Windows Analysis Report
n68JFxlwZl.exe

Overview

General Information

Sample name: n68JFxlwZl.exe (renamed because original name is a hash value)
Original sample name: 82c2baf9f06c7b0692a543be785bd630f70d1582aef54b63752bf5c97021e771.exe
Analysis ID: 1656290
MD5: ae1af366dc655a30dbdd23f31f259a7d
SHA1: 97e7a13e370dc2a86cd9fc31489876572e467710
SHA256: 82c2baf9f06c7b0692a543be785bd630f70d1582aef54b63752bf5c97021e771
Tags: 45-88-186-146, exe, user-JAMESWT_WT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • n68JFxlwZl.exe (PID: 6460 cmdline: "C:\Users\user\Desktop\n68JFxlwZl.exe" MD5: AE1AF366DC655A30DBDD23F31F259A7D)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
No configs have been found
Source: n68JFxlwZl.exe; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: n68JFxlwZl.exe; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown; Strings:
  • 0xc750:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xee38:$a2: Stub.exe
  • 0xeec8:$a2: Stub.exe
  • 0x9208:$a3: get_ActivatePong
  • 0xc968:$a4: vmware
  • 0xc7e0:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa0fe:$a6: get_SslClient
Source: n68JFxlwZl.exe; Rule: rat_win_asyncrat; Description: Detect AsyncRAT based on specific strings; Author: Sekoia.io; Strings:
  • 0x9208:$str01: get_ActivatePong
  • 0xa0fe:$str02: get_SslClient
  • 0xa11a:$str03: get_TcpClient
  • 0x8647:$str04: get_SendSync
  • 0x86f5:$str05: get_IsConnected
  • 0x8f71:$str06: set_UseShellExecute
  • 0xca76:$str07: Pastebin
  • 0xd9b2:$str08: Select * from AntivirusProduct
  • 0xee38:$str09: Stub.exe
  • 0xeec8:$str09: Stub.exe
  • 0xc860:$str10: timeout 3 > NUL
  • 0xc750:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xc7e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: n68JFxlwZl.exe; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen; Strings:
  • 0xc7e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen; Strings:
  • 0xc5e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: Process Memory Space: n68JFxlwZl.exe PID: 6460; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: Process Memory Space: n68JFxlwZl.exe PID: 6460; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen; Strings:
  • 0x33865:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown; Strings:
  • 0xc750:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xee38:$a2: Stub.exe
  • 0xeec8:$a2: Stub.exe
  • 0x9208:$a3: get_ActivatePong
  • 0xc968:$a4: vmware
  • 0xc7e0:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa0fe:$a6: get_SslClient
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; Rule: rat_win_asyncrat; Description: Detect AsyncRAT based on specific strings; Author: Sekoia.io; Strings:
  • 0x9208:$str01: get_ActivatePong
  • 0xa0fe:$str02: get_SslClient
  • 0xa11a:$str03: get_TcpClient
  • 0x8647:$str04: get_SendSync
  • 0x86f5:$str05: get_IsConnected
  • 0x8f71:$str06: set_UseShellExecute
  • 0xca76:$str07: Pastebin
  • 0xd9b2:$str08: Select * from AntivirusProduct
  • 0xee38:$str09: Stub.exe
  • 0xeec8:$str09: Stub.exe
  • 0xc860:$str10: timeout 3 > NUL
  • 0xc750:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xc7e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen; Strings:
  • 0xc7e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
No Sigma rule has matched

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-04T08:38:39.516223+0200 | 2035595 | 1 | Domain Observed Used for C2 Detected | 45.88.186.146 | 7077 | 192.168.2.9 | 49685 | TCP
2025-04-04T08:38:39.516223+0200 | 2035607 | 1 | Domain Observed Used for C2 Detected | 45.88.186.146 | 7077 | 192.168.2.9 | 49685 | TCP
2025-04-04T08:38:39.516223+0200 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.88.186.146 | 7077 | 192.168.2.9 | 49685 | TCP

            AV Detection

Source: n68JFxlwZl.exe; Avira: detected
Source: n68JFxlwZl.exe; Virustotal: Detection: 69%
Source: n68JFxlwZl.exe; ReversingLabs: Detection: 83%
Source: Submitted Sample; Neural Call Log Analysis: 98.8%
Source: n68JFxlwZl.exe; String decryptor: null
Source: n68JFxlwZl.exe; String decryptor: AWS | 3Losh
Source: n68JFxlwZl.exe; String decryptor: false
Source: n68JFxlwZl.exe; String decryptor: 1258_0021
Source: n68JFxlwZl.exe; String decryptor: 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
Source: n68JFxlwZl.exe; String decryptor: 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
Source: n68JFxlwZl.exe; String decryptor: true
Source: n68JFxlwZl.exe; String decryptor: https://pastebin.com/raw/jkws5g0p
Source: n68JFxlwZl.exe; String decryptor: MadO_vbs
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: null
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: null
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: AWS | 3Losh
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: false
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: 1258_0021
            Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpackString decryptor: MIIE8jCCAtqgAwIBAgIQAJkyWQIRCzIuTfGusD7vCTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjUwMzI4MTYwODM5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAI3Rawx1N2xrhz/N9JpD6EUjBxFyu0F40bSPx0cpH9DWlLRoiNtcQYJC//orw9Y3hF/mJGP9fbgipW/VRGVDsA3cMQiS2tATquqRsqEZA8BRGe8olqfT1+n2/Ge+pJD4utne79xYh5/89OgjlXAnSbfBSXohMO6wUEn7UxKmYUc9FMhlwLZ9o8ADjFyY5VFdoBOaG1voJqIyADlOYR+JHmKrQHiM0YAE261Qq7ZmwQLnWFYsSat0CsSr8sozowUT9YynmN1nJ1gQGLahxMszaP/LTo6WHQosIXiZBxMs/f1NzOirS4bhdw/652RI5cClH+8WtIaqagsao9rwtQnqcJhnflfRyvFvdQM6X1AZH6Uft6sX821ggXEMUED3a5njt5fKexsn48flclPLYKLy/wwehVWIDS4W1tl63cFjJSfirtRJ/umRGfWP83sZBCrnV39H6c0GRPhETWMcQHy5ZyCoDebNr9at4vZTAUCb/WkrZRa87otSfwxOWdcxji9wXtohvk0hQLT6839m741z2/z9i2bPat/iH/3skzOHUw5Ma2GFeuZoIaG9iUFi/rsliOCt0O3LHEWYep4obaCe9I+bV2T2vL4fOi+mMjSigVgQVHvhpSRXuhDqc3RiIbhq4EePZyRIfSam2pr/dcMp9cj02zViLijsZW9yruartfc/AgMBAAGjMjAwMB0GA1UdDgQWBBTxvmzhz3t9GH5WOth9nTYoC/OntDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCFhuuMEJhlDStbttE4N3W2tL/ijKaHF02a17mc78ZYISWveXmdnPtcJ22+y+Ime8kTBh3uFOG4qaHgPZ8vAe2FxZUW17zkzTyazzCXF5RIabHNR7Phbflara/t7JMX5aN5vgNwuL3efFLcO2481YZ2hC5ozR2TNoZxS/GlJE+qsxfxSq6avyiCpPHBE/zVS/bHw6bR9MaYk6SJYbxeoXVoTUSWuqiMAhYs8Qbz/w+FIt8zRMXab+ePjOYLdOFIYlSV7kLhnWRJJ1haMjqpTU5ACuwhIlyBdxkWxZu62H8WZnKVh4ti+KYH0tb6Koof+kNIw9WRlcNz9kOvz1K3iJOSeO2DZL1fW3gI5Y+mnRGdzjyQsJq2rFp9QQEB7qVNbi0dmnbqOpXdjHIxbzY8iRdCTX99oU76OIgmgisAE3SaWOpS/HQnYS8S7jT9zQOn7ctBxTxfQra/adjPYlBdu5PhjIVXTnVtodcjqcBy0c5LyH53PCLzBNikcnzWtWbJEN7MGaKqEhDsSSq+58gZqH/uU0WOs5b8C0f2rdlslGPXSI/iM4fG8DR+IEqa8CEimHwo7mvnmW5AOPQj3m9K84bMuNwcdUJ/5LoBLKkzLcwNKYPZBAUFWvgJDxo67GPoLlXAlLGpOE6vgqXEGpLSUC6IC77AI9X+9X1Vr+iKVC5nig==
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: 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
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: false
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: true
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: https://pastebin.com/raw/jkws5g0p
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: false
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack; String decryptor: MadO_vbs
Source: n68JFxlwZl.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.22.68.199:443 -> 192.168.2.9:49684 version: TLS 1.2
Source: n68JFxlwZl.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic; Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.88.186.146:7077 -> 192.168.2.9:49685
Source: Network traffic; Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 45.88.186.146:7077 -> 192.168.2.9:49685
Source: Network traffic; Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 45.88.186.146:7077 -> 192.168.2.9:49685
Source: Network traffic; Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 45.88.186.146:7077 -> 192.168.2.9:49685
Source: unknown; DNS query: name: pastebin.com
Source: global traffic; TCP traffic: 192.168.2.9:49685 -> 45.88.186.146:7077
Source: global traffic; HTTP traffic detected: GET /raw/jkws5g0p HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 45.88.186.146
Source: Joe Sandbox View; IP Address: 104.22.68.199
Source: Joe Sandbox View; ASN Name: ANONYMIZEEpikNetworkCH
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; TCP traffic detected without corresponding DNS query: 45.88.186.146
Source: global traffic; HTTP traffic detected: GET /raw/jkws5g0p HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: pastebin.com
Source: n68JFxlwZl.exe, 00000000.00000002.3406520167.00000000056FB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: n68JFxlwZl.exe, 00000000.00000002.3404793767.0000000001467000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: n68JFxlwZl.exe, 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: n68JFxlwZl.exe, 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/jkws5g0p
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown; Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown; HTTPS traffic detected: 104.22.68.199:443 -> 192.168.2.9:49684 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: n68JFxlwZl.exe, type: SAMPLE
Source: Yara match; File source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: n68JFxlwZl.exe PID: 6460, type: MEMORYSTR
Source: n68JFxlwZl.exe, LimeLogger.cs; .Net Code: KeyboardLayout

            System Summary

Source: n68JFxlwZl.exe, type: SAMPLE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: n68JFxlwZl.exe, type: SAMPLE; Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: n68JFxlwZl.exe, type: SAMPLE; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE; Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: n68JFxlwZl.exe PID: 6460, type: MEMORYSTR; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Code function: 0_2_069F2348
Source: n68JFxlwZl.exe, 00000000.00000000.937128099.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameStub.exe" vs n68JFxlwZl.exe
Source: n68JFxlwZl.exe, 00000000.00000002.3406892366.0000000005A59000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs n68JFxlwZl.exe
Source: n68JFxlwZl.exe; Binary or memory string: OriginalFilenameStub.exe" vs n68JFxlwZl.exe
Source: n68JFxlwZl.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: n68JFxlwZl.exe, type: SAMPLE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: n68JFxlwZl.exe, type: SAMPLE; Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: n68JFxlwZl.exe, type: SAMPLE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE; Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: n68JFxlwZl.exe PID: 6460, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: n68JFxlwZl.exe, Settings.csBase64 encoded string: 'WSEeNlZSj7gii7ak+zAuutCfOpLP0AiY3okaoZVdgtEK1oJB5684IcVDZwtVFS/JPwQwd+sjTX1D4Eykp01v7g==', 'q2f057UvKk3PAZKq/BBQhWlwT9Mh18IvA9zzizlRAWCv8qf6grZC8FGurkvrXsi3AsTwkpx9pm9y/ZpEQK3+kw==', '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', 'jG+0LP8luTGw+JaxWmblky04Bfjxe95S7rMEsoa//mXjmddFprv9g1U9G08uGpCy1blvRgmVrpaQV18oBmeN+tpyWdT+Uw8d3ZGhfV+DyxL+BO9S4ZVUhnZ99/gHbtQmpQPpSWjdu8ZtSEOmBpZ5Kedd8JZOz/4LpYCqjOTIyOuGSXTOHTma1bvtcbITwmbVV3FyAUev3U0n8/zUepzmc28Zrbu85aoaP0hVrJKXnCYwoYtcXNAAQGKDDGBoMFO6qjuYL+2Df+QUOmUNLgZZaiVxsMgKhxhF+snqsivqbp+fsRZBP2dartXIh+hjTA0epMTiO/9ulHvLGG8lxsSHQxQHImDnARBA2Ro+0MEu8cZHhTBnXryY/3zVWhvaX4rXUk1jJGx83CJDaNFktf0wHxSJvs7J+9kfJ/EXy7J6ej51aeLWNN8RGwWHpTqDQsh9FShxixF9sc0DvA3
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@1/2@1/2
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Mutant created: \Sessions\1\BaseNamedObjects\1258_0021
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Mutant created: NULL
Source: n68JFxlwZl.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: n68JFxlwZl.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: n68JFxlwZl.exe; Virustotal: Detection: 69%
Source: n68JFxlwZl.exe; ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: rasman.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: secur32.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: schannel.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: webio.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: n68JFxlwZl.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: n68JFxlwZl.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

Source: n68JFxlwZl.exe, Packet.cs; .Net Code: Plugins System.AppDomain.Load(byte[])

            Boot Survival

            barindex
            Source: Yara matchFile source: n68JFxlwZl.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: n68JFxlwZl.exe PID: 6460, type: MEMORYSTR
            Source: C:\Users\user\Desktop\n68JFxlwZl.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
            Source: C:\Users\user\Desktop\n68JFxlwZl.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match; File source: n68JFxlwZl.exe, type: SAMPLE
Source: Yara match; File source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: n68JFxlwZl.exe PID: 6460, type: MEMORYSTR
Source: n68JFxlwZl.exe; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Memory allocated: 1700000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Memory allocated: 51E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Window / User API: threadDelayed 1054
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Window / User API: threadDelayed 8791
Source: C:\Users\user\Desktop\n68JFxlwZl.exe TID: 6776; Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\n68JFxlwZl.exe TID: 6796; Thread sleep count: 1054 > 30
Source: C:\Users\user\Desktop\n68JFxlwZl.exe TID: 6796; Thread sleep count: 8791 > 30
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Thread delayed: delay time: 922337203685477
Source: n68JFxlwZl.exe; Binary or memory string: vmware
Source: n68JFxlwZl.exe, 00000000.00000002.3406780232.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, n68JFxlwZl.exe, 00000000.00000002.3406520167.00000000056C0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Queries volume information: C:\Users\user\Desktop\n68JFxlwZl.exe VolumeInformation
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; File source: n68JFxlwZl.exe, type: SAMPLE
Source: Yara match; File source: 0.0.n68JFxlwZl.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: n68JFxlwZl.exe PID: 6460, type: MEMORYSTR
Source: n68JFxlwZl.exe, 00000000.00000002.3406714890.0000000005776000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\n68JFxlwZl.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
MITRE ATT&CK Matrix (tactic: techniques; a number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Obfuscated Files or Information (11); Software Packing (1); DLL Side-Loading (1); Steganography
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Web Service (1); Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1656290; Sample: n68JFxlwZl.exe; Startdate: 04/04/2025; Architecture: WINDOWS; Score: 100

Process started: n68JFxlwZl.exe
DNS/IP nodes: pastebin.com; edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; bg.microsoft.map.fastly.net
Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures; Connects to a pastebin service (likely for C&C) (pastebin.com)
Connections from n68JFxlwZl.exe: 45.88.186.146, 49685, 7077 ANONYMIZEEpikNetworkCH Netherlands; pastebin.com 104.22.68.199, 443, 49684 CLOUDFLARENETUS United States

Source | Detection | Scanner | Label
n68JFxlwZl.exe | 69% | Virustotal |
n68JFxlwZl.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.AsyncRATMarte
n68JFxlwZl.exe | 100% | Avira | TR/Dropper.Gen
SAMPLE | 100% | Joe Sandbox ML |
            No Antivirus matches


Name | IP | Active | Malicious | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 208.89.73.21 | true | false | high
pastebin.com | 104.22.68.199 | true | false | high
Name | Malicious | Reputation
https://pastebin.com/raw/jkws5g0p | false | high

Name | Source | Malicious | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | n68JFxlwZl.exe, 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.88.186.146 | unknown | Netherlands | 34962 | ANONYMIZEEpikNetworkCH | true
104.22.68.199 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1656290
                      Start date and time:2025-04-04 08:37:29 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 44s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:n68JFxlwZl.exe
                      renamed because original name is a hash value
                      Original Sample Name:82c2baf9f06c7b0692a543be785bd630f70d1582aef54b63752bf5c97021e771.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@1/2@1/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 17
                      • Number of non-executed functions: 1
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 208.89.73.21, 52.149.20.212, 184.31.69.3
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:38:39 | API Interceptor | 7975162x Sleep call for process: n68JFxlwZl.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
45.88.186.146 | p0zAljhJrX.exe | malicious | AsyncRAT
45.88.186.146 | 3gKqQWgDiq.exe | malicious | AsyncRAT
45.88.186.146 | djXdIZV2oV.ps1 | malicious | AsyncRAT
45.88.186.146 | Qu6b3ubF39.ps1 | malicious | AsyncRAT
45.88.186.146 | ceD2H9PZ64rf.ps1 | malicious | AsyncRAT
104.22.68.199 | A.ps1 | malicious | AsyncRAT
104.22.68.199 | Qu6b3ubF39.ps1 | malicious | AsyncRAT
104.22.68.199 | ceD2H9PZ64rf.ps1 | malicious | AsyncRAT
104.22.68.199 | rwgZSu7qD7.exe | malicious | Unknown
104.22.68.199 | install.exe | malicious | LummaC Stealer, Xmrig
104.22.68.199 | pDaxI2Csqx.exe | malicious | XWorm
104.22.68.199 | 𝐒𝐄𝐓𝐔𝐏.exe | malicious | LummaC Stealer
104.22.68.199 | XCsslient.exe | malicious | XWorm
104.22.68.199 | SystemRuntime.exe | malicious | XWorm
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
dropped-payload.bin.exe | malicious | PureCrypter, AsyncRAT | 208.89.73.31
SecuriteInfo.com.Win32.MalwareX-gen.8408.17417.exe | malicious | MSIL Logger, MassLogger RAT, PureLog Stealer | 208.89.73.19
https://1drv.ms/o/c/1ba8fd2bd98c98a8/EvE27W5Mh7VAow2Ieo_pbMoBu4sXAhtY_cHfpUmNrII9lA?e=TsgOhP | malicious | HTMLPhisher | 208.89.73.31
rcc_themes_[15MB]_[1].bin.exe | malicious | Unknown | 208.89.73.19
rcc_themes_[15MB]_[1].bin.exe | malicious | Unknown | 208.89.73.29
nfee.exe | malicious | Unknown | 208.89.73.23
NEW QUOTE.vbs | malicious | AsyncRAT | 208.89.73.23
random(1).exe | malicious | LummaC Stealer | 208.89.73.19
libcares-2_3.dll.dll | malicious | Unknown | 208.89.73.17
https://stats.sender.net/link_click/eXzzr5-gpoZqzG-1uv25A/28201475b69bbc587107f3682383db16 | malicious | Unknown | 208.89.73.23

Match: bg.microsoft.map.fastly.net
p0zAljhJrX.exe | malicious | AsyncRAT | 199.232.210.172
1OrX2KbqM5.exe | malicious | ScreenConnect Tool | 199.232.214.172
3gKqQWgDiq.exe | malicious | AsyncRAT | 199.232.210.172
1OrX2KbqM5.exe | malicious | ScreenConnect Tool | 199.232.214.172
A.ps1 | malicious | AsyncRAT | 199.232.214.172
djXdIZV2oV.ps1 | malicious | AsyncRAT | 199.232.214.172
Qu6b3ubF39.ps1 | malicious | AsyncRAT | 199.232.214.172
ceD2H9PZ64rf.ps1 | malicious | AsyncRAT | 199.232.214.172
SecuriteInfo.com.Win32.MalwareX-gen.8408.17417.exe | malicious | MSIL Logger, MassLogger RAT, PureLog Stealer | 199.232.214.172
nfee.exe | malicious | Unknown | 199.232.214.172

Match: pastebin.com
p0zAljhJrX.exe | malicious | AsyncRAT | 172.67.25.94
3gKqQWgDiq.exe | malicious | AsyncRAT | 104.22.69.199
A.ps1 | malicious | AsyncRAT | 104.22.69.199
djXdIZV2oV.ps1 | malicious | AsyncRAT | 172.67.25.94
Qu6b3ubF39.ps1 | malicious | AsyncRAT | 104.22.68.199
ceD2H9PZ64rf.ps1 | malicious | AsyncRAT | 104.22.68.199
Setup.exe | malicious | LummaC Stealer | 172.67.25.94
rwgZSu7qD7.exe | malicious | Unknown | 104.22.68.199
loader.vbs | malicious | Fallen Miner, Xmrig | 104.22.69.199
Setup.exe | malicious | LummaC Stealer | 104.22.69.199
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: CLOUDFLARENETUS
Supply Order Confirmation.pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
p0zAljhJrX.exe | malicious | AsyncRAT | 172.67.25.94
3gKqQWgDiq.exe | malicious | AsyncRAT | 104.22.69.199
F2fZstrZd4.exe | malicious | Unknown | 104.26.13.205
quzrmlKK3S.exe | malicious | Unknown | 104.26.13.205
F2fZstrZd4.exe | malicious | Unknown | 104.26.13.205
quzrmlKK3S.exe | malicious | Unknown | 104.26.13.205
Qkyj67TcwT.exe | malicious | Unknown | 104.26.13.205
5PQo4c4NQV.exe | malicious | Unknown | 104.26.13.205
A.ps1 | malicious | AsyncRAT | 104.22.68.199

Match: ANONYMIZEEpikNetworkCH
p0zAljhJrX.exe | malicious | AsyncRAT | 45.88.186.146
3gKqQWgDiq.exe | malicious | AsyncRAT | 45.88.186.146
5PQo4c4NQV.exe | malicious | Unknown | 45.88.186.198
djXdIZV2oV.ps1 | malicious | AsyncRAT | 45.88.186.146
Qu6b3ubF39.ps1 | malicious | AsyncRAT | 45.88.186.146
ceD2H9PZ64rf.ps1 | malicious | AsyncRAT | 45.88.186.146
5PQo4c4NQV.exe | malicious | Unknown | 45.88.186.198
Recently_S_S_A_Statement#640521215.wsf | malicious | Unknown | 45.88.186.198
Nigga.exe | malicious | Unknown | 45.88.186.38
dwm.bat | malicious | Batch Injector, XWorm | 45.88.186.38
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Supply Order Confirmation.pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.22.68.199
p0zAljhJrX.exe | malicious | AsyncRAT | 104.22.68.199
1OrX2KbqM5.exe | malicious | ScreenConnect Tool | 104.22.68.199
3gKqQWgDiq.exe | malicious | AsyncRAT | 104.22.68.199
F2fZstrZd4.exe | malicious | Unknown | 104.22.68.199
quzrmlKK3S.exe | malicious | Unknown | 104.22.68.199
1OrX2KbqM5.exe | malicious | ScreenConnect Tool | 104.22.68.199
F2fZstrZd4.exe | malicious | Unknown | 104.22.68.199
quzrmlKK3S.exe | malicious | Unknown | 104.22.68.199
Qkyj67TcwT.exe | malicious | Unknown | 104.22.68.199
                                                  No context
                                                  Process:C:\Users\user\Desktop\n68JFxlwZl.exe
                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                  Category:dropped
                                                  Size (bytes):73305
                                                  Entropy (8bit):7.996028107841645
                                                  Encrypted:true
                                                  SSDEEP:1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
                                                  MD5:83142242E97B8953C386F988AA694E4A
                                                  SHA1:833ED12FC15B356136DCDD27C61A50F59C5C7D50
                                                  SHA-256:D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
                                                  SHA-512:BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH*..M.KB."..rK.RQ*..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j|w..*.#.oU..Eq[..P..^..~.V...;..m...I|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8*E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....
                                                  Process:C:\Users\user\Desktop\n68JFxlwZl.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):330
                                                  Entropy (8bit):3.183651560957911
                                                  Encrypted:false
                                                  SSDEEP:6:kKMGmcvSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:EGmCkPlE99SNxAhUeq8S
                                                  MD5:872BDAFC15A7472CAB3217CD0268F881
                                                  SHA1:3C8300E7C8EB0E38792EEFE71047AE993D6BE998
                                                  SHA-256:775214A35A19D6E522102FBE56A72225D9C6BA9178E366BD71C719E79785353C
                                                  SHA-512:4748794DE5C27AFCD6EF07D735FB32AF6597513785FF9E49699DCD086AE0C08732C1EB4148AD913934EB13D6151E0819242BB903B040DB647797B5A5791B86CB
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:p...... .........5.3,...(....................................................... ..................(...........Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):5.430784909074166
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:n68JFxlwZl.exe
                                                  File size:62'976 bytes
                                                  MD5:ae1af366dc655a30dbdd23f31f259a7d
                                                  SHA1:97e7a13e370dc2a86cd9fc31489876572e467710
                                                  SHA256:82c2baf9f06c7b0692a543be785bd630f70d1582aef54b63752bf5c97021e771
                                                  SHA512:19d716b108dcf96a5c9270a7a4f386c8252cc8167e774e0800367f0c3c88345c9be1275f12b53afdbd0056787961842816e02b46132a92e1e155a5ebf61ecd94
                                                  SSDEEP:1536:M2O7qkZt7EirmQ4iMfd/1pbbpkvIdcQNs1zTidTyGdOIzIta5b6cg6ojR+iFNfWF:M2O7qkZt7Ei6DiMfd/1pbbpkvIdcQNs0
                                                  TLSH:DD53FA003BEDC525F1BE8FB465F6A1444AF9F56B2A02D94D1C8811DA1A327C29942FFF
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e............................>.... ... ....@.. .......................`............`................................
                                                  Icon Hash:90cececece8e8eb0
                                                  Entrypoint:0x41093e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x65B37383 [Fri Jan 26 08:55:31 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x108f0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x7ff | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe944 | 0xea00 | 7baf605ad3e18d879f1ccc65a0ba198b | False | 0.46981837606837606 | data | 5.469700521725921 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x7ff | 0x800 | 33cdbc5c50f34a35b4f0e61582ac7f11 | False | 0.41650390625 | data | 4.884866150337139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xc | 0x200 | a933cf2dcdf8115115cc19e769113df7 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x120a0 | 0x2cc | data | | | 0.43575418994413406
RT_MANIFEST | 0x1236c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43381725021349277
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription |
FileVersion | 1.0.0.0
InternalName | Stub.exe
LegalCopyright |
LegalTrademarks |
OriginalFilename | Stub.exe
ProductName |
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-04T08:38:39.516223+0200 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 45.88.186.146 | 7077 | 192.168.2.9 | 49685 | TCP
2025-04-04T08:38:39.516223+0200 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 45.88.186.146 | 7077 | 192.168.2.9 | 49685 | TCP
2025-04-04T08:38:39.516223+0200 | 2035595 | ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert | 1 | 45.88.186.146 | 7077 | 192.168.2.9 | 49685 | TCP
2025-04-04T08:38:39.516223+0200 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 45.88.186.146 | 7077 | 192.168.2.9 | 49685 | TCP
                                                  • Total Packets: 282
• 7077
                                                  • 443 (HTTPS)
                                                  • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 4, 2025 08:38:38.621967077 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:38.621984005 CEST | 443 | 49684 | 104.22.68.199 | 192.168.2.9
Apr 4, 2025 08:38:38.622107029 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:38.633961916 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:38.633975029 CEST | 443 | 49684 | 104.22.68.199 | 192.168.2.9
Apr 4, 2025 08:38:38.846537113 CEST | 443 | 49684 | 104.22.68.199 | 192.168.2.9
Apr 4, 2025 08:38:38.846668959 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:38.852281094 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:38.852292061 CEST | 443 | 49684 | 104.22.68.199 | 192.168.2.9
Apr 4, 2025 08:38:38.852615118 CEST | 443 | 49684 | 104.22.68.199 | 192.168.2.9
Apr 4, 2025 08:38:38.892298937 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:38.909076929 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:38.952322006 CEST | 443 | 49684 | 104.22.68.199 | 192.168.2.9
Apr 4, 2025 08:38:39.083863020 CEST | 443 | 49684 | 104.22.68.199 | 192.168.2.9
Apr 4, 2025 08:38:39.083978891 CEST | 443 | 49684 | 104.22.68.199 | 192.168.2.9
Apr 4, 2025 08:38:39.084120989 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:39.100280046 CEST | 49684 | 443 | 192.168.2.9 | 104.22.68.199
Apr 4, 2025 08:38:39.102653027 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:39.227603912 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:39.228234053 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:39.228509903 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:39.357886076 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:39.357903004 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:39.358031034 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:39.388880968 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:39.516222954 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:39.564176083 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:40.391285896 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:40.561687946 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:40.561764956 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:40.732815027 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:45.846848011 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:46.016112089 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:46.016222000 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:46.142831087 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:46.189193964 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:46.313858032 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:46.323487997 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:46.498877048 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:46.499522924 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:46.670150995 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:50.203706980 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:50.251734018 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:50.381119967 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:50.439183950 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:51.315973997 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:51.485246897 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:51.485318899 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:51.611879110 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:51.658407927 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:51.783742905 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:51.785691023 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:51.951005936 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:51.951121092 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:52.122580051 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:56.783432961 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:56.950877905 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:56.950942993 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:57.078725100 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:57.126743078 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:57.251530886 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:57.253427982 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:57.420332909 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:38:57.421183109 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:38:57.591531038 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:02.266714096 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:02.435628891 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:02.435735941 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:02.569448948 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:02.611073971 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:02.739761114 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:02.741760969 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:02.919851065 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:02.919909954 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:03.091664076 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:07.723222017 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:07.888438940 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:07.888546944 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:08.013991117 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:08.067477942 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:08.192161083 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:08.194264889 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:08.373255968 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:08.373307943 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:08.544595957 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:13.189915895 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:13.357229948 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:13.357361078 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:13.483359098 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:13.532985926 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:13.658848047 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:13.660836935 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:13.826036930 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:13.826210022 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:13.998189926 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:18.658694983 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:18.825834036 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:18.825967073 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:18.952692986 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:19.001737118 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:19.126811981 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:19.129043102 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:19.294989109 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:19.295216084 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:19.466835022 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:20.220887899 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:20.267421961 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:20.391972065 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:20.439281940 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:24.128979921 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:24.295150995 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:24.295351982 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:24.420748949 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:24.470530033 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:24.595196962 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:24.598042965 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
Apr 4, 2025 08:39:24.764178991 CEST | 7077 | 49685 | 45.88.186.146 | 192.168.2.9
Apr 4, 2025 08:39:24.764405966 CEST | 49685 | 7077 | 192.168.2.9 | 45.88.186.146
                                                  Apr 4, 2025 08:39:24.935585022 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:29.702424049 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:29.874547005 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:29.874679089 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:30.044467926 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:30.103013992 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:30.142395020 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:30.267555952 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:30.314383984 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:30.595941067 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:30.763365030 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:30.763499975 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:30.935189009 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:35.158564091 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:35.325941086 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:35.326112032 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:35.453696966 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:35.501832962 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:35.626899004 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:35.631268978 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:35.811414003 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:35.811573982 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:35.982582092 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:40.627197981 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:40.794589043 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:40.794684887 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:40.919787884 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:40.970598936 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:41.095690012 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:41.098310947 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:41.279644012 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:41.279767990 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:41.450958967 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:46.096287966 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:46.266902924 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:46.266968966 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:46.392683983 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:46.439428091 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:46.566654921 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:46.568974018 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:46.751748085 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:46.751904011 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:46.919862986 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:50.234673023 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:50.314244986 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:50.439522028 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:50.611174107 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:51.675705910 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:51.841401100 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:51.841485977 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:51.968148947 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:52.025418043 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:52.150120974 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:52.151763916 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:52.326683044 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:52.326746941 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:52.498035908 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:57.049104929 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:57.216624022 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:57.216742992 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:57.343729019 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:57.392431021 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:57.521244049 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:57.523123026 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:57.705220938 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:39:57.705269098 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:39:57.873697996 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:02.517963886 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:02.686506987 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:02.686559916 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:02.811815023 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:02.970582962 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:03.095441103 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:03.097364902 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:03.263418913 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:03.263472080 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:03.439085007 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:08.083640099 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:08.269170046 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:08.269608021 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:08.394999981 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:08.470530987 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:08.595949888 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:08.599071026 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:08.779342890 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:08.785231113 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:08.950804949 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:13.518057108 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:13.693068981 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:13.693114996 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:13.818825006 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:13.876820087 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:14.002602100 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:14.004092932 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:14.172209024 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:14.172420025 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:14.344139099 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:19.003582001 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:19.171020985 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:19.173394918 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:19.308213949 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:19.486283064 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:19.613934994 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:19.638633013 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:19.970566988 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:20.099931955 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:20.255902052 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:20.397650957 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:20.525788069 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:20.673779964 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:23.205547094 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:23.376398087 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:23.376600027 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:23.508475065 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:23.580056906 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:23.709875107 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:23.712930918 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:23.893594027 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:23.893738031 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:24.063324928 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:28.676289082 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:28.843346119 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:28.845325947 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:28.973081112 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:29.017508030 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:29.144754887 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:29.147305965 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:29.326932907 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:29.327011108 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:29.501367092 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:31.361629963 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:31.529227018 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:31.533345938 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:31.659041882 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:31.704927921 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:31.832664967 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:31.834338903 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:32.017096996 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:32.017213106 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:32.187949896 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:36.830524921 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:36.999130964 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:36.999321938 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:37.125303984 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:37.173768997 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:37.299454927 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:37.304719925 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:37.482496023 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:37.482546091 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:37.657413960 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:42.299146891 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:42.467485905 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:42.467763901 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:42.593004942 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:42.645287037 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:42.770430088 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:42.772284985 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:42.952301025 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:42.952445984 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:43.123222113 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:46.381983995 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:46.561104059 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:46.561259031 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:46.687575102 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:46.736293077 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:46.866456032 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:46.868206024 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:47.045958996 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:47.046166897 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:47.217957973 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:50.264229059 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:50.303544044 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:50.430629969 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:50.489326954 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:51.848639011 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:52.013811111 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:52.013869047 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:52.140980959 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:52.189351082 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:52.315798044 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:52.317449093 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:52.483072042 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:52.485560894 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:52.656425953 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:56.439873934 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:56.607587099 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:56.607803106 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:56.737879038 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:56.919867039 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:57.046664000 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:57.048275948 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:57.216873884 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:40:57.220248938 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:40:57.388700008 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:01.908709049 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:02.076775074 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:02.076837063 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:02.202639103 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:02.346102953 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:02.471487999 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:02.517225027 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:02.685880899 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:02.689575911 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:02.858861923 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:07.377438068 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:07.544960022 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:07.545167923 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:07.670516014 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:07.751871109 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:07.877696037 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:07.880100012 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:08.060482979 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:08.061009884 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:08.233947039 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:10.768127918 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:10.935534954 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:10.935626984 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:11.060874939 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:11.251897097 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:11.376667976 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:11.378559113 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:11.547390938 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:11.547636032 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:11.718204975 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:16.248941898 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:16.420758009 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:16.421030045 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:16.547259092 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:16.595630884 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:16.722315073 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:16.723756075 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:16.904225111 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:16.904278040 CEST496857077192.168.2.945.88.186.146
                                                  Apr 4, 2025 08:41:17.076131105 CEST70774968545.88.186.146192.168.2.9
                                                  Apr 4, 2025 08:41:19.971415997 CEST496857077192.168.2.945.88.186.146
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 4, 2025 08:38:38.516710997 CEST | 53914 | 53 | 192.168.2.9 | 1.1.1.1
Apr 4, 2025 08:38:38.616662979 CEST | 53 | 53914 | 1.1.1.1 | 192.168.2.9

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 4, 2025 08:38:38.516710997 CEST | 192.168.2.9 | 1.1.1.1 | 0x2291 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 4, 2025 08:38:38.616662979 CEST | 1.1.1.1 | 192.168.2.9 | 0x2291 | No error (0) | pastebin.com | | 104.22.68.199 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:38.616662979 CEST | 1.1.1.1 | 192.168.2.9 | 0x2291 | No error (0) | pastebin.com | | 104.22.69.199 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:38.616662979 CEST | 1.1.1.1 | 192.168.2.9 | 0x2291 | No error (0) | pastebin.com | | 172.67.25.94 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:39.747662067 CEST | 1.1.1.1 | 192.168.2.9 | 0x305 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.21 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:39.747662067 CEST | 1.1.1.1 | 192.168.2.9 | 0x305 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.25 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:39.747662067 CEST | 1.1.1.1 | 192.168.2.9 | 0x305 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.23 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:39.747662067 CEST | 1.1.1.1 | 192.168.2.9 | 0x305 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.19 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:39.747662067 CEST | 1.1.1.1 | 192.168.2.9 | 0x305 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.17 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:39.747662067 CEST | 1.1.1.1 | 192.168.2.9 | 0x305 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.31 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:39.747662067 CEST | 1.1.1.1 | 192.168.2.9 | 0x305 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.27 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:39.747662067 CEST | 1.1.1.1 | 192.168.2.9 | 0x305 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.29 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:51.327999115 CEST | 1.1.1.1 | 192.168.2.9 | 0x92b0 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 4, 2025 08:38:51.327999115 CEST | 1.1.1.1 | 192.168.2.9 | 0x92b0 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                  • pastebin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49684 | 104.22.68.199 | 443 | 6460 | C:\Users\user\Desktop\n68JFxlwZl.exe
Timestamp | Bytes transferred | Direction | Data
2025-04-04 06:38:38 UTC | 74 | OUT
GET /raw/jkws5g0p HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2025-04-04 06:38:39 UTC | 399 | IN
HTTP/1.1 200 OK
Date: Fri, 04 Apr 2025 06:38:39 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=14400
CF-Cache-Status: HIT
Age: 1478
Last-Modified: Fri, 04 Apr 2025 06:14:01 GMT
Server: cloudflare
CF-RAY: 92aecdd5e91e558a-EWR
2025-04-04 06:38:39 UTC | 24 | IN
Data Raw: 31 32 0d 0a 34 35 2e 38 38 2e 31 38 36 2e 31 34 36 3a 37 30 37 37 0d 0a
Data Ascii: 1245.88.186.146:7077
2025-04-04 06:38:39 UTC | 5 | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0

The 24-byte response body is a chunked-transfer chunk: the size line "12" (0x12 = 18 bytes) followed by the 18-character string 45.88.186.146:7077, and the 5-byte "0" chunk terminates the body. The raw paste therefore hands the sample its C2 host and port, which is the same 45.88.186.146:7077 endpoint the sample's subsequent TCP traffic is directed to.


[Chart: process activity over time; only the axis ticks survived extraction (0-200 s, 0-100)]

[Chart: process memory over time; only the axis ticks survived extraction (0-200 s, 0.00-30 MB)]

[Chart: process behavior distribution; legend: File, Registry, Network]

Target ID: 0
Start time: 02:38:33
Start date: 04/04/2025
Path: C:\Users\user\Desktop\n68JFxlwZl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\n68JFxlwZl.exe"
Imagebase: 0xeb0000
File size: 62'976 bytes
MD5 hash: AE1AF366DC655A30DBDD23F31F259A7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.937104634.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.3405345217.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

                                                  Execution Graph

Execution Coverage: 7.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 14
Total number of Limit Nodes: 2
execution_graph (node id: address [API called at that node]; edges written as id -> id)
16119: 1702dd0 -> 16120: 1702e14 SetWindowsHookExW -> 16122: 1702e5a
16123: 1708130 DuplicateHandle -> 16124: 17081c6
16125: 1707ee8 -> 16126: 1707f2e GetCurrentProcess
16126 -> 16128: 1707f80 GetCurrentThread; 16126 -> 16129: 1707f79; 16129 -> 16128
16128 -> 16130: 1707fbd GetCurrentProcess; 16128 -> 16131: 1707fb6; 16131 -> 16130
16130 -> 16134: 1707ff3 -> 16132: 170801b GetCurrentThreadId -> 16133: 170804c

                                                  Executed Functions

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 01707F66
                                                  • GetCurrentThread.KERNEL32 ref: 01707FA3
                                                  • GetCurrentProcess.KERNEL32 ref: 01707FE0
                                                  • GetCurrentThreadId.KERNEL32 ref: 01708039
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3405046962.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1700000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 2e29862142ba261f9f0aa30e247a20b8907208b42a229c3efa3311a1e9ad75d6
                                                  • Instruction ID: 057050cd89eea50e1f58c74d3cdb31d083f35a30b243ffce4381a1b7172f4cf1
                                                  • Opcode Fuzzy Hash: 2e29862142ba261f9f0aa30e247a20b8907208b42a229c3efa3311a1e9ad75d6
                                                  • Instruction Fuzzy Hash: DD5168B0910349CFDB08CFAAD548B9EBBF1EB48314F208559E409A7390DB35A944CB66

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 01707F66
                                                  • GetCurrentThread.KERNEL32 ref: 01707FA3
                                                  • GetCurrentProcess.KERNEL32 ref: 01707FE0
                                                  • GetCurrentThreadId.KERNEL32 ref: 01708039
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3405046962.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1700000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: ade871aea4a51e5c5feb84e3762b7a6d993c33d7967ba8cd377303aaf4808a7a
                                                  • Instruction ID: 974dcf428c235c2677fd6eb2b82ecdea6e504e48c4d7a73291d6022c1c4b05c7
                                                  • Opcode Fuzzy Hash: ade871aea4a51e5c5feb84e3762b7a6d993c33d7967ba8cd377303aaf4808a7a
                                                  • Instruction Fuzzy Hash: 015159B0910349CFDB18DFAAD548B9EFBF5EB48314F208059E409A7390DB356944CB66

                                                  Control-flow Graph

control_flow_graph (3 basic blocks):
  1708130-17081c4 [DuplicateHandle] -> 17081c6-17081cc, 17081cd-17081ea
  17081c6-17081cc -> 17081cd-17081ea
  17081cd-17081ea (exit)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017081B7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3405046962.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1700000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 42af50b75c9369101b3dccdb362828ea2837d53f1e6b9801dcc7df3519829de5
                                                  • Instruction ID: 9564cbff5361a00f7889fdbe2a354fb1ceb04b2a1e36d91e9a3acb0cac7c10d2
                                                  • Opcode Fuzzy Hash: 42af50b75c9369101b3dccdb362828ea2837d53f1e6b9801dcc7df3519829de5
                                                  • Instruction Fuzzy Hash: 1F21BFB5D00259DFDB10CFAAD984ADEFBF8EB48320F14841AE914A3350D374A944CFA5

                                                  Control-flow Graph

control_flow_graph (3 basic blocks):
  170812d-17081c4 [DuplicateHandle] -> 17081c6-17081cc, 17081cd-17081ea
  17081c6-17081cc -> 17081cd-17081ea
  17081cd-17081ea (exit)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017081B7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3405046962.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1700000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 51bda361d8afd3076bb812e73c42a13fba530b5bf923e6a92271fa563b9a3ff3
                                                  • Instruction ID: 209cfda0ce7b0aafce7e54c6d99d65d7637addee2fc0a2cb3e6021a123e5cb65
                                                  • Opcode Fuzzy Hash: 51bda361d8afd3076bb812e73c42a13fba530b5bf923e6a92271fa563b9a3ff3
                                                  • Instruction Fuzzy Hash: 4F21E0B5D00248DFDB10CFAAD984AEEFBF4EB48320F14841AE914A3350C374A940CFA5

                                                  Control-flow Graph

control_flow_graph (6 basic blocks):
  1702dc8-1702e1a -> 1702e1c, 1702e26-1702e58
  1702e1c -> 1702e24
  1702e24 -> 1702e26-1702e58
  1702e26-1702e58 [SetWindowsHookExW] -> 1702e5a-1702e60, 1702e61-1702e86
  1702e5a-1702e60 -> 1702e61-1702e86
  1702e61-1702e86 (exit)
                                                  APIs
                                                  • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01702E4B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3405046962.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1700000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID: HookWindows
                                                  • String ID:
                                                  • API String ID: 2559412058-0
                                                  • Opcode ID: 910aabbb00dfeea838e9f7a12829a2e911c346415bf6ac0226ea26ae5e61f7ea
                                                  • Instruction ID: 1c8543ca60edd5105e958b426e136a347043c281d8d6c4c30fcbccf461de4eac
                                                  • Opcode Fuzzy Hash: 910aabbb00dfeea838e9f7a12829a2e911c346415bf6ac0226ea26ae5e61f7ea
                                                  • Instruction Fuzzy Hash: 04213475D00209DFDB14CFAAC948BEEFBF5EB88320F10842AE415A7290C775A944CFA1

                                                  Control-flow Graph

control_flow_graph (6 basic blocks):
  1702dd0-1702e1a -> 1702e1c, 1702e26-1702e58
  1702e1c -> 1702e24
  1702e24 -> 1702e26-1702e58
  1702e26-1702e58 [SetWindowsHookExW] -> 1702e5a-1702e60, 1702e61-1702e86
  1702e5a-1702e60 -> 1702e61-1702e86
  1702e61-1702e86 (exit)
                                                  APIs
                                                  • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01702E4B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3405046962.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1700000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID: HookWindows
                                                  • String ID:
                                                  • API String ID: 2559412058-0
                                                  • Opcode ID: bbabee48199f51bc7e61bb67b493f0735fcf47b40bfe40b49f3229a95a8262ec
                                                  • Instruction ID: 137f1caeeedb641d33d0b47a4b60146125622c8d8eac35c5697619b9d22f2b97
                                                  • Opcode Fuzzy Hash: bbabee48199f51bc7e61bb67b493f0735fcf47b40bfe40b49f3229a95a8262ec
                                                  • Instruction Fuzzy Hash: 66210475D00209CFDB15CFAAD948BDEFBF5EB88320F10842AE415A7290C775A944CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3407612284.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_69f0000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 33379c5f46bd95c196ac32143ecfa7701fc5d9ec910bdc15f44f249ca113bfd3
                                                  • Instruction ID: 4908e459f9c1c1bd8772d612ace12a75b921bd935d15945166609d101aaba4f3
                                                  • Opcode Fuzzy Hash: 33379c5f46bd95c196ac32143ecfa7701fc5d9ec910bdc15f44f249ca113bfd3
                                                  • Instruction Fuzzy Hash: E2D22C39710200CFDB98EB78E46866E37E3EB89705B24856ED506CB350EF399D82DB51

                                                  Control-flow Graph

control_flow_graph (45 basic blocks, no API labels; listed by start address, successors after the arrow):
  69f0448-69f0470 -> 69f0472-69f0479, 69f047b-69f0482
  69f0472-69f0479 -> 69f047b-69f0482, 69f0487-69f049b
  69f047b-69f0482 -> 69f07e6-69f07ed
  69f0487-69f049b -> 69f04a1-69f04ee, 69f07cc-69f07d3
  69f04a1-69f04ee -> 69f04f4-69f051b, 69f075d-69f0764
  69f04f4-69f051b -> 69f051d, 69f0530-69f054c
  69f051d -> 69f0523-69f052a, 69f06f8-69f0714
  69f0523-69f052a -> 69f0530-69f054c, 69f06f8-69f0714
  69f0530-69f054c -> 69f054e-69f0555, 69f055d-69f0564
  69f054e-69f0555 -> 69f055b, 69f07d5-69f07da
  69f055b -> 69f056a-69f0586
  69f055d-69f0564 -> 69f056a-69f0586, 69f07d5-69f07da
  69f056a-69f0586 -> 69f0588, 69f059b-69f05b5
  69f0588 -> 69f058e-69f0595, 69f064b-69f0689
  69f058e-69f0595 -> 69f059b-69f05b5, 69f064b-69f0689
  69f059b-69f05b5 -> 69f05bb-69f05bf
  69f05bb-69f05bf -> 69f05c1-69f05c8, 69f05cd-69f0616
  69f05c1-69f05c8 -> 69f07e6-69f07ed
  69f05cd-69f0616 -> 69f0618, 69f0623-69f062a
  69f0618 -> 69f061a-69f0621, 69f062f-69f0636
  69f061a-69f0621 -> 69f0623-69f062a, 69f062f-69f0636
  69f0623-69f062a -> 69f07e6-69f07ed
  69f062f-69f0636 -> 69f0638, 69f064b-69f0689
  69f0638 -> 69f059b-69f05b5, 69f063e-69f0645
  69f063e-69f0645 -> 69f059b-69f05b5, 69f064b-69f0689
  69f064b-69f0689 -> 69f0690-69f06c0
  69f0690-69f06c0 -> 69f06c2-69f06c9, 69f06d1-69f06d8
  69f06c2-69f06c9 -> 69f06cf, 69f07d5-69f07da
  69f06cf -> 69f06de-69f06f3
  69f06d1-69f06d8 -> 69f06de-69f06f3, 69f07d5-69f07da
  69f06de-69f06f3 -> 69f077a-69f07c4
  69f06f8-69f0714 -> 69f0716-69f071d, 69f0725-69f072c
  69f0716-69f071d -> 69f0723, 69f07d5-69f07da
  69f0723 -> 69f0732-69f075b
  69f0725-69f072c -> 69f0732-69f075b, 69f07d5-69f07da
  69f0732-69f075b -> 69f077a-69f07c4
  69f075d-69f0764 -> 69f0766, 69f0771-69f0778
  69f0766 -> 69f0768-69f076f, 69f077a-69f07c4
  69f0768-69f076f -> 69f0771-69f0778, 69f077a-69f07c4
  69f0771-69f0778 -> 69f07e6-69f07ed
  69f077a-69f07c4 -> 69f07ca
  69f07ca -> 69f07e6-69f07ed
  69f07cc-69f07d3 -> 69f07e6-69f07ed
  69f07d5-69f07da -> 69f07e6-69f07ed
  69f07e6-69f07ed (exit)
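The report export serializes each graph as a single token stream (a node is `<id> <address>[-<end>] [<ApiName>]`, an edge is `<id>-><id>`, the same grammar for the execution_graph and every control_flow_graph above) and lists each function's calls as `Api.MODULE(args), ref: address` lines, with a function that was snapshotted twice appearing twice. The Python below is an added example, not Joe Sandbox code: it parses both formats, using this report's execution graph, one control-flow graph and three API lines as embedded sample input, reads the ordered API chains off the graph (for the function at 1707ee8 that is GetCurrentProcess -> GetCurrentThread -> GetCurrentProcess -> GetCurrentThreadId), collapses the doubled call sites, and flags the SetWindowsHookExW call whose second argument (hMod) is 00000000 as a candidate in-process hook. The function and record names are mine, and the flag is a triage hint only: the hook type (idHook, the first argument) is unresolved (`?`) in the report.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from this report's execution_graph and
# APIs listings for the 01700000 memory dump (node ids are Joe Sandbox's).
EXEC_GRAPH = (
    "execution_graph 16119 1702dd0 16120 1702e14 SetWindowsHookExW 16119->16120 "
    "16122 1702e5a 16120->16122 16123 1708130 DuplicateHandle 16124 17081c6 "
    "16123->16124 16125 1707ee8 16126 1707f2e GetCurrentProcess 16125->16126 "
    "16128 1707f80 GetCurrentThread 16126->16128 16129 1707f79 16126->16129 "
    "16130 1707fbd GetCurrentProcess 16128->16130 16131 1707fb6 16128->16131 "
    "16129->16128 16134 1707ff3 16130->16134 16131->16130 "
    "16132 170801b GetCurrentThreadId 16133 170804c 16132->16133 16134->16132"
)
API_LINES = [
    "• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01702E4B",
    "• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017081B7",
    "• GetCurrentProcess.KERNEL32 ref: 01707F66",
    "• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01702E4B",  # second snapshot
]

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
API_RE = re.compile(r"^[•\s]*(?P<api>\w+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


def parse_graph(stream):
    """Parse an execution_graph / control_flow_graph token stream.
    Returns (nodes: id -> (address, api_or_None), edges: [(src, dst)])."""
    tokens = stream.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges, i = {}, [], 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        node_id, addr = int(tokens[i]), tokens[i + 1]
        if not ADDR_RE.match(addr):
            raise ValueError(f"node {node_id}: bad address token {addr!r}")
        api = None
        # An API label follows the address unless the next token starts a
        # new node (all digits) or is an edge.
        if (i + 2 < len(tokens) and not tokens[i + 2].isdigit()
                and not EDGE_RE.match(tokens[i + 2])):
            api, i = tokens[i + 2], i + 3
        else:
            i += 2
        nodes[node_id] = (addr, api)
    return nodes, edges


def api_chains(nodes, edges):
    """Ordered API names along every root-to-leaf path, deduplicated and
    sorted. A path that re-enters a block already on it (a loop) is not
    followed again, so loop-only paths contribute nothing."""
    succ, has_pred = defaultdict(list), set()
    for s, d in edges:
        succ[s].append(d)
        has_pred.add(d)
    chains = set()

    def walk(n, acc, seen):
        if n in seen:
            return
        api = nodes[n][1]
        if api:
            acc = acc + (api,)
        if not succ.get(n):
            chains.add(acc)
            return
        for d in succ[n]:
            walk(d, acc, seen | {n})

    for n in nodes:
        if n not in has_pred:
            walk(n, (), frozenset())
    return sorted(chains)


def parse_api_line(line):
    """Parse one '• Api.MODULE(args), ref: ADDR' line; None if it is not one."""
    m = API_RE.match(line.strip())
    if not m:
        return None
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": args.split(",") if args is not None else [],
            "ref": int(m.group("ref"), 16)}


def index_apis(lines):
    """api name -> set of call-site addresses (doubled listings collapse)."""
    idx = defaultdict(set)
    for rec in filter(None, map(parse_api_line, lines)):
        idx[rec["api"]].add(rec["ref"])
    return dict(idx)


def is_inprocess_hook(rec):
    """SetWindowsHookExW with hMod (2nd argument) == 0, the form a hook
    installed from the calling process passes. idHook is '?' here, so this
    marks a candidate, not a confirmed keyboard hook."""
    a = rec["args"]
    return rec["api"] == "SetWindowsHookExW" and len(a) >= 2 and a[1] == "00000000"


if __name__ == "__main__":
    nodes, edges = parse_graph(EXEC_GRAPH)
    for chain in api_chains(nodes, edges):
        print(" -> ".join(chain))
    for rec in filter(None, map(parse_api_line, API_LINES)):
        if is_inprocess_hook(rec):
            print(f"candidate in-process hook at {rec['ref']:08X}")
    print(index_apis(API_LINES))
```

A NULL module handle is what a hook set from the calling process itself passes, which is the pattern a managed low-level keyboard hook produces; confirming that reading requires recovering idHook at the call site (WH_KEYBOARD_LL is 13), which the sandbox did not resolve.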
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3407612284.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_69f0000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: xKr
                                                  • API String ID: 0-3643198288
                                                  • Opcode ID: d4bf0e8a41653ad01d6f6f73606f45792968bb7cc1060e2199ad9103b237fe7e
                                                  • Instruction ID: 4b151fda45ea1e5adb59cc8c07df6b905a9cb218ff45405fd0e442c3d1b76d4d
                                                  • Opcode Fuzzy Hash: d4bf0e8a41653ad01d6f6f73606f45792968bb7cc1060e2199ad9103b237fe7e
                                                  • Instruction Fuzzy Hash: 22912674A11300CFEBB4CB2AF8147253BEAB789314F264659D916CFAC9E7749884CF81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3407612284.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_69f0000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: TeGr
                                                  • API String ID: 0-704940016
                                                  • Opcode ID: 61284006ce07a9ae144871321d2e4ae1419ff241b69bae34ee1a24f39ae97c98
                                                  • Instruction ID: 989b0ce899035f6d8da59facd60ec47beea10bebfe6c3a84b9437a350e75e05a
                                                  • Opcode Fuzzy Hash: 61284006ce07a9ae144871321d2e4ae1419ff241b69bae34ee1a24f39ae97c98
                                                  • Instruction Fuzzy Hash: 3D11C2317102009FDB089F58C959BEE7BF6AB8C700F220059E206E7391CF755D01CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3407612284.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_69f0000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: TeGr
                                                  • API String ID: 0-704940016
                                                  • Opcode ID: 960886b99075089d55ab9db98b65e6a3ac9ba007eff6e429f5f348de6361565c
                                                  • Instruction ID: c04491501b4e53682db9e5281ed7a84b477c3387c7d34cf9c334ae664fdf0da4
                                                  • Opcode Fuzzy Hash: 960886b99075089d55ab9db98b65e6a3ac9ba007eff6e429f5f348de6361565c
                                                  • Instruction Fuzzy Hash: 210180317201049FDB189F58C959BAEBBF6AB8C700F214069E602EB3A1CFB19D01CB95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3407612284.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_69f0000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aa8cb487ed7be93904cdac717a56c7853f9291cd726225f94272cf69cc038104
                                                  • Instruction ID: 441b5b8b6861cf2005dcdb64347aeafd61f42eb5c934f0b4c2cb45af06e72ad5
                                                  • Opcode Fuzzy Hash: aa8cb487ed7be93904cdac717a56c7853f9291cd726225f94272cf69cc038104
                                                  • Instruction Fuzzy Hash: 6D514A35A21145CBCB648B68D46433D77E9EB46309B39847AD60ACFB01D773CD82C792
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3407612284.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_69f0000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 79f15f8feeca14f2cbd683c91fb991ff15d486dc71de55b5baee5da4e3eb8256
                                                  • Instruction ID: e6f3436c46d3d6fb51adf36d97a4144e753617894a0b8dcb5d23004adaf28b9d
                                                  • Opcode Fuzzy Hash: 79f15f8feeca14f2cbd683c91fb991ff15d486dc71de55b5baee5da4e3eb8256
                                                  • Instruction Fuzzy Hash: 55414A75A25240CBCB644768D46433977E9EB42305B3A887BD606CFA42D777CD82C792
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3404455612.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_13dd000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a20453bd0067c829bf9cc6af015049ee1dc01a7d2b9d9d88ddb640711feef6de
                                                  • Instruction ID: a453b1b2bf84117fdd35d1c70ef7b27eb5fc2899ea8395b4a790c296e92e1c0c
                                                  • Opcode Fuzzy Hash: a20453bd0067c829bf9cc6af015049ee1dc01a7d2b9d9d88ddb640711feef6de
                                                  • Instruction Fuzzy Hash: D1212873504244DFDB05DF94E9C0B26BF66FB8831CF24C169E9090B296C336D456CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3404520921.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_13ed000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d1376f41bafe40d67a208e27fc1e4042ea4ec3f2972bb177120494e1bbf9a7a2
                                                  • Instruction ID: a7d8cd988e0816168754ef4c1d01ef7a78442279480462ca897013384f223e30
                                                  • Opcode Fuzzy Hash: d1376f41bafe40d67a208e27fc1e4042ea4ec3f2972bb177120494e1bbf9a7a2
                                                  • Instruction Fuzzy Hash: 84212271600344DFEB45DF94C988B26BBA5FB88318F20C56DE80A4B396C33BD446CA62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3404455612.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_13dd000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9f90c8ebd869c7f5da3640548ba0032c22cbf5c37ed481a294d31329acf6dc3
                                                  • Instruction ID: b4e7f75c48e8a0cd81b4a9c858906661196de1b8418b278a4b1d4d84f6d18c36
                                                  • Opcode Fuzzy Hash: e9f90c8ebd869c7f5da3640548ba0032c22cbf5c37ed481a294d31329acf6dc3
                                                  • Instruction Fuzzy Hash: 0111B176504280DFDB16CF58D9C4B16BF72FB84328F24C6A9D9050B267C336D456CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3404520921.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_13ed000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dbd8ad200daf28bb2644830fdd12e80a5c04529fd798695066194654e59fde9d
                                                  • Instruction ID: 626dc365a06fff2696b737a797b6100b749ff16f2e4e32b9e1fec9a827ae5696
                                                  • Opcode Fuzzy Hash: dbd8ad200daf28bb2644830fdd12e80a5c04529fd798695066194654e59fde9d
                                                  • Instruction Fuzzy Hash: 4B119D75504380DFDB06CF54D9C8B15BFB1FB84318F24C6AAD8494B696C33AD45ACB61
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3407612284.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_69f0000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af97d2f9a87040ad5545262d1ff826ad3418ac8affd3f3a49e4b930958f34f87
                                                  • Instruction ID: 72b10548667914992cda0785dfab8597a804c93cb10947ce280d5d3c5a97128b
                                                  • Opcode Fuzzy Hash: af97d2f9a87040ad5545262d1ff826ad3418ac8affd3f3a49e4b930958f34f87
                                                  • Instruction Fuzzy Hash: D2D05B7190010DEFCB40EFB9E94155DB7F5EB55104B104199E40DD7340EA312F009B52

                                                  Non-executed Functions

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3407612284.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_69f0000_n68JFxlwZl.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 612a0ec736d3f3666badae30bcf3cab482e33bebf535e413f1b078c9eb0bfa3a
                                                  • Instruction ID: 77537ddd764e7bf46d11c6f95d474b926567c3da66ca275fb16bf45dfe215503
                                                  • Opcode Fuzzy Hash: 612a0ec736d3f3666badae30bcf3cab482e33bebf535e413f1b078c9eb0bfa3a
                                                  • Instruction Fuzzy Hash: D682CF74B002058FDB84DFB9C89472EB7E2FF84304F60856DE10A8B7A5DA759D46CB92