,....;Z.D...HM..LI.(.h9?H..o;....+...>..>*?6(s.i....?..........8..Yr...>&..D.*...V)..y']../.7.$.).c)X?......gEI.k.l......x.X.\%....T........\.9'=."Y.....2..$0g:i......_\R..B.....C....f\.X......1....E..h.3Ff.W.(...[S..8....7..|.+n..'..-.^+..PN....Z.s].
Process: C:\Users\user\Desktop\ntladlklthawd.exe
File Type: GLS_BINARY_LSB_FIRST
Category: dropped
Size (bytes): 116
Entropy (8bit): 4.053374040827532
Encrypted: false
SSDEEP: 3:rmHD/tH//lllLGlA1yqGlgZty:rmH2oty
MD5: 080E701E8B8E2E9C68203C150AC7C6B7
SHA1: 4EF041621388B805758AE1D3B122F9D364705223
SHA-256: FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512: C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                          Preview:........t.......................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......,..l..@E............
                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                          Entropy (8bit):7.999885603947816
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                                                          • UPX compressed Win32 Executable (30571/9) 0.30%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:ntladlklthawd.exe
                                                                                                          File size:3'227'136 bytes
                                                                                                          MD5:6458162bb12fe032d99795e4301c1c49
                                                                                                          SHA1:41e42ecd45f58b6cea1ee4891afd60fb913831b7
                                                                                                          SHA256:fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899
                                                                                                          SHA512:1d5f3725faffb97c3651e29f8ef2f987d9143cba0128424120ba81d23253fd81521d5fedb6513bf7eb1ff88014c3bf516e1b87581f1f150de751d36f2861fba5
                                                                                                          SSDEEP:98304:Ag011QHFHJzHonSPYG3BqEa1vIwrza9OrlbDlj:AgRHNhUSAGIE0ai
                                                                                                          TLSH:22E533385B960BB4EEA4DF7F1F0758450F40ADA004ED645AC24CF799B5332ADBDD828A
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................@1......p..P.............@.......................................@................................
                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                          Entrypoint:0xf3ac50
                                                                                                          Entrypoint Section:UPX1
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:6
                                                                                                          OS Version Minor:1
                                                                                                          File Version Major:6
                                                                                                          File Version Minor:1
                                                                                                          Subsystem Version Major:6
                                                                                                          Subsystem Version Minor:1
                                                                                                          Import Hash:6ed4f5f04d62b18d96b26d6db7c18840
                                                                                                          Instruction
                                                                                                          pushad
                                                                                                          mov esi, 00C28015h
                                                                                                          lea edi, dword ptr [esi-00827015h]
                                                                                                          push edi
                                                                                                          mov ebp, esp
                                                                                                          lea ebx, dword ptr [esp-00003E80h]
                                                                                                          xor eax, eax
                                                                                                          push eax
                                                                                                          cmp esp, ebx
                                                                                                          jne 00007F591CDADC8Dh
                                                                                                          inc esi
                                                                                                          inc esi
                                                                                                          push ebx
                                                                                                          push 00B38EF6h
                                                                                                          push edi
                                                                                                          add ebx, 04h
                                                                                                          push ebx
                                                                                                          push 00312C2Eh
                                                                                                          push esi
                                                                                                          add ebx, 04h
                                                                                                          push ebx
                                                                                                          push eax
                                                                                                          mov dword ptr [ebx], 00020003h
                                                                                                          push ebp
                                                                                                          push edi
                                                                                                          push esi
                                                                                                          push ebx
                                                                                                          sub esp, 7Ch
                                                                                                          mov edx, dword ptr [esp+00000090h]
                                                                                                          mov dword ptr [esp+74h], 00000000h
                                                                                                          mov byte ptr [esp+73h], 00000000h
                                                                                                          mov ebp, dword ptr [esp+0000009Ch]
                                                                                                          lea eax, dword ptr [edx+04h]
                                                                                                          mov dword ptr [esp+78h], eax
                                                                                                          mov eax, 00000001h
                                                                                                          movzx ecx, byte ptr [edx+02h]
                                                                                                          mov ebx, eax
                                                                                                          shl ebx, cl
                                                                                                          mov ecx, ebx
                                                                                                          dec ecx
                                                                                                          mov dword ptr [esp+6Ch], ecx
                                                                                                          movzx ecx, byte ptr [edx+01h]
                                                                                                          shl eax, cl
                                                                                                          dec eax
                                                                                                          mov dword ptr [esp+68h], eax
                                                                                                          mov eax, dword ptr [esp+000000A8h]
                                                                                                          movzx esi, byte ptr [edx]
                                                                                                          mov dword ptr [ebp+00h], 00000000h
                                                                                                          mov dword ptr [esp+60h], 00000000h
                                                                                                          mov dword ptr [eax], 00000000h
                                                                                                          mov eax, 00000300h
                                                                                                          mov dword ptr [esp+64h], esi
                                                                                                          mov dword ptr [esp+5Ch], 00000001h
                                                                                                          mov dword ptr [esp+58h], 00000001h
                                                                                                          mov dword ptr [esp+54h], 00000001h
                                                                                                          mov dword ptr [esp+50h], 00000001h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3c000 | 0x88 | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb3c088 | 0xc | UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x827000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x828000 | 0x314000 | 0x313a00 | 152f8ba6bc352806226fbd26e06b838f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2 | 0xb3c000 | 0x1000 | 0x200 | 4ce37912b1ab5cf465de26b9802f2621 | False | 0.21484375 | data | 1.4657272498218852 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
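The static fields above are the textbook shape of a UPX-packed PE32: three sections named UPX0/UPX1/UPX2, an empty UPX0 (raw size 0, virtual size 0x827000, uninitialised, RWX) reserved for the unpacked image, the entry point inside a writable and executable UPX1, a 0x88-byte import directory naming only LoadLibraryA, ExitProcess, GetProcAddress and VirtualProtect, a zeroed TimeDateStamp and 7.9999 file entropy. The script below is an added example, not part of the Joe Sandbox report and not the sample's code: a stdlib-only PE32 header parser that computes those indicators. Since the sample cannot be embedded here, the block builds a constructed stand-in that copies the reported section names, flags, addresses, entry RVA (0xb3ac50, which with image base 0x400000 gives the reported 0xf3ac50) and import-directory size, with toy contents. The STANDARD_SECTIONS list and the 7.0 entropy and 0x100 import-size thresholds are assumptions.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumption: names a linker normally emits; anything else (UPX0, .packed, ...) counts as non-standard.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".edata", ".bss", ".tls", ".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0..8 scale the report uses; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(buf: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsect, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):  # IMAGE_SECTION_HEADER is 40 bytes, right after the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "characteristics": sc,
                         "entropy": shannon_entropy(buf[rawptr:rawptr + rawsize])})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base,
            "import_dir": dirs[1] if len(dirs) > 1 else (0, 0), "sections": sections}


def packer_indicators(pe: dict) -> dict:
    """The signals the report exposes for this sample, each as a named boolean plus a tally."""
    secs = pe["sections"]
    ep = pe["entry_rva"]
    ep_sec = next((s for s in secs if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    first = secs[0] if secs else None
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    ind = {
        "entry_section": ep_sec["name"] if ep_sec else None,
        "entry_section_wx": bool(ep_sec and (ep_sec["characteristics"] & wx) == wx),
        "nonstandard_section_names": bool(secs) and all(s["name"] not in STANDARD_SECTIONS for s in secs),
        "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
        # UPX0 pattern: no raw bytes, large virtual size, uninitialised, RWX: room for the unpacked image
        "reserved_empty_first_section": bool(first and first["rawsize"] == 0 and first["vsize"] >= 0x10000
                                             and first["characteristics"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA),
        "max_section_entropy": max((s["entropy"] for s in secs), default=0.0),
        "tiny_import_table": 0 < pe["import_dir"][1] < 0x100,  # 0x88 bytes here: a handful of names
        "zero_timestamp": pe["timestamp"] == 0,
    }
    ind["high_entropy"] = ind["max_section_entropy"] > 7.0  # assumption: 7.0 as the compressed/encrypted line
    ind["score"] = sum(1 for v in ind.values() if v is True)
    return ind


def build_constructed_upx_like_pe() -> bytes:
    """CONSTRUCTED input, not the sample: the report's three sections with their names, flags,
    addresses and the 0x88-byte import directory in UPX2, but with toy contents."""
    hdr_size = 0x400
    upx1 = bytes(range(256)) * 16  # 4096 bytes, each value 16 times: entropy exactly 8.0
    upx2 = b"\0" * 0x200           # stand-in for the small import/relocation area
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    init = 0x40                    # IMAGE_SCN_CNT_INITIALIZED_DATA
    sections = [  # name, virtual size, virtual address, raw size, raw pointer, characteristics
        (b"UPX0", 0x827000, 0x001000, 0, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
        (b"UPX1", 0x314000, 0x828000, len(upx1), hdr_size, init | rwx),
        (b"UPX2", 0x001000, 0xB3C000, len(upx2), hdr_size + len(upx1), init | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, TimeDateStamp 0
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0xB3AC50)                  # AddressOfEntryPoint: RVA inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0xB3C000, 0x88)   # import directory
    struct.pack_into("<II", opt, 96 + 8 * 5, 0xB3C088, 0x0C)   # base relocation directory
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, c)
                     for n, vs, va, rs, rp, c in sections)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_size, b"\0")
    return headers + upx1 + upx2
```

Run it on a real file with `packer_indicators(parse_pe32(open(path, "rb").read()))`. The disassembly at the entry point above is the UPX decompression stub: `mov esi, 00C28015h` points into UPX1 (0x400000 + 0x828015) and `lea edi, dword ptr [esi-00827015h]` yields 0x401000, the image base plus UPX0's virtual address, so the stub unpacks from UPX1 into the empty UPX0. Static tooling therefore needs a memory dump taken after that point, or a `upx -d` unpack if the packer has not been modified; the four-name import table on disk says nothing about what the unpacked code resolves through GetProcAddress.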


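The packet list that follows is one row per packet. What an analyst wants from it is the set of conversations: which client port spoke to which server and port, how many packets went each way, and when each connection was first and last seen. The script below is an added example, not part of the Joe Sandbox report, that does that grouping over a five-column form of the rows (timestamp, source IP, source port, destination IP, destination port). The embedded rows are re-typed from the list below; the orientation rule (the lower port number is the service side) and the resolver allowlist that keeps 1.1.1.1 out of the review column are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption (not from the report): well-known public resolvers are treated as expected
# egress; every other non-private server gets a review flag.
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass
class Flow:
    """One TCP connection, oriented client -> server."""
    client: str
    client_port: int
    server: str
    server_port: int
    first_seen: str
    last_seen: str = ""
    to_server: int = 0
    from_server: int = 0

    @property
    def needs_review(self) -> bool:
        srv = ip_address(self.server)
        return not (srv.is_private or srv.is_loopback or self.server in KNOWN_PUBLIC_RESOLVERS)


def parse_packet_line(line: str):
    """'<timestamp, may contain spaces> <src_ip> <src_port> <dst_ip> <dst_port>' -> tuple, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, sip, sport, dip, dport = line.rsplit(None, 4)
    return ts, sip, int(sport), dip, int(dport)


def summarize_flows(lines) -> list:
    """Group packets per connection; the lower-numbered port is taken as the service side."""
    flows: dict = {}
    for ts, sip, sport, dip, dport in filter(None, map(parse_packet_line, lines)):
        outbound = sport > dport  # 60643 -> 443 is client -> server, 443 -> 60643 is the reply
        client, cport, server, port = (sip, sport, dip, dport) if outbound else (dip, dport, sip, sport)
        key = (client, cport, server, port)
        if key not in flows:
            flows[key] = Flow(client, cport, server, port, first_seen=ts)
        f = flows[key]
        f.last_seen = ts
        if outbound:
            f.to_server += 1
        else:
            f.from_server += 1
    return list(flows.values())  # dict keeps insertion order, so this is first-seen order


# Rows re-typed from the packet list in this report into the five-column form.
SAMPLE_PACKETS = """
Mar 23, 2025 16:39:09.300596952 CET 192.168.2.4 60643 1.1.1.1 443
Mar 23, 2025 16:39:09.398093939 CET 1.1.1.1 443 192.168.2.4 60643
Mar 23, 2025 16:39:09.399349928 CET 192.168.2.4 60643 1.1.1.1 443
Mar 23, 2025 16:39:09.505990982 CET 192.168.2.4 60644 1.1.1.1 443
Mar 23, 2025 16:39:09.604723930 CET 1.1.1.1 443 192.168.2.4 60644
Mar 23, 2025 16:39:09.961312056 CET 192.168.2.4 60645 172.67.191.102 443
Mar 23, 2025 16:39:10.059154987 CET 172.67.191.102 443 192.168.2.4 60645
Mar 23, 2025 16:39:10.062804937 CET 192.168.2.4 60645 172.67.191.102 443
Mar 23, 2025 16:39:16.226265907 CET 192.168.2.4 60645 172.67.191.102 443
""".splitlines()


def report(lines) -> list:
    """Compact rows: (server:port, client_port, packets out, packets in, needs_review), first-seen order."""
    return [(f"{f.server}:{f.server_port}", f.client_port, f.to_server, f.from_server, f.needs_review)
            for f in summarize_flows(lines)]
```

On the full list the 172.67.191.102:443 connection on client port 60645 is the one that stays open across the whole window (16:39:09 to 16:39:16) and carries the long burst of outbound segments at 16:39:16, which is where to look in the PCAP for the upload; the two short 1.1.1.1:443 connections end within a second.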
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 23, 2025 16:39:09.300596952 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.398093939 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.398542881 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.398730993 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.398770094 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.398807049 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.398844957 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.399349928 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.402029037 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.402065992 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.405837059 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.405966997 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.406006098 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.502513885 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.502553940 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.503022909 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.503057003 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.503475904 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.503598928 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.503635883 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.503784895 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.505990982 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.536371946 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.602408886 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.604723930 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.605232000 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.605319023 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.605575085 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.605614901 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.605649948 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.606338024 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.608663082 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.608696938 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.609839916 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.609905005 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.609930038 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.708117962 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.708156109 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.708188057 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.708220959 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.708487988 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.708525896 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:09.805175066 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.948374987 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:09.961312056 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:09.993377924 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:10.059154987 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.061773062 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.061913013 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.061969042 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.062058926 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.062804937 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:10.063293934 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:10.105467081 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:10.106878996 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:10.203135014 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.203178883 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.203274965 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.203309059 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.204988003 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.205198050 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:10.209202051 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:10.306644917 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.468456984 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:10.487684965 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:11.500158072 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:11.500210047 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:11.598114014 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:11.799052000 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:11.817949057 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:12.314979076 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:12.314979076 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:12.415148020 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:12.416188955 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:12.602885008 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:12.626812935 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:12.815845013 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:12.914387941 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:12.915185928 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:13.017035007 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:13.097543001 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:13.145612001 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.206892967 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.206979990 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.206979990 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.207032919 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.207032919 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.207135916 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.207205057 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.207206011 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.207329035 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.207329035 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.207437038 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.225797892 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.225960970 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.226048946 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.226217985 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.226265907 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.226265907 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.226324081 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.226324081 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.226373911 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.226819038 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.263231039 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.263273001 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.263314962 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.263588905 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.263634920 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.263658047 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.263698101 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.263891935 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.264041901 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.264075994 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.264111996 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.294233084 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.303936958 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.303992987 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.304099083 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.304416895 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.304807901 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.304949045 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.323383093 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.323421001 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.323576927 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.323776960 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.323824883 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.323858976 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.323894024 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.323999882 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.324031115 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.324385881 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.346328020 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346432924 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346474886 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346476078 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346497059 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346522093 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346543074 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346564054 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346632004 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346925020 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346956015 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.346981049 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.347014904 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.347033024 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.360887051 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.360939026 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.360991955 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.361025095 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.361062050 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.361094952 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.361129045 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.361160040 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.361380100 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.361450911 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.362375975 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.362560034 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.362591028 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.362612009 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.362674952 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.362695932 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.362714052 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.362740993 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.379504919 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.379543066 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.379580975 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.379611969 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.392163992 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.393346071 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.393376112 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.445619106 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.445656061 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.446150064 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446187973 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446212053 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446240902 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446269035 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446291924 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446337938 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446363926 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446382999 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446609974 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.446644068 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.461484909 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.461522102 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.461555004 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.461675882 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.461730003 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.461849928 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.462802887 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.479178905 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.479213953 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.479531050 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.479531050 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.479593992 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.479693890 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.479875088 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.495914936 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.496536016 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.544929028 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.544980049 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545013905 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545047045 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545080900 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545238018 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545272112 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545466900 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545511961 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.545576096 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.545588970 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545620918 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545723915 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.545762062 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.545780897 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.545813084 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.545826912 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.545826912 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.545855999 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.545936108 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.546168089 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.546197891 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.563146114 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.563612938 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.577649117 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.577682972 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.577789068 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.577963114 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.578006029 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.578269005 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.578298092 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.594578028 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.594921112 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.647597075 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.647634983 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.647667885 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.647703886 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.647735119 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.647768974 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.647802114 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.648097992 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.648243904 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.663372040 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.676059008 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.676495075 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.676527977 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:39:16.686212063 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.686260939 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.686260939 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.686300993 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.686336994 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.686357021 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.686393023 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.686412096 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.686453104 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.689694881 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.689735889 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.689764977 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:39:16.693881989 CET44360645172.67.191.102192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 23, 2025 16:39:16.694473028 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.786046982 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.786252022 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.786286116 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.786319971 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.786334991 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.786587000 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.786601067 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.786678076 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.786686897 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.786711931 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.786802053 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.786875963 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.790597916 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.790632010 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.790666103 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.791030884 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.791062117 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.791098118 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.799844980 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.800187111 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.800215960 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.884911060 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.884946108 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.884978056 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.885010958 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.885044098 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.885699987 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.885783911 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.885816097 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.885840893 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.889281988 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.889317036 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.889517069 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:16.889610052 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.900885105 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.900922060 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.985131025 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.985168934 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:16.988646030 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:17.165055037 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:17.262979984 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:17.538837910 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:17.539021015 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:17.666220903 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:17.792017937 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:19.614576101 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:19.614684105 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:19.711674929 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:19.949649096 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:19.949742079 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:20.046576977 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:22.301362038 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:22.399702072 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:22.593105078 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:22.625375032 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:27.097719908 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:27.198174000 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:27.392671108 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:27.392726898 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:27.393140078 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:29.710834980 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:29.710834980 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:29.808121920 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:29.808191061 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:30.044641972 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:30.044936895 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:30.141325951 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:30.141807079 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:31.907268047 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:31.907423973 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:32.005779028 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:32.206187963 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:32.228744030 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:35.637840986 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:35.740353107 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:35.929958105 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:35.962368965 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:36.698261023 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:36.796211958 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:36.938905001 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:36.982422113 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:36.999037027 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:37.040884018 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:37.227582932 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:37.259902000 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:38.229420900 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:38.328356981 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:38.526279926 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:38.543068886 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:39.528520107 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:39.632107973 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:39.814812899 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:39.815243959 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:39.815340996 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:39.831536055 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:39.911413908 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:39.912708044 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:40.149255037 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:40.149360895 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:40.246068954 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:40.246128082 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:41.484963894 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:41.584980011 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:41.780273914 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:41.813057899 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:46.311383963 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:46.409616947 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:46.610800982 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:46.627862930 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:49.930042982 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:49.930042982 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:50.026767015 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:50.026830912 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:50.386749983 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:50.386837006 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:39:50.485358000 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:50.485718012 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:39:51.161536932 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:51.259251118 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:51.449026108 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:51.481571913 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:55.960679054 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:55.960680008 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:56.059205055 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:56.249836922 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:56.282311916 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:57.971599102 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:58.069468975 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:58.268079042 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:58.300434113 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:59.270176888 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:59.270297050 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:39:59.368927956 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:59.566308022 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:39:59.600289106 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:00.101021051 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:40:00.199063063 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:40:00.483540058 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:40:00.580167055 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:40:00.773027897 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:00.871453047 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:01.072477102 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:01.104984045 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:05.596379042 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:05.690579891 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:05.698462963 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:05.789001942 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:05.890611887 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:05.923314095 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:05.975065947 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:06.007596016 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:06.977737904 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:07.075778008 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:07.275613070 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:07.308196068 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:08.282419920 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:08.380345106 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:08.582192898 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:08.623424053 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:09.625509024 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:09.723764896 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:09.917898893 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:09.952698946 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:10.203754902 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:40:10.301048040 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:40:10.412303925 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:10.511394024 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:10.577318907 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:40:10.674115896 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:40:10.706986904 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:10.739525080 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:15.222970963 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:15.325066090 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:15.530626059 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:15.563211918 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:18.988362074 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:19.086318970 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:19.286974907 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:19.319936037 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:20.040369987 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:20.040462017 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:20.138782978 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:20.302792072 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:20.319577932 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:40:20.321288109 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:20.353904963 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:20.400948048 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:20.417294025 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:40:20.603272915 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:20.620351076 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:20.683759928 CET | 60644 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:40:20.782366991 CET | 443 | 60644 | 1.1.1.1 | 192.168.2.4
Mar 23, 2025 16:40:24.836497068 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:24.936384916 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:25.131289959 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:25.160582066 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:29.633471966 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:29.672804117 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:29.731976032 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:29.770776987 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:29.918874025 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:29.951879025 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:29.987854958 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:30.036922932 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:30.135385036 CET | 443 | 60645 | 172.67.191.102 | 192.168.2.4
Mar 23, 2025 16:40:30.180145979 CET | 60645 | 443 | 192.168.2.4 | 172.67.191.102
Mar 23, 2025 16:40:30.431787014 CET | 60643 | 443 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 16:40:30.530600071 CET | 443 | 60643 | 1.1.1.1 | 192.168.2.4
                                                                                                          Mar 23, 2025 16:40:30.924253941 CET60644443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:40:31.009171963 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:31.021302938 CET443606441.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:40:31.107414961 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:31.298605919 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:31.333900928 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:34.429840088 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:34.527923107 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:34.728087902 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:34.760353088 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:38.326179028 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:38.424532890 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:38.628740072 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:38.652630091 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:39.233622074 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:39.331415892 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:39.522810936 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:39.522866011 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:39.523435116 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:39.633800030 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:39.633881092 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:39.633881092 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:39.731817961 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:39.919836044 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:39.952289104 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:40.531244993 CET60643443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:40:40.628222942 CET443606431.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:40:41.168087006 CET60644443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:40:41.265125036 CET443606441.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:40:44.030124903 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:44.128726006 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:44.329365015 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:44.361948967 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:47.955773115 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:48.053419113 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:48.249928951 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:48.282593966 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:48.831212997 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:48.931981087 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:49.121823072 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:49.154443979 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:49.249027967 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:49.351385117 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:49.546117067 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:49.578903913 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:50.548748970 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:50.627418041 CET60643443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:40:50.646913052 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:50.725953102 CET443606431.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:40:50.827832937 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:50.860295057 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:51.268402100 CET60644443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:40:51.375916004 CET443606441.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:40:51.838264942 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:51.940640926 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:52.137901068 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:52.247598886 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:52.306185961 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:52.340558052 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:53.639736891 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:53.737770081 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:53.921578884 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:53.980498075 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:58.439580917 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:40:58.537409067 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:59.072376966 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:40:59.089062929 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:00.077436924 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:00.175324917 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:00.439377069 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:00.471960068 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:00.722712040 CET60643443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:41:00.820930004 CET443606431.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:41:01.373428106 CET60644443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:41:01.470659018 CET443606441.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:41:04.944474936 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:04.944613934 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:05.042500019 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:05.381865025 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:05.399138927 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:09.900768042 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:09.999150038 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:10.383986950 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:10.465636015 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:10.826014042 CET60643443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:41:10.925015926 CET443606431.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:41:11.475646019 CET60644443192.168.2.41.1.1.1
                                                                                                          Mar 23, 2025 16:41:11.572335005 CET443606441.1.1.1192.168.2.4
                                                                                                          Mar 23, 2025 16:41:13.596775055 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:13.695532084 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:13.947941065 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:14.057534933 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:14.933959007 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:15.028493881 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:15.031882048 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:15.126688004 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:15.211242914 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:15.248630047 CET60645443192.168.2.4172.67.191.102
                                                                                                          Mar 23, 2025 16:41:15.319775105 CET44360645172.67.191.102192.168.2.4
                                                                                                          Mar 23, 2025 16:41:15.352224112 CET60645443192.168.2.4172.67.191.102


                                                                                                          Target ID:0
                                                                                                          Start time:11:39:08
                                                                                                          Start date:23/03/2025
                                                                                                          Path:C:\Users\user\Desktop\ntladlklthawd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\ntladlklthawd.exe"
                                                                                                          Imagebase:0xb60000
                                                                                                          File size:3'227'136 bytes
                                                                                                          MD5 hash:6458162BB12FE032D99795E4301C1C49
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 00000000.00000002.2457055619.0000000001337000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:3
                                                                                                          Start time:11:39:11
                                                                                                          Start date:23/03/2025
                                                                                                          Path:C:\Windows\System32\drivers\rdpvideominiport.sys
                                                                                                          Wow64 process (32bit):
                                                                                                          Commandline:
                                                                                                          Imagebase:
                                                                                                          File size:32'600 bytes
                                                                                                          MD5 hash:77FF15B9237D62A5CBC6C80E5B20A492
                                                                                                          Has elevated privileges:
                                                                                                          Has administrator privileges:
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:false

                                                                                                          Target ID:4
                                                                                                          Start time:11:39:11
                                                                                                          Start date:23/03/2025
                                                                                                          Path:C:\Windows\System32\drivers\rdpdr.sys
                                                                                                          Wow64 process (32bit):
                                                                                                          Commandline:
                                                                                                          Imagebase:
                                                                                                          File size:169'984 bytes
                                                                                                          MD5 hash:64991B36F0BD38026F7589572C98E3D6
                                                                                                          Has elevated privileges:
                                                                                                          Has administrator privileges:
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:false

                                                                                                          Target ID:7
                                                                                                          Start time:11:39:11
                                                                                                          Start date:23/03/2025
                                                                                                          Path:C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -
                                                                                                          Imagebase:0xc90000
                                                                                                          File size:3'227'136 bytes
                                                                                                          MD5 hash:6458162BB12FE032D99795E4301C1C49
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 00000007.00000002.1234252663.0000000001467000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Avira
                                                                                                          • Detection: 53%, ReversingLabs
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:9
                                                                                                          Start time:11:39:11
                                                                                                          Start date:23/03/2025
                                                                                                          Path:C:\Windows\System32\drivers\tsusbhub.sys
                                                                                                          Wow64 process (32bit):
                                                                                                          Commandline:
                                                                                                          Imagebase:
                                                                                                          File size:137'728 bytes
                                                                                                          MD5 hash:CC6D4A26254EB72C93AC848ECFCFB4AF
                                                                                                          Has elevated privileges:
                                                                                                          Has administrator privileges:
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:false

                                                                                                          No disassembly