Edit tour

Windows Analysis Report
ntladlklthawd.exe

Overview

General Information

Sample name:	ntladlklthawd.exe
Analysis ID:	1646207
MD5:	6458162bb12fe032d99795e4301c1c49
SHA1:	41e42ecd45f58b6cea1ee4891afd60fb913831b7
SHA256:	fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899
Tags:	exeuser-tcains1
Infos:

Detection

Salat Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Salat Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Uses 32bit PE files

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

ntladlklthawd.exe (PID: 7680 cmdline: "C:\Users\user\Desktop\ntladlklthawd.exe" MD5: 6458162BB12FE032D99795E4301C1C49)

ntladlklthawd.exe (PID: 8124 cmdline: "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" - MD5: 6458162BB12FE032D99795E4301C1C49)

rdpvideominiport.sys (PID: 4 cmdline: MD5: 77FF15B9237D62A5CBC6C80E5B20A492)

rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)

tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2457055619.0000000001337000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
00000007.00000002.1234252663.0000000001467000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ntladlklthawd.exe PID: 7680	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ntladlklthawd.exe PID: 7680	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Process Memory Space: ntladlklthawd.exe PID: 8124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ntladlklthawd.exe PID: 8124	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.ntladlklthawd.exe.c90000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.ntladlklthawd.exe.c90000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
0.2.ntladlklthawd.exe.b60000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ntladlklthawd.exe.b60000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ntladlklthawd.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/8text/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/text/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/ehttps://sa1at.ru/sa1at/etext/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/etext/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/8text/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/8https://sa1at.ru/sa1at/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: ntladlklthawd.exe	Virustotal: Detection: 65%			Perma Link
Source: ntladlklthawd.exe	ReversingLabs: Detection: 52%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: ntladlklthawd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Directory created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe

Jump to behavior

Source: ntladlklthawd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View	IP Address: 172.67.191.102 172.67.191.102

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102

Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002352000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crthttp://crl3.digicert.com/DigiCertGlobalRootG2.cr
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.0000000001888000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.0000000001888000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl(c)
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0H
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crlhttp://crl4.digicert.com/DigiCertG
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl00
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002352000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crtGlobalSign
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Yak
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Yak0%
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crt
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0Q
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comDigiCert
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B5E000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B44000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018DE000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B44000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.orgChambers
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018D2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: https://1.1.1.1/dns-query?name=failed
Source: ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/8https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/8text/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/ehttps://sa1at.ru/sa1at/etext/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/etext/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/8text/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html;
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/text/html;

Source: ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unsafe.Pointerreflect.Value.RCodeNameErrorResourceHeaderunreachable: Accept-CharsetDkim-Signatureneed more dataREQUEST_METHODInstEmptyWidthmax-age=604800NO_VIABLE_PATHpacing limitedsqlite3_errstrsqlite3_errmsggo_commit_hookgo_update_hookgo_vtab_creatego_vtab_updatego_vtab_renamego_vtab_commitunixepoch_fracunixepoch_nano15:04:05Z07:00mime/multipartmutable-globalgo_sector_sizego_shm_barrierf32.demote_f64i32.extend16_si64.extend16_si64.extend32_sv128.load8x8_sv128.load8x8_uv128.bitselecti8x16.all_truei16x8.all_truei32x4.all_truei64x2.all_trueread block: %wfunc[%s.%s] %winvalid %s: %wunknown memoryalready closedI32WrapFromI64read value: %vsection %s: %vglobal[%d]: %wProcess32FirstWDispatchMessageSetWinEventHookHarmonyOutdatedchunk confirmedunzipping file winsta0\defaultgot dExec code:found tg:// urlActive window: Build Version: Browsers\Token_Network\Cookieszipinsecurepathrecord overflowbad certificatePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512ClientAuthType(client finishedserver finishedunknown versionmissing address/etc/mdns.allowunknown networknegative updateaccept-encodingaccept-languagex-forwarded-forAccept-Encodingrecv_rststream_Idempotency-KeyPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keywrite error: %wGetProcessTimesDuplicateHandlenegative offsetGetMonitorInfoW476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWUnmapViewOfFileFailed to load Failed to find : cannot parse ,M3.2.0,M11.1.0general failuredata before FINbad close code ExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreatePopupMenuCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetRawInputDataInsertMenuItemWIsWindowEnabledIsWindowVisiblePostQuitMessageSetActiveWindowTrackMouseEventWindowFromPointDrawThemeTextExGetSecurityInfoImpersonateSelfOpenThreadTokenSetSecurityInfoAddDllDirectoryFindNextVolumeWFindVolumeCloseGetCommTimeoutsIsWow64Process2QueryDosDeviceWSetCommTimeoutsSetVolumeLabelWRtlDefaultNpAclCLSIDFromStringStringFromGUID2IsWindowUnicodetimeBeginPeriodNTSTATUS 0x%08xRegCreateKeyExWRegDeleteValueWx509usepoliciesnothing to packIgnoring Retry.invalid boolean0601021504Z0700non-minimal tagunknown Go typeHanifi_RohingyaPsalter_Pahlavireflectlite.Set is unavailableallocmRInternalwrite heap dumpasyncpreemptoffforce gc (idle)sync.Mutex.Lockmalloc deadlockruntime error: elem size wrong with GC prog

memstr_d4364461-3

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys

Source: ntladlklthawd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@3/2@0/2

Source: C:\Users\user\Desktop\ntladlklthawd.exe

File created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe

Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\WEBR_7V2IMQ37RRTG

Source: C:\Users\user\Desktop\ntladlklthawd.exe

File created: C:\Users\user\AppData\Local\Temp\30adc6d5-a2d0-cb85-059e-e9cb3c09d5a2

Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor

Source: C:\Users\user\Desktop\ntladlklthawd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ntladlklthawd.exe, 00000000.00000002.2478764369.0000000026DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479088032.000000002CDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000000.00000002.2478981217.000000002ADFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000003.1251149342.0000000030E00000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002D92000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478662879.0000000024DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478872702.0000000028DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479280576.000000002EDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ntladlklthawd.exe, 00000000.00000002.2478764369.0000000026DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479088032.000000002CDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000000.00000002.2478981217.000000002ADFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000003.1251149342.0000000030E00000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002D92000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478662879.0000000024DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478872702.0000000028DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479280576.000000002EDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: ntladlklthawd.exe, 00000000.00000002.2478764369.0000000026E30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ntladlklthawd.exe, 00000000.00000002.2478764369.0000000026DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479088032.000000002CDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000000.00000002.2478981217.000000002ADFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000003.1251149342.0000000030E00000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002D92000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478662879.0000000024DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2478872702.0000000028DFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2479280576.000000002EDFF000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: ntladlklthawd.exe	Virustotal: Detection: 65%
Source: ntladlklthawd.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\ntladlklthawd.exe

File read: C:\Users\user\Desktop\ntladlklthawd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ntladlklthawd.exe "C:\Users\user\Desktop\ntladlklthawd.exe"
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -	Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Directory created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe

Jump to behavior

Source: ntladlklthawd.exe

Static file information: File size 3227136 > 1048576

Source: ntladlklthawd.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x313a00

Source: ntladlklthawd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ntladlklthawd.exe	Static PE information: section name: UPX2
Source: ntladlklthawd.exe.0.dr	Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\ntladlklthawd.exe

File created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe

Jump to dropped file

Source: C:\Windows\System32\drivers\tsusbhub.sys

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select TotalPhysicalMemory from Win32_ComputerSystem

Source: C:\Users\user\Desktop\ntladlklthawd.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor

Source: ntladlklthawd.exe, 00000000.00000003.1248694520.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ntladlklthawd.exe, 00000000.00000002.2456275793.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1233987861.000000000081E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\drivers\tsusbhub.sys

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Process created: C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -

Jump to behavior

Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000473A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.00000000039DA000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager'
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: USUSProgram Manager'
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000049AE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7i08f7clVH7QzAWkhT50sj5euv%2BZB5WnEaWt9t2O4rJCkT6g30EKBMUDnN%{"1":"5","2":"30adc6d5a2d0cb85059ee9cb3c0944b2","3":"Program Manager","4":"1"}
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000473A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.00000000039DA000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000004900000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Sun, 23 Mar 2025 15:39:46 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:56 GMTProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:09 GMTSun, 23 Mar 2025 15:40:15 GMTSun, 23 Mar 2025 15:40:19 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:48 GMTSun, 23 Mar 2025 15:40:50 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:41:00 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:41:05 GMT
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BhProgram Managerh
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000004900000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: XLmHProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:36 GMT
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000039DA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BlProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 'Program ManagerSun, 23 Mar 2025 15:39:38 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:58 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:05 GMTSun, 23 Mar 2025 15:40:07 GMTSun, 23 Mar 2025 15:40:08 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:25 GMTlProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:38 GMTlSun, 23 Mar 2025 15:40:39 GMTnalProgram ManagerSun, 23 Mar 2025 15:40:44 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:53 GMTProgram ManagerSun, 23 Mar 2025 15:40:59 GMTi32i32i32i32i32i32i32_i32n%
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DGlobalSign Root CA"Program Manager"https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OS_CRYPTENCRYPTED_KEYJUSUSProgram ManagerKUSLMProgram ManagerN
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: "Program Manager"
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:41:13 GMT500 Internal Server ErrorProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000473A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerH
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qProgram ManagerProgram Manageri32i32i32i32i32i32i32i32i32_v
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000486E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\RoamingC:\Users\user\AppData\Roamingdd^bSun, 23 Mar 2025 15:39:17 GMTSun, 23 Mar 2025 15:39:17 GMTProgram ManagerSun, 23 Mar 2025 15:39:22 GMTSun, 23 Mar 2025 15:39:27 GMTProgram ManagerProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000473A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BjProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BgProgram Managerg
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000004900000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RProgram ManagerProgram ManagerProgram Manager%
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Sun, 23 Mar 2025 15:39:35 GMTSun, 23 Mar 2025 15:39:37 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:41 GMTProgram ManagerSun, 23 Mar 2025 15:39:51 GMTProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:39:59 GMTProgram ManagerSun, 23 Mar 2025 15:40:01 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:05 GMTProgram ManagerSun, 23 Mar 2025 15:40:10 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:20 GMTSun, 23 Mar 2025 15:40:20 GMTSun, 23 Mar 2025 15:40:29 GMTSun, 23 Mar 2025 15:40:29 GMTSun, 23 Mar 2025 15:40:31 GMTProgram ManagerProgram ManagerSun, 23 Mar 2025 15:40:34 GMTSun, 23 Mar 2025 15:40:39 GMTProgram ManagerSun, 23 Mar 2025 15:40:49 GMTProgram ManagerSun, 23 Mar 2025 15:40:49 GMTProgram ManagerSun, 23 Mar 2025 15:40:52 GMTProgram ManagerProgram ManagerProgram ManagerProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerSun, 23 Mar 2025 15:41:10 GMTi32i32i32i32i32i32i32i32i32_i32Program ManagerSun, 23 Mar 2025 15:41:15 GMTSun, 23 Mar 2025 15:41:15 GMTi32i32i32i32i32i32i32i32_v
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000039DA000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BiProgram Manager
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.00000000049AE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: +{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7i08f7clVH7QzAWkhT50sj5euv%2BZB5WnEaWt9t2O4rJCkT6g30EKBMUDnN%{"1":"5","2":"30adc6d5a2d0cb85059ee9cb3c0944b2","3":"Program Manager","4":"1"}
Source: ntladlklthawd.exe, 00000000.00000002.2459603049.0000000004900000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager:

Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Last Browser VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\Desktop\ntladlklthawd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AmountExtractionHeuristicRegexes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\HistorySearch VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OpenCookieDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\PKIMetadata VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\SafetyTips VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\OriginTrials VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ntladlklthawd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Salat Stealer

Source: Yara match	File source: 7.2.ntladlklthawd.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ntladlklthawd.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2457055619.0000000001337000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1234252663.0000000001467000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ntladlklthawd.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ntladlklthawd.exe PID: 8124, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ntladlklthawd.exe, 00000000.00000003.1243768227.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: : ` %#xPUT103503/302403421425getackanyenvneti32i64f32f64nopu32u64s32s64EqzAddSubMulClzCtzDivRemAndXorShlShrAbsNegMinMaxBUG:%dstrJaxxCoreEverMathNamiTronUranEdgesent.zip-q:vtrue%s%cLAltRAltLWinRWinAppsDownLeftHomeNum0Num1Num2Num3Num4Num5Num6Num7Num8Num9Num*Num+Num-Num.Num/bibawinv.exedataOS: IP: .jpg.txtTRUEopen/PIDwmiccallPATH:443readnullbooljson'\''eEpPRGBAGrayCMYKjpeg
Source: ntladlklthawd.exe, 00000000.00000003.1241951511.0000000000A74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:sse41sse42ssse3int16int32int64uint8slicekind= (at ClassRetryparseutf-8%s*%dtext/bad nmatchrune 0-RTT1-RTTclear15:04tableblockbr_if%d Ki%d Mi%d Gi%d TilabelLoad8StoreFloorTrunc%s %d%s %s%s.%s%s %fI8x16I16x8I32x4I64x2F32x4F64x2stdin%#x: Attr(ArmoryExodusGuardaBitappCoin98FewchaFinnieIconexKaikasOxygenPontemSaturnSolletWombatXMR.PTXinPayChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsc.execreatedeletestart $temp\chunk!audio=video=LShiftRShiftPageUpInsertDelete[AFK] 0.22.4acceptAnswer GB
Source: ntladlklthawd.exe, 00000000.00000003.1241951511.0000000000A74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: ntladlklthawd.exe, 00000000.00000003.1238913173.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
Source: ntladlklthawd.exe, 00000000.00000003.1241951511.0000000000A74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehm	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jblndlipeogpafnldhgmapagcccfchpi	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\ntladlklthawd.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior

Source: Yara match	File source: 7.2.ntladlklthawd.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ntladlklthawd.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ntladlklthawd.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ntladlklthawd.exe PID: 8124, type: MEMORYSTR

Remote Access Functionality

Yara detected Salat Stealer

Source: Yara match	File source: 7.2.ntladlklthawd.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ntladlklthawd.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2457055619.0000000001337000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1234252663.0000000001467000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ntladlklthawd.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ntladlklthawd.exe PID: 8124, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Windows Service	1 Windows Service	2 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 LSASS Driver	12 Process Injection	2 Virtualization/Sandbox Evasion	11 Input Capture	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	3 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 LSASS Driver	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ntladlklthawd.exe	66%	Virustotal		Browse
ntladlklthawd.exe	53%	ReversingLabs	Win32.Trojan.GenSteal
ntladlklthawd.exe	100%	Avira	TR/Crypt.XPACK.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe	53%	ReversingLabs	Win32.Trojan.GenSteal

Source	Detection	Scanner	Label
https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/8text/html;	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/text/html;	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/ehttps://sa1at.ru/sa1at/etext/html;	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/html;	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/etext/html;	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/8text/html;	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/8https://sa1at.ru/sa1at/	100%	Avira URL Cloud	malware
http://crl.chambersign.org/chambersroot.crl	0%	Avira URL Cloud	safe
http://www.chambersign.org	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://1.1.1.1/dns-query?name=failed	ntladlklthawd.exe, 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, ntladlklthawd.exe, 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.chambersign.org/chambersroot.crl0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://o.pki.goog/s/we1/Yak0%	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://repository.luxtrust.lu0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B5E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/r4.crtGlobalSign	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/we1.crt0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/gsr1.crl0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018DE000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/r4.crl	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.chambersign.orgChambers	ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B44000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B5E000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018E4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/ehttps://sa1at.ru/sa1at/etext/html;	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/we1/2DqfS24kcdI.crl	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/gsr1.crt	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com	ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/html;	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.securetrust.com/STCA.crl0	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018C4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html;	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.securetrust.com/STCA.crl	ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/rhttps://sa1at.ru/sa1at/text/html;	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.quovadisglobal.com/cps0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018D2000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/gsr1.crt0-	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/r4.crl0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002352000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018CC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/8text/html;	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sa1at.ru/sa1at/etext/html;	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/r4.crt0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002070000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002352000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/gsr1.crl	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/8text/html;	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/8https://sa1at.ru/sa1at/	ntladlklthawd.exe, 00000000.00000002.2459603049.0000000002DBA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://o.pki.goog/s/we1/Yak	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/we1/2DqfS24kcdI.crl0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000205A000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000000.00000002.2459603049.000000000242E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl	ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018F8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chambersign.org	ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B44000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i.pki.goog/we1.crt	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crt	ntladlklthawd.exe, 00000000.00000002.2459603049.000000000200C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	ntladlklthawd.exe, 00000000.00000002.2459603049.00000000022C8000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1237748518.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, ntladlklthawd.exe, 00000007.00000002.1236677545.00000000018AC000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia		13335	CLOUDFLARENETUS	false
172.67.191.102	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1646207
Start date and time:	2025-03-23 16:38:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ntladlklthawd.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@3/2@0/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.204.23.20, 204.79.197.222, 20.12.23.50
Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:39:10	API Interceptor	4x Sleep call for process: ntladlklthawd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.1.1.1	watchdog.elf	Get hash	malicious	Xmrig	Browse	1.1.1.1:8080/
	6fW0GedR6j.xls	Get hash	malicious	Unknown	Browse	1.1.1.1/ctrl/playback.php
	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
172.67.191.102	ktkhkawkdtykg6ta.exe	Get hash	malicious	Salat Stealer	Browse
	fffffffsa.exe	Get hash	malicious	Salat Stealer	Browse
	KoaguarLoader.exe	Get hash	malicious	Salat Stealer, XWorm	Browse
	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Get hash	malicious	Salat Stealer	Browse
	hf9tYzF.exe	Get hash	malicious	Salat Stealer	Browse
	noytjhjsefsae.exe	Get hash	malicious	Unknown	Browse
	flilphbvd.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Win64.Evo-gen.11723.19544.exe	Get hash	malicious	Skuld Stealer	Browse	172.67.74.152
	http://nzoc.687528.visualizingportugal.com/rd/4ToofA5868OIkN622gzjkvfrpol7063XIAYRDEKUOPDYMP135953VFSU40170l13	Get hash	malicious	Phisher	Browse	104.21.9.91
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	162.159.136.234
	SynovaDarkX.exe	Get hash	malicious	XWorm	Browse	162.159.129.233
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	Test(1).exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Version_64.exe	Get hash	malicious	LummaC Stealer, RHADAMANTHYS	Browse	104.21.89.125
	GreenHat (1).zip	Get hash	malicious	Unknown	Browse	172.67.203.114
	1eXH2alpsb.bat	Get hash	malicious	Unknown	Browse	104.21.96.1
	dupe script.bat	Get hash	malicious	Unknown	Browse	104.21.96.1
CLOUDFLARENETUS	SecuriteInfo.com.Win64.Evo-gen.11723.19544.exe	Get hash	malicious	Skuld Stealer	Browse	172.67.74.152
	http://nzoc.687528.visualizingportugal.com/rd/4ToofA5868OIkN622gzjkvfrpol7063XIAYRDEKUOPDYMP135953VFSU40170l13	Get hash	malicious	Phisher	Browse	104.21.9.91
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	162.159.136.234
	SynovaDarkX.exe	Get hash	malicious	XWorm	Browse	162.159.129.233
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	Test(1).exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Version_64.exe	Get hash	malicious	LummaC Stealer, RHADAMANTHYS	Browse	104.21.89.125
	GreenHat (1).zip	Get hash	malicious	Unknown	Browse	172.67.203.114
	1eXH2alpsb.bat	Get hash	malicious	Unknown	Browse	104.21.96.1
	dupe script.bat	Get hash	malicious	Unknown	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\ntladlklthawd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	modified
Size (bytes):	3227136
Entropy (8bit):	7.999885603947816
Encrypted:	true
SSDEEP:	98304:Ag011QHFHJzHonSPYG3BqEa1vIwrza9OrlbDlj:AgRHNhUSAGIE0ai
MD5:	6458162BB12FE032D99795E4301C1C49
SHA1:	41E42ECD45F58B6CEA1EE4891AFD60FB913831B7
SHA-256:	FDF471649EF052E9A1C5B1F10C7C15F43F6DF548E3CAD8299FF5317ABFFB3899
SHA-512:	1D5F3725FAFFB97C3651E29F8EF2F987D9143CBA0128424120BA81D23253FD81521D5FEDB6513BF7EB1FF88014C3BF516E1B87581F1F150DE751D36F2861FBA5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................@1......p..P.............@......................................@.........................................................................................................................................................UPX0.....p..............................UPX1.....@1......:1.................@...UPX2.................<1.............@...4.10.UPX!....Q.=..(.....0,1.....&$.@...E..g..58.y..<]7{=. ......QE@.1E....6.&.o...M...%b.....J"._....H.Ax(...\..u;.\..Nf..g..'._Fw..a.yd.....).?....\..xO-H..a.>^i.(......S[...1...yA...g.K\|...h...h.*O(.+....p..Rg.$...?.\|...S#..+.,....;Z.D...HM..LI.(.h9?H..o;....+...>..>?6(s.i....?..........8..Yr...>&..D.*...V)..y']../.7.$.).c)X?......gEI.k.l......x.X.\%....T........\.9'=."Y.....2..$0g:i......_\R..B.....C....f\.X......1....E..h.3Ff.W.(...[S..8....7..\|.+n..'..-.^+..PN....Z.s].

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\ntladlklthawd.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.053374040827532
Encrypted:	false
SSDEEP:	3:rmHD/tH//lllLGlA1yqGlgZty:rmH2oty
MD5:	080E701E8B8E2E9C68203C150AC7C6B7
SHA1:	4EF041621388B805758AE1D3B122F9D364705223
SHA-256:	FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512:	C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........t.......................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.999885603947816
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ntladlklthawd.exe
File size:	3'227'136 bytes
MD5:	6458162bb12fe032d99795e4301c1c49
SHA1:	41e42ecd45f58b6cea1ee4891afd60fb913831b7
SHA256:	fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899
SHA512:	1d5f3725faffb97c3651e29f8ef2f987d9143cba0128424120ba81d23253fd81521d5fedb6513bf7eb1ff88014c3bf516e1b87581f1f150de751d36f2861fba5
SSDEEP:	98304:Ag011QHFHJzHonSPYG3BqEa1vIwrza9OrlbDlj:AgRHNhUSAGIE0ai
TLSH:	22E533385B960BB4EEA4DF7F1F0758450F40ADA004ED645AC24CF799B5332ADBDD828A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................@1......p..P.............@.......................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0xf3ac50
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6ed4f5f04d62b18d96b26d6db7c18840

Entrypoint Preview

Instruction
pushad
mov esi, 00C28015h
lea edi, dword ptr [esi-00827015h]
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007F591CDADC8Dh
inc esi
inc esi
push ebx
push 00B38EF6h
push edi
add ebx, 04h
push ebx
push 00312C2Eh
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00020003h
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+54h], 00000001h
mov dword ptr [esp+50h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3c000	0x88	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb3c088	0xc	UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x827000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x828000	0x314000	0x313a00	152f8ba6bc352806226fbd26e06b838f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0xb3c000	0x1000	0x200	4ce37912b1ab5cf465de26b9802f2621	False	0.21484375	data	1.4657272498218852	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 16:39:09.300596952 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.398093939 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.398542881 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.398730993 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.398770094 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.398807049 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.398844957 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.399349928 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.402029037 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.402065992 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.405837059 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.405966997 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.406006098 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.502513885 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.502553940 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.503022909 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.503057003 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.503475904 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.503598928 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.503635883 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.503784895 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.505990982 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.536371946 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.602408886 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.604723930 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.605232000 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.605319023 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.605575085 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.605614901 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.605649948 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.606338024 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.608663082 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.608696938 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.609839916 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.609905005 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.609930038 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.708117962 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.708156109 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.708188057 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.708220959 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.708487988 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.708525896 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:09.805175066 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.948374987 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:09.961312056 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:09.993377924 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:10.059154987 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.061773062 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.061913013 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.061969042 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.062058926 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.062804937 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:10.063293934 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:10.105467081 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:10.106878996 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:10.203135014 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.203178883 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.203274965 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.203309059 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.204988003 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.205198050 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:10.209202051 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:10.306644917 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.468456984 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:10.487684965 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:11.500158072 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:11.500210047 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:11.598114014 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:11.799052000 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:11.817949057 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:12.314979076 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:12.314979076 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:12.415148020 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:12.416188955 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:12.602885008 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:12.626812935 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:12.815845013 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:12.914387941 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:12.915185928 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:13.017035007 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:13.097543001 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:13.145612001 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.206892967 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.206979990 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.206979990 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.207032919 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.207032919 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.207135916 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.207205057 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.207206011 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.207329035 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.207329035 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.207437038 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.225797892 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.225960970 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.226048946 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.226217985 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.226265907 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.226265907 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.226324081 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.226324081 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.226373911 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.226819038 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.263231039 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.263273001 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.263314962 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.263588905 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.263634920 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.263658047 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.263698101 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.263891935 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.264041901 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.264075994 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.264111996 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.294233084 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.303936958 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.303992987 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.304099083 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.304416895 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.304807901 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.304949045 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.323383093 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.323421001 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.323576927 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.323776960 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.323824883 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.323858976 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.323894024 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.323999882 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.324031115 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.324385881 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.346328020 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346432924 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346474886 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346476078 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346497059 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346522093 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346543074 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346564054 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346632004 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346925020 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346956015 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.346981049 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.347014904 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.347033024 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.360887051 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.360939026 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.360991955 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.361025095 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.361062050 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.361094952 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.361129045 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.361160040 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.361380100 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.361450911 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.362375975 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.362560034 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.362591028 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.362612009 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.362674952 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.362695932 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.362714052 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.362740993 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.379504919 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.379543066 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.379580975 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.379611969 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.392163992 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.393346071 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.393376112 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.445619106 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.445656061 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.446150064 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446187973 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446212053 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446240902 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446269035 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446291924 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446337938 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446363926 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446382999 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446609974 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.446644068 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.461484909 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.461522102 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.461555004 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.461675882 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.461730003 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.461849928 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.462802887 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.479178905 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.479213953 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.479531050 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.479531050 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.479593992 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.479693890 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.479875088 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.495914936 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.496536016 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.544929028 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.544980049 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545013905 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545047045 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545080900 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545238018 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545272112 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545466900 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545511961 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.545576096 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.545588970 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545620918 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545723915 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.545762062 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.545780897 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.545813084 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.545826912 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.545826912 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.545855999 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.545936108 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.546168089 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.546197891 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.563146114 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.563612938 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.577649117 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.577682972 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.577789068 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.577963114 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.578006029 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.578269005 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.578298092 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.594578028 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.594921112 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.647597075 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.647634983 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.647667885 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.647703886 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.647735119 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.647768974 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.647802114 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.648097992 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.648243904 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.663372040 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.676059008 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.676495075 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.676527977 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.686212063 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.686260939 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.686260939 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.686300993 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.686336994 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.686357021 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.686393023 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.686412096 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.686453104 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.689694881 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.689735889 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.689764977 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.693881989 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.694473028 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.786046982 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.786252022 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.786286116 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.786319971 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.786334991 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.786587000 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.786601067 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.786678076 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.786686897 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.786711931 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.786802053 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.786875963 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.790597916 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.790632010 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.790666103 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.791030884 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.791062117 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.791098118 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.799844980 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.800187111 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.800215960 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.884911060 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.884946108 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.884978056 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.885010958 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.885044098 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.885699987 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.885783911 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.885816097 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.885840893 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.889281988 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.889317036 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.889517069 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:16.889610052 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.900885105 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.900922060 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.985131025 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.985168934 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:16.988646030 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:17.165055037 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:17.262979984 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:17.538837910 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:17.539021015 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:17.666220903 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:17.792017937 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:19.614576101 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:19.614684105 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:19.711674929 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:19.949649096 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:19.949742079 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:20.046576977 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:22.301362038 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:22.399702072 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:22.593105078 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:22.625375032 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:27.097719908 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:27.198174000 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:27.392671108 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:27.392726898 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:27.393140078 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:29.710834980 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:29.710834980 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:29.808121920 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:29.808191061 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:30.044641972 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:30.044936895 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:30.141325951 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:30.141807079 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:31.907268047 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:31.907423973 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:32.005779028 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:32.206187963 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:32.228744030 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:35.637840986 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:35.740353107 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:35.929958105 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:35.962368965 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:36.698261023 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:36.796211958 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:36.938905001 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:36.982422113 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:36.999037027 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:37.040884018 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:37.227582932 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:37.259902000 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:38.229420900 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:38.328356981 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:38.526279926 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:38.543068886 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:39.528520107 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:39.632107973 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:39.814812899 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:39.815243959 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:39.815340996 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:39.831536055 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:39.911413908 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:39.912708044 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:40.149255037 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:40.149360895 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:40.246068954 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:40.246128082 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:41.484963894 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:41.584980011 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:41.780273914 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:41.813057899 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:46.311383963 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:46.409616947 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:46.610800982 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:46.627862930 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:49.930042982 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:49.930042982 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:50.026767015 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:50.026830912 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:50.386749983 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:50.386837006 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:39:50.485358000 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:50.485718012 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:39:51.161536932 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:51.259251118 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:51.449026108 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:51.481571913 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:55.960679054 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:55.960680008 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:56.059205055 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:56.249836922 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:56.282311916 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:57.971599102 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:58.069468975 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:58.268079042 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:58.300434113 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:59.270176888 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:59.270297050 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:39:59.368927956 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:59.566308022 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:39:59.600289106 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:00.101021051 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:00.199063063 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:00.483540058 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:00.580167055 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:00.773027897 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:00.871453047 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:01.072477102 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:01.104984045 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:05.596379042 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:05.690579891 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:05.698462963 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:05.789001942 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:05.890611887 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:05.923314095 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:05.975065947 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:06.007596016 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:06.977737904 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:07.075778008 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:07.275613070 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:07.308196068 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:08.282419920 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:08.380345106 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:08.582192898 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:08.623424053 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:09.625509024 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:09.723764896 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:09.917898893 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:09.952698946 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:10.203754902 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:10.301048040 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:10.412303925 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:10.511394024 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:10.577318907 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:10.674115896 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:10.706986904 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:10.739525080 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:15.222970963 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:15.325066090 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:15.530626059 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:15.563211918 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:18.988362074 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:19.086318970 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:19.286974907 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:19.319936037 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:20.040369987 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:20.040462017 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:20.138782978 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:20.302792072 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:20.319577932 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:20.321288109 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:20.353904963 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:20.400948048 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:20.417294025 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:20.603272915 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:20.620351076 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:20.683759928 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:20.782366991 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:24.836497068 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:24.936384916 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:25.131289959 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:25.160582066 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:29.633471966 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:29.672804117 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:29.731976032 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:29.770776987 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:29.918874025 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:29.951879025 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:29.987854958 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:30.036922932 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:30.135385036 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:30.180145979 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:30.431787014 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:30.530600071 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:30.924253941 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:31.009171963 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:31.021302938 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:31.107414961 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:31.298605919 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:31.333900928 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:34.429840088 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:34.527923107 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:34.728087902 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:34.760353088 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:38.326179028 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:38.424532890 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:38.628740072 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:38.652630091 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:39.233622074 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:39.331415892 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:39.522810936 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:39.522866011 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:39.523435116 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:39.633800030 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:39.633881092 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:39.633881092 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:39.731817961 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:39.919836044 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:39.952289104 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:40.531244993 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:40.628222942 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:41.168087006 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:41.265125036 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:44.030124903 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:44.128726006 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:44.329365015 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:44.361948967 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:47.955773115 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:48.053419113 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:48.249928951 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:48.282593966 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:48.831212997 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:48.931981087 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:49.121823072 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:49.154443979 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:49.249027967 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:49.351385117 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:49.546117067 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:49.578903913 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:50.548748970 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:50.627418041 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:50.646913052 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:50.725953102 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:50.827832937 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:50.860295057 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:51.268402100 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:40:51.375916004 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:40:51.838264942 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:51.940640926 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:52.137901068 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:52.247598886 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:52.306185961 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:52.340558052 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:53.639736891 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:53.737770081 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:53.921578884 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:53.980498075 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:58.439580917 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:40:58.537409067 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:59.072376966 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:40:59.089062929 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:00.077436924 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:00.175324917 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:00.439377069 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:00.471960068 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:00.722712040 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:41:00.820930004 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:41:01.373428106 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:41:01.470659018 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:41:04.944474936 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:04.944613934 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:05.042500019 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:05.381865025 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:05.399138927 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:09.900768042 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:09.999150038 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:10.383986950 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:10.465636015 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:10.826014042 CET	60643	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:41:10.925015926 CET	443	60643	1.1.1.1	192.168.2.4
Mar 23, 2025 16:41:11.475646019 CET	60644	443	192.168.2.4	1.1.1.1
Mar 23, 2025 16:41:11.572335005 CET	443	60644	1.1.1.1	192.168.2.4
Mar 23, 2025 16:41:13.596775055 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:13.695532084 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:13.947941065 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:14.057534933 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:14.933959007 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:15.028493881 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:15.031882048 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:15.126688004 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:15.211242914 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:15.248630047 CET	60645	443	192.168.2.4	172.67.191.102
Mar 23, 2025 16:41:15.319775105 CET	443	60645	172.67.191.102	192.168.2.4
Mar 23, 2025 16:41:15.352224112 CET	60645	443	192.168.2.4	172.67.191.102

Statistics

Click to jump to process

Memory Usage

• ntladlklthawd.exe
• rdpvideominiport.sys
• rdpdr.sys
• ntladlklthawd.exe
• tsusbhub.sys

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• ntladlklthawd.exe
• rdpvideominiport.sys
• rdpdr.sys
• ntladlklthawd.exe
• tsusbhub.sys

Click to jump to process

Target ID:	0
Start time:	11:39:08
Start date:	23/03/2025
Path:	C:\Users\user\Desktop\ntladlklthawd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ntladlklthawd.exe"
Imagebase:	0xb60000
File size:	3'227'136 bytes
MD5 hash:	6458162BB12FE032D99795E4301C1C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 00000000.00000002.2457055619.0000000001337000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2457055619.0000000000B61000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:39:11
Start date:	23/03/2025
Path:	C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	32'600 bytes
MD5 hash:	77FF15B9237D62A5CBC6C80E5B20A492
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	4
Start time:	11:39:11
Start date:	23/03/2025
Path:	C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	169'984 bytes
MD5 hash:	64991B36F0BD38026F7589572C98E3D6
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	11:39:11
Start date:	23/03/2025
Path:	C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -
Imagebase:	0xc90000
File size:	3'227'136 bytes
MD5 hash:	6458162BB12FE032D99795E4301C1C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 00000007.00000002.1234252663.0000000001467000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1234252663.0000000000C91000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:39:11
Start date:	23/03/2025
Path:	C:\Windows\System32\drivers\tsusbhub.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	137'728 bytes
MD5 hash:	CC6D4A26254EB72C93AC848ECFCFB4AF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ntladlklthawd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
ntladlklthawd.exe