Edit tour

Windows Analysis Report
t90RvrDNvz.exe

Overview

General Information

Sample name:	t90RvrDNvz.exe renamed because original name is a hash value
Original sample name:	f660778402a3bb138486c84706d69a00ee03818437d6dac0fed4ea276561e84a.exe
Analysis ID:	1562121
MD5:	05ce896e3a0a78a9bf1f12a51d83d215
SHA1:	f7e32c1dc592e3c185fece729ebcc0266e86e0cc
SHA256:	f660778402a3bb138486c84706d69a00ee03818437d6dac0fed4ea276561e84a
Tags:	AdwareTechsnabexeTRADETRUSTLLCuser-JAMESWT_MHT
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Contains functionality to call native functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

t90RvrDNvz.exe (PID: 1444 cmdline: "C:\Users\user\Desktop\t90RvrDNvz.exe" MD5: 05CE896E3A0A78A9BF1F12A51D83D215)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T08:33:06.925259+0100	2028371	3	Unknown Traffic	192.168.2.6	49718	172.67.204.237	443	TCP
2024-11-25T08:33:09.961854+0100	2028371	3	Unknown Traffic	192.168.2.6	49720	18.213.123.165	443	TCP
2024-11-25T08:33:19.458372+0100	2028371	3	Unknown Traffic	192.168.2.6	49737	172.67.204.237	443	TCP
2024-11-25T08:33:21.485008+0100	2028371	3	Unknown Traffic	192.168.2.6	49743	18.213.123.165	443	TCP
2024-11-25T08:33:31.005204+0100	2028371	3	Unknown Traffic	192.168.2.6	49765	172.67.204.237	443	TCP
2024-11-25T08:33:33.113123+0100	2028371	3	Unknown Traffic	192.168.2.6	49772	18.213.123.165	443	TCP
2024-11-25T08:33:44.023543+0100	2028371	3	Unknown Traffic	192.168.2.6	49807	172.67.204.237	443	TCP
2024-11-25T08:33:46.140180+0100	2028371	3	Unknown Traffic	192.168.2.6	49813	18.213.123.165	443	TCP
2024-11-25T08:33:56.612862+0100	2028371	3	Unknown Traffic	192.168.2.6	49837	172.67.204.237	443	TCP
2024-11-25T08:33:58.724023+0100	2028371	3	Unknown Traffic	192.168.2.6	49843	18.213.123.165	443	TCP
2024-11-25T08:34:08.367518+0100	2028371	3	Unknown Traffic	192.168.2.6	49871	172.67.204.237	443	TCP
2024-11-25T08:34:10.838070+0100	2028371	3	Unknown Traffic	192.168.2.6	49881	18.213.123.165	443	TCP
2024-11-25T08:34:20.987632+0100	2028371	3	Unknown Traffic	192.168.2.6	49904	172.67.204.237	443	TCP
2024-11-25T08:34:23.097771+0100	2028371	3	Unknown Traffic	192.168.2.6	49910	18.213.123.165	443	TCP
2024-11-25T08:34:33.352021+0100	2028371	3	Unknown Traffic	192.168.2.6	49935	172.67.204.237	443	TCP
2024-11-25T08:34:35.888799+0100	2028371	3	Unknown Traffic	192.168.2.6	49939	18.213.123.165	443	TCP
2024-11-25T08:34:45.817476+0100	2028371	3	Unknown Traffic	192.168.2.6	49963	172.67.204.237	443	TCP
2024-11-25T08:34:47.912181+0100	2028371	3	Unknown Traffic	192.168.2.6	49969	18.213.123.165	443	TCP
2024-11-25T08:34:57.503711+0100	2028371	3	Unknown Traffic	192.168.2.6	49992	172.67.204.237	443	TCP
2024-11-25T08:34:59.589060+0100	2028371	3	Unknown Traffic	192.168.2.6	49996	18.213.123.165	443	TCP
2024-11-25T08:35:10.225666+0100	2028371	3	Unknown Traffic	192.168.2.6	50022	172.67.204.237	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: t90RvrDNvz.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49963 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:50022 version: TLS 1.2

Source: t90RvrDNvz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49720 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49765 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49743 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49737 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49772 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49837 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49843 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49881 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49871 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49910 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49813 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49935 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49969 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49807 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49939 -> 18.213.123.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49904 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50022 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49992 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49963 -> 172.67.204.237:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49996 -> 18.213.123.165:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org
Source: global traffic	HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1Connection: Keep-AliveHost: eth0.cdn-serveri2004-ns.shop
Source: global traffic	HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1Connection: Keep-AliveHost: httpbin.org

Source: global traffic	DNS traffic detected: DNS query: eth0.cdn-serveri2004-ns.shop
Source: global traffic	DNS traffic detected: DNS query: httpbin.org

Source: t90RvrDNvz.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0
Source: t90RvrDNvz.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0
Source: t90RvrDNvz.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0
Source: t90RvrDNvz.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: t90RvrDNvz.exe	String found in binary or memory: http://ocsps.ssl.com0P
Source: t90RvrDNvz.exe	String found in binary or memory: http://www.burnaware.com
Source: t90RvrDNvz.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0
Source: t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3100967300.00000000038A3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/
Source: t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop//
Source: t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2352772201.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/011t
Source: t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/3
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/Jt
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/O
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php)
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php3
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php7aU
Source: t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpCc
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpO
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpT
Source: t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpWc
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpkc
Source: t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop:443/c2dm/WSVUCGSKHE7PDXHDBW27/api.php
Source: t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003891000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop:443/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpRS
Source: t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/drip?code=200&del
Source: t90RvrDNvz.exe, 00000000.00000003.2352751790.000000000388C000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3394956509.00000000038B1000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101382322.0000000003898000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2352751790.000000000388C000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10LocationETagAuthentication-InfoAgeAc
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10f
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10i.php
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10i.phpM
Source: t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/p
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10
Source: t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10gv
Source: t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10jD
Source: t90RvrDNvz.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49963 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:50022 version: TLS 1.2

Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Code function: 0_2_0087C7BB NtQuerySystemInformation,		0_2_0087C7BB
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Code function: 0_2_0087C3EB NtDelayExecution,		0_2_0087C3EB

Source: t90RvrDNvz.exe

Static PE information: invalid certificate

Source: t90RvrDNvz.exe

Static PE information: Number of sections : 11 > 10

Source: t90RvrDNvz.exe, 00000000.00000002.3395384110.0000000004CBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevmdbCOM.DLLF vs t90RvrDNvz.exe
Source: t90RvrDNvz.exe, 00000000.00000000.2144326512.0000000000B5D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevmdbCOM.DLLF vs t90RvrDNvz.exe
Source: t90RvrDNvz.exe	Binary or memory string: OriginalFilenamevmdbCOM.DLLF vs t90RvrDNvz.exe

Source: classification engine

Classification label: mal56.evad.winEXE@1/0@3/2

Source: t90RvrDNvz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\t90RvrDNvz.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: t90RvrDNvz.exe

ReversingLabs: Detection: 18%

Source: t90RvrDNvz.exe	String found in binary or memory: Africa/Addis_Ababa
Source: t90RvrDNvz.exe	String found in binary or memory: Try to re-install the software.

Source: C:\Users\user\Desktop\t90RvrDNvz.exe

File read: C:\Users\user\Desktop\t90RvrDNvz.exe

Jump to behavior

Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: t90RvrDNvz.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: t90RvrDNvz.exe

Static file information: File size 26869672 > 1048576

Source: t90RvrDNvz.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x53b800

Source: t90RvrDNvz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: t90RvrDNvz.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\t90RvrDNvz.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\t90RvrDNvz.exe TID: 7040

Thread sleep time: -270000s >= -30000s

Jump to behavior

Source: t90RvrDNvz.exe	Binary or memory string: 1998-2023 VMware, Inc.@
Source: t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7sP
Source: t90RvrDNvz.exe	Binary or memory string: CompanyNameVMware, Inc.F
Source: t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: t90RvrDNvz.exe	Binary or memory string: ProductNameVMware WorkstationP
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\t90RvrDNvz.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\t90RvrDNvz.exe

NtDelayExecution: Indirect: 0x87C429

Jump to behavior

Source: C:\Users\user\Desktop\t90RvrDNvz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
t90RvrDNvz.exe	18%	ReversingLabs	Win64.Trojan.Giant

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://eth0.cdn-serveri2004-ns.shop/011t	0%	Avira URL Cloud	safe
https://httpbin.org/drip?code=200&del	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/O	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop:443/c2dm/WSVUCGSKHE7PDXHDBW27/api.php	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/Jt	0%	Avira URL Cloud	safe
https://httpbin.org/p	0%	Avira URL Cloud	safe
https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10gv	0%	Avira URL Cloud	safe
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10i.phpM	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpWc	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php3	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpCc	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php)	0%	Avira URL Cloud	safe
https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10	0%	Avira URL Cloud	safe
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop:443/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpRS	0%	Avira URL Cloud	safe
http://www.burnaware.com	0%	Avira URL Cloud	safe
https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10jD	0%	Avira URL Cloud	safe
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10i.php	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop//	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/3	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpT	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php7aU	0%	Avira URL Cloud	safe
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10f	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0P	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpkc	0%	Avira URL Cloud	safe
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpO	0%	Avira URL Cloud	safe
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10LocationETagAuthentication-InfoAgeAc	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
eth0.cdn-serveri2004-ns.shop	172.67.204.237	true	false	unknown
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
httpbin.org	18.213.123.165	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10i.phpM	t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/	t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3100967300.00000000038A3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/p	t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10gv	t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/O	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/drip?code=200&del	t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0	t90RvrDNvz.exe	false		high
https://eth0.cdn-serveri2004-ns.shop/011t	t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2352772201.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/Jt	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpWc	t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/	t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsps.ssl.com0	t90RvrDNvz.exe	false		high
https://eth0.cdn-serveri2004-ns.shop:443/c2dm/WSVUCGSKHE7PDXHDBW27/api.php	t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0	t90RvrDNvz.exe	false		high
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php3	t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php)	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop:443/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpRS	t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003891000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0	t90RvrDNvz.exe	false		high
http://www.burnaware.com	t90RvrDNvz.exe	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpCc	t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10jD	t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10i.php	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop//	t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	t90RvrDNvz.exe	false		high
https://eth0.cdn-serveri2004-ns.shop/3	t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php7aU	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0	t90RvrDNvz.exe	false		high
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpO	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpT	t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10LocationETagAuthentication-InfoAgeAc	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2352751790.000000000388C000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10f	t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpkc	t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0P	t90RvrDNvz.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.213.123.165	httpbin.org	United States		14618	AMAZON-AESUS	false
172.67.204.237	eth0.cdn-serveri2004-ns.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562121
Start date and time:	2024-11-25 08:32:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	t90RvrDNvz.exe renamed because original name is a hash value
Original Sample Name:	f660778402a3bb138486c84706d69a00ee03818437d6dac0fed4ea276561e84a.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@1/0@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: t90RvrDNvz.exe

Simulations

Behavior and APIs

Time	Type	Description
02:33:13	API Interceptor	11x Sleep call for process: t90RvrDNvz.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	VM2ICvV5qQ.pdf	Get hash	malicious	Unknown	Browse	34.228.248.173
	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Get hash	malicious	Unknown	Browse	34.236.15.216
	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Get hash	malicious	Unknown	Browse	107.22.40.220
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	54.84.32.120
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	54.84.32.120
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	3.224.101.31
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	52.86.188.217
	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse	34.199.14.71
	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse	34.199.14.71
	file.exe	Get hash	malicious	LummaC	Browse	18.206.19.26
ax-0001.ax-msedge.net	asegurar.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	150.171.28.10
	2Wr5r2e9vo.msi	Get hash	malicious	Unknown	Browse	150.171.28.10
	RFQ AE 3003910999.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	150.171.27.10
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	150.171.27.10
	file.exe	Get hash	malicious	Stealc	Browse	150.171.27.10
	file.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	file.exe	Get hash	malicious	Stealc	Browse	150.171.27.10
	file.exe	Get hash	malicious	Stealc	Browse	150.171.28.10
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	150.171.28.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	file (1).txt.bat	Get hash	malicious	Unknown	Browse	34.193.227.236
	FGQ-667893.pdf	Get hash	malicious	Unknown	Browse	54.227.187.23
	apep.mpsl.elf	Get hash	malicious	Mirai	Browse	54.128.146.146
	apep.arm6.elf	Get hash	malicious	Mirai	Browse	34.196.147.238
	https://og.oomaal.in/	Get hash	malicious	Unknown	Browse	50.19.252.172
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	44.206.94.170
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.233.89.80
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.206.13.133
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.164.156.159
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.23.34.251
CLOUDFLARENETUS	segura.vbs	Get hash	malicious	Remcos	Browse	172.67.187.200
	asegurar.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.84.67
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	2Brb1DnRS6.wsf	Get hash	malicious	Unknown	Browse	172.67.204.2
	pm4ozz83c4.vbs	Get hash	malicious	Unknown	Browse	172.67.204.2
	Cargo Invoice_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.191.199
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	Synliggre.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.212.23
	Salary_Increase_Letter_Nov'24.vbs	Get hash	malicious	Unknown	Browse	172.67.191.199

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	docx008.docx.doc	Get hash	malicious	Unknown	Browse	18.213.123.165 172.67.204.237
	docx002.docx.doc	Get hash	malicious	Unknown	Browse	18.213.123.165 172.67.204.237
	docx009.docx.doc	Get hash	malicious	Unknown	Browse	18.213.123.165 172.67.204.237
	docx007.docx.doc	Get hash	malicious	Unknown	Browse	18.213.123.165 172.67.204.237
	file.exe	Get hash	malicious	LummaC Stealer	Browse	18.213.123.165 172.67.204.237
	P0-4856383648383364838364836483.xls	Get hash	malicious	Unknown	Browse	18.213.123.165 172.67.204.237
	file.exe	Get hash	malicious	LummaC Stealer	Browse	18.213.123.165 172.67.204.237
	file.exe	Get hash	malicious	Unknown	Browse	18.213.123.165 172.67.204.237
	file.exe	Get hash	malicious	LummaC Stealer	Browse	18.213.123.165 172.67.204.237
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	18.213.123.165 172.67.204.237

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.716970124470014
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	t90RvrDNvz.exe
File size:	26'869'672 bytes
MD5:	05ce896e3a0a78a9bf1f12a51d83d215
SHA1:	f7e32c1dc592e3c185fece729ebcc0266e86e0cc
SHA256:	f660778402a3bb138486c84706d69a00ee03818437d6dac0fed4ea276561e84a
SHA512:	3b2190ab1517baab830836aaab84ad30e90017e36293167fbc9d3739793afa7ea2a3a1c2e93f2305a8bc2d60358f5be86eeff8d6ee5f4634a52d1efc22717c33
SSDEEP:	786432:ubi6R+4Tf4lAt2BpdjzaDJws42F2Tt1s/QM:upRpj4lG2BWDJws5F2h1dM
TLSH:	8247016F72A8916DC12DC1BBC4A78F50E533B0796B36C5FB52A202650F16AC85E3F760
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	74509878e0f8b0f0

Static PE Info

General

Entrypoint:	0x92ae50
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66FBCD2B [Tue Oct 1 10:21:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e48acacf71d9ad44306c0021c6e39bc1

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA ECC R2, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	18/11/2024 04:47:36 18/11/2025 04:47:36
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=UA, OID.2.5.4.15=Private Organization, CN=TRADE TRUST LLC, SERIALNUMBER=37058412, O=TRADE TRUST LLC, L=Dnipro, C=UA
Version:	3
Thumbprint MD5:	534B9DBCF3BB2DFA2DAD06DA0709841E
Thumbprint SHA-1:	FEA61825376A364886B5236EFCB3EDD1B23E9441
Thumbprint SHA-256:	BD193172C9C4775190F1C906FF5B47D9FB1A342DB35AC211A1A4AC8A9B07B914
Serial:	4C46DCF5B0C4357F05806830DBA932FD

Entrypoint Preview

Instruction
push ebp
dec eax
add esp, FFFFFF80h
dec eax
mov ebp, esp
dec eax
mov dword ptr [ebp+28h], 00000000h
dec eax
mov dword ptr [ebp+20h], 00000000h
dec eax
mov dword ptr [ebp+38h], 00000000h
dec eax
mov dword ptr [ebp+30h], 00000000h
dec eax
mov dword ptr [ebp+48h], 00000000h
dec eax
mov dword ptr [ebp+40h], 00000000h
dec eax
mov dword ptr [ebp+58h], 00000000h
dec eax
mov dword ptr [ebp+50h], 00000000h
dec eax
mov dword ptr [ebp+68h], 00000000h
dec eax
mov dword ptr [ebp+60h], 00000000h
dec eax
mov dword ptr [ebp+70h], 00000000h
dec eax
mov dword ptr [ebp+78h], ebp
nop
dec eax
lea ecx, dword ptr [0000023Ch]
call 00007F7C8C69F464h
nop
nop
dec eax
mov eax, dword ptr [000B100Eh]
dec eax
mov ecx, dword ptr [eax]
call 00007F7C8C9967A3h
dec eax
mov eax, dword ptr [000B0FFFh]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007F7C8C9990A2h
dec eax
mov eax, dword ptr [000B0FEEh]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFDFABCh]
dec esp
mov eax, dword ptr [000B113Dh]
call 00007F7C8C9967A5h
dec eax
lea ecx, dword ptr [ebp+70h]
mov edx, 00000001h
call 00007F7C8C68FB27h
dec eax
cmp dword ptr [ebp+70h], 00000000h
jne 00007F7C8CBB0F64h
dec eax
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x75b000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x754000	0x4dac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e1000	0x7eb44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7a6000	0x3a548	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x199f600	0x9a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x75e000	0x474f0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x75d000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x755368	0x1238	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x759000	0x1244	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x53b7d0	0x53b800	d281706cbc69a9664a5c169a8afcb0f5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x53d000	0x9f780	0x9f800	b6438bf6d7d03c3f60ca850e9e0f47f2	False	0.23962976342084638	data	4.356329368111319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x5dd000	0x1760a4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x754000	0x4dac	0x4e00	470f797341277ad9ffa11407d0ed6c01	False	0.25931490384615385	data	4.284835127185531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x759000	0x1244	0x1400	354cc5439968d32091f071d4c6c8df38	False	0.2478515625	data	3.2490610880265134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x75b000	0x9a	0x200	346c31c06f477564c1fd57506a4a227f	False	0.259765625	data	1.9042232128311023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x75c000	0x280	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x75d000	0x6d	0x200	6ef7f2860a434feb9fb0e4f4981c4c1f	False	0.193359375	data	1.379943032279798	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x75e000	0x474e8	0x47600	7ef5ed284d6cfdaf5fafb7ec578613d3	False	0.4766890597635727	data	6.477238149065975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x7a6000	0x3a548	0x3a600	a16ed171e886db87694667ed8d26a71b	False	0.49873695128479656	data	6.416734311414888	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7e1000	0x7eb44	0x7ec00	93f74e39358c7296565f286c0c353f7c	False	0.6715167344674556	data	7.674095407137192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
COLOR	0x7e2b38	0x4	data			3.0
COLOR	0x7e2b3c	0x4	data			3.0
COLOR	0x7e2b40	0x4	data			3.0
RT_CURSOR	0x7e2b44	0x134	data	English	United States	0.43506493506493504
RT_CURSOR	0x7e2c78	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x7e2dac	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x7e2ee0	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x7e3014	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x7e3148	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x7e327c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x7e33b0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x7e34e4	0x528	Device independent bitmap graphic, 20 x 16 x 32, image size 1280			0.048484848484848485
RT_BITMAP	0x7e3a0c	0x468	Device independent bitmap graphic, 17 x 16 x 32, image size 1088			0.07446808510638298
RT_BITMAP	0x7e3e74	0x5a8	Device independent bitmap graphic, 16 x 22 x 32, image size 1408			0.0738950276243094
RT_BITMAP	0x7e441c	0x600	Device independent bitmap graphic, 17 x 22 x 32, image size 1496			0.043619791666666664
RT_BITMAP	0x7e4a1c	0x4e8	Device independent bitmap graphic, 19 x 16 x 32, image size 1216			0.05015923566878981
RT_BITMAP	0x7e4f04	0x5a8	Device independent bitmap graphic, 16 x 22 x 32, image size 1408			0.06284530386740332
RT_BITMAP	0x7e54ac	0x5a8	Device independent bitmap graphic, 16 x 22 x 32, image size 1408			0.08287292817679558
RT_BITMAP	0x7e5a54	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.33270676691729323
RT_BITMAP	0x7e5e7c	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.23966165413533835
RT_BITMAP	0x7e62a4	0x468	Device independent bitmap graphic, 8 x 8 x 8, image size 64			0.424645390070922
RT_BITMAP	0x7e670c	0x468	Device independent bitmap graphic, 8 x 8 x 8, image size 64			0.4228723404255319
RT_ICON	0x7e6b74	0x26126	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9963255569378359
RT_STRING	0x80cc9c	0x3b8	data			0.3697478991596639
RT_STRING	0x80d054	0xb40	data			0.25972222222222224
RT_STRING	0x80db94	0x8e4	data			0.28866432337434095
RT_STRING	0x80e478	0x414	data			0.36398467432950193
RT_STRING	0x80e88c	0x41c	data			0.33460076045627374
RT_STRING	0x80eca8	0x384	data			0.43444444444444447
RT_STRING	0x80f02c	0x44c	data			0.40636363636363637
RT_STRING	0x80f478	0x15c	data			0.5747126436781609
RT_STRING	0x80f5d4	0xd0	data			0.6778846153846154
RT_STRING	0x80f6a4	0x120	data			0.6041666666666666
RT_STRING	0x80f7c4	0x310	data			0.44005102040816324
RT_STRING	0x80fad4	0x3f8	data			0.375
RT_STRING	0x80fecc	0x34c	data			0.3755924170616114
RT_STRING	0x810218	0x548	data			0.3143491124260355
RT_STRING	0x810760	0x204	data			0.28294573643410853
RT_STRING	0x810964	0x430	data			0.40578358208955223
RT_STRING	0x810d94	0x5d4	data			0.3371313672922252
RT_STRING	0x811368	0x43c	data			0.3404059040590406
RT_STRING	0x8117a4	0x338	data			0.4223300970873786
RT_STRING	0x811adc	0x338	data			0.3883495145631068
RT_STRING	0x811e14	0x430	data			0.4039179104477612
RT_STRING	0x812244	0x174	data			0.5161290322580645
RT_STRING	0x8123b8	0xcc	data			0.6225490196078431
RT_STRING	0x812484	0x1d0	data			0.5344827586206896
RT_STRING	0x812654	0x3a8	data			0.358974358974359
RT_STRING	0x8129fc	0x344	data			0.39593301435406697
RT_STRING	0x812d40	0x2dc	data			0.38114754098360654
RT_STRING	0x81301c	0x334	data			0.3280487804878049
RT_RCDATA	0x813350	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x8140b0	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x814e08	0xcfc	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003309265944645
RT_RCDATA	0x815b04	0xcd9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033444816053512
RT_RCDATA	0x8167e0	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x817540	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x818298	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x818ee8	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x819b38	0xcb5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033814940055334
RT_RCDATA	0x81a7f0	0xcb0	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033866995073892
RT_RCDATA	0x81b4a0	0xd56	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032220269478618
RT_RCDATA	0x81c1f8	0xd47	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032362459546926
RT_RCDATA	0x81cf40	0xdc2	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031232254400908
RT_RCDATA	0x81dd04	0xdc5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031205673758865
RT_RCDATA	0x81eacc	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x81f7c0	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x8204b0	0xda9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031455533314269
RT_RCDATA	0x82125c	0xda6	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031482541499714
RT_RCDATA	0x822004	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x822cf8	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x8239e8	0x10	data			1.5
RT_RCDATA	0x8239f8	0x148b	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0020916524054002
RT_RCDATA	0x824e84	0x111e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0025102692834322
RT_RCDATA	0x825fa4	0xd8c	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0031718569780854
RT_RCDATA	0x826d30	0xc58	data			0.5126582278481012
RT_RCDATA	0x827988	0x2	data	English	United States	5.0
RT_RCDATA	0x82798c	0xa5e1	Delphi compiled form 'Tfrm_About'			0.9672671611915695
RT_RCDATA	0x831f70	0x8e9	Delphi compiled form 'Tfrm_Add'			0.43095133713283645
RT_RCDATA	0x83285c	0x50d	Delphi compiled form 'Tfrm_Adding'			0.4300077339520495
RT_RCDATA	0x832d6c	0x3cbe	Delphi compiled form 'Tfrm_DiscInfo'			0.8445659163987138
RT_RCDATA	0x836a2c	0x45d	Delphi compiled form 'Tfrm_Discs'			0.5344673231871083
RT_RCDATA	0x836e8c	0xc96	Delphi compiled form 'Tfrm_Erase'			0.9130974549968963
RT_RCDATA	0x837b24	0x793	Delphi compiled form 'Tfrm_Init'			0.853017019082001
RT_RCDATA	0x8382b8	0xa4f	Delphi compiled form 'Tfrm_InitFix'			0.9041303524062144
RT_RCDATA	0x838d08	0x2c7	Delphi compiled form 'Tfrm_Input'			0.5836849507735584
RT_RCDATA	0x838fd0	0xc7a	Delphi compiled form 'Tfrm_Insert'			0.9001252348152786
RT_RCDATA	0x839c4c	0x20ba6	Delphi compiled form 'Tfrm_Main'			0.6749071269786803
RT_RCDATA	0x85a7f4	0x829	Delphi compiled form 'Tfrm_MultiProperties'			0.6251795117280996
RT_RCDATA	0x85b020	0x22df	Delphi compiled form 'Tfrm_Options'			0.30928643441245657
RT_RCDATA	0x85d300	0x95d	Delphi compiled form 'Tfrm_Prepare'			0.7563621193158114
RT_RCDATA	0x85dc60	0x753	Delphi compiled form 'Tfrm_Properties'			0.3984
RT_RCDATA	0x85e3b4	0xce0	Delphi compiled form 'Tfrm_ReadDisc'			0.9293082524271845
RT_GROUP_CURSOR	0x85f094	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x85f0a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x85f0bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x85f0d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x85f0e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x85f0f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x85f10c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x85f120	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x85f134	0x14	data	English	United States	1.1
RT_VERSION	0x85f148	0x320	data	English	United States	0.46625
RT_MANIFEST	0x85f468	0x6dc	XML 1.0 document, ASCII text, with CRLF line terminators	English	Great Britain	0.3331435079726651

Imports

DLL	Import
shlwapi.dll	StrCmpLogicalW, StrFormatByteSizeW, PathMatchSpecW, StrRetToStrW, StrFormatKBSizeW, SHAutoComplete
winspool.drv	DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comdlg32.dll	ChooseColorW, GetSaveFileNameW, GetOpenFileNameW
comctl32.dll	FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, ImageList_GetDragImage, FlatSB_SetScrollProp, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll	SHBindToParent, DragQueryFileW, SHGetSpecialFolderLocation, ILCombine, Shell_NotifyIconW, SHCreateShellItem, SHGetDataFromIDListW, SHGetPathFromIDListW, ILFindLastID, ILGetNext, SHChangeNotifyDeregister, ILCreateFromPathW, ILFindChild, SHGetFileInfoW, SHGetDesktopFolder, ILRemoveLastID, SHChangeNotify, ILFree, ILClone, IsUserAnAdmin, SHChangeNotification_Unlock, ShellExecuteW
user32.dll	MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoExW, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, PtInRect, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, GetComboBoxInfo, GetWindowLongPtrW, SetWindowLongPtrW, LoadStringW, CreateMenu, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, IsRectEmpty, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, GetMenuItemRect, CreateIconIndirect, CreateWindowExW, ChildWindowFromPoint, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, MessageBoxA, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, InflateRect, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClassLongPtrW, GetClassLongPtrW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, SetKeyboardState, GetKeyboardState, ScreenToClient, DrawFrameControl, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CountClipboardFormats, CallWindowProcW, CloseClipboard, DestroyCursor, PostQuitMessage, ShowScrollBar, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, InsertMenuW, IsWindowEnabled, IsDialogMessageA, GetMenuDefaultItem, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	GetErrorInfo, VariantInit, SysFreeString, VariantClear, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType, VariantCopyInd
advapi32.dll	RegEnumKeyExW, CheckTokenMembership, RegFlushKey, RegEnumValueW, RegQueryValueExW, RegCloseKey, RegQueryInfoKeyW, RegOpenKeyExW, AllocateAndInitializeSid, FreeSid
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
msvcrt.dll	memcpy, memset
kernel32.dll	SetFileAttributesW, RtlUnwindEx, QueryDosDeviceW, GetACP, GetExitCodeProcess, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, GetCPInfoExW, GetLongPathNameW, RtlUnwind, GetCPInfo, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToTzSpecificLocalTime, GetModuleHandleW, FreeLibrary, HeapDestroy, FileTimeToDosDateTime, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, SetThreadExecutionState, RaiseException, GlobalAddAtomW, FormatMessageW, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, GetFileAttributesExW, ExpandEnvironmentStringsW, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, UnmapViewOfFile, GetModuleFileNameA, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcpyW, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, EnumResourceNamesW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll	RevokeDragDrop, CreateBindCtx, CoCreateInstance, CoUninitialize, OleGetClipboard, CLSIDFromString, ReleaseStgMedium, RegisterDragDrop, IsEqualGUID, OleInitialize, CoInitializeEx, OleUninitialize, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, DoDragDrop, StringFromCLSID
gdi32.dll	Pie, SetPaletteEntries, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, GetTextColor, StretchBlt, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, SetPixelV, CreatePalette, CreateDCW, PolyBezierTo, CreateICW, GetStockObject, CreateSolidBrush, GetBkMode, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetCurrentObject, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, SetGraphicsMode, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, GetViewportOrgEx, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, BitBlt, SetWorldTransform, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, CombineRgn, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, CreateDIBSection, SetStretchBltMode, GetDIBits, ExtCreateRegion, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, CreateRoundRectRgn, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x50d530
__dbk_fcall_wrapper	2	0x419090
dbkFCallWrapperAddr	1	0x9e3290

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T08:33:06.925259+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49718	172.67.204.237	443	TCP
2024-11-25T08:33:09.961854+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49720	18.213.123.165	443	TCP
2024-11-25T08:33:19.458372+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49737	172.67.204.237	443	TCP
2024-11-25T08:33:21.485008+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49743	18.213.123.165	443	TCP
2024-11-25T08:33:31.005204+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49765	172.67.204.237	443	TCP
2024-11-25T08:33:33.113123+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49772	18.213.123.165	443	TCP
2024-11-25T08:33:44.023543+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49807	172.67.204.237	443	TCP
2024-11-25T08:33:46.140180+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49813	18.213.123.165	443	TCP
2024-11-25T08:33:56.612862+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49837	172.67.204.237	443	TCP
2024-11-25T08:33:58.724023+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49843	18.213.123.165	443	TCP
2024-11-25T08:34:08.367518+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49871	172.67.204.237	443	TCP
2024-11-25T08:34:10.838070+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49881	18.213.123.165	443	TCP
2024-11-25T08:34:20.987632+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49904	172.67.204.237	443	TCP
2024-11-25T08:34:23.097771+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49910	18.213.123.165	443	TCP
2024-11-25T08:34:33.352021+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49935	172.67.204.237	443	TCP
2024-11-25T08:34:35.888799+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49939	18.213.123.165	443	TCP
2024-11-25T08:34:45.817476+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49963	172.67.204.237	443	TCP
2024-11-25T08:34:47.912181+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49969	18.213.123.165	443	TCP
2024-11-25T08:34:57.503711+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49992	172.67.204.237	443	TCP
2024-11-25T08:34:59.589060+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49996	18.213.123.165	443	TCP
2024-11-25T08:35:10.225666+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50022	172.67.204.237	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:33:05.616060972 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:05.616112947 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:05.616185904 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:05.617739916 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:05.617757082 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:06.925177097 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:06.925259113 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:06.927339077 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:06.927350044 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:06.927606106 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:06.977803946 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:07.170506001 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:07.211328030 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:07.855070114 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:07.855129004 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:07.855197906 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:07.855498075 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:07.855513096 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:07.855565071 CET	49718	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:07.855571032 CET	443	49718	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:08.155848980 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:08.155879974 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:08.155945063 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:08.156272888 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:08.156281948 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:09.961770058 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:09.961853981 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:09.966078997 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:09.966089964 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:09.966367006 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:09.968384981 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:10.015333891 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:12.298209906 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:12.352866888 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:12.352881908 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:12.399699926 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:12.499188900 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:12.540371895 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:12.818989992 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:12.868554115 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:13.020883083 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:13.071643114 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:13.220962048 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:13.274760962 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:13.422166109 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:13.462168932 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:13.623356104 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:13.665355921 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:13.824054003 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:13.868437052 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:14.025018930 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:14.071547031 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:14.224091053 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:14.224196911 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:14.224291086 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:14.224325895 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:14.224342108 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:14.224364042 CET	49720	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:14.224370956 CET	443	49720	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:18.230859041 CET	49737	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:18.230901003 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:18.231043100 CET	49737	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:18.231338024 CET	49737	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:18.231350899 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:19.458226919 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:19.458372116 CET	49737	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:19.459692955 CET	49737	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:19.459705114 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:19.459983110 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:19.460920095 CET	49737	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:19.503343105 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:20.242748976 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:20.242891073 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:20.242945910 CET	49737	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:20.243170977 CET	49737	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:20.243187904 CET	443	49737	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:20.244745016 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:20.244785070 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:20.244884014 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:20.245178938 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:20.245192051 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:21.484920979 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:21.485008001 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:21.486299038 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:21.486309052 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:21.486571074 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:21.487390995 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:21.531338930 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:23.923090935 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:23.977823019 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:23.977843046 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:24.024719000 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:24.124185085 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:24.165327072 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:24.324650049 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:24.368472099 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:24.525207043 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:24.571597099 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:25.204109907 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:25.259068966 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:25.259097099 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:25.305939913 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:25.328190088 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:25.384147882 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:25.529894114 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:25.571624994 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:25.730036974 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:25.730128050 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:25.730200052 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:25.730232954 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:25.730252028 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:25.730262995 CET	49743	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:25.730269909 CET	443	49743	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:29.747086048 CET	49765	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:29.747114897 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:29.747211933 CET	49765	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:29.747524023 CET	49765	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:29.747556925 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:31.005047083 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:31.005203962 CET	49765	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:31.006568909 CET	49765	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:31.006583929 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:31.006834030 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:31.007518053 CET	49765	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:31.055341005 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:31.800642014 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:31.800703049 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:31.800785065 CET	49765	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:31.800960064 CET	49765	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:31.800987005 CET	443	49765	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:31.802169085 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:31.802196980 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:31.802303076 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:31.802557945 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:31.802571058 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:33.112922907 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:33.113122940 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:33.121598005 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:33.121611118 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:33.121818066 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:33.125711918 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:33.171330929 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:36.097349882 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:36.149728060 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:36.308438063 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:36.352849960 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:36.640544891 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:36.680982113 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:36.850734949 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:36.899718046 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:37.061073065 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:37.102850914 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:37.286087036 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:37.337215900 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:37.498334885 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:37.540348053 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:37.896447897 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:37.946604013 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:38.403079987 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:38.446604013 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:38.613399982 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:38.665369987 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:38.805963993 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:38.806034088 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:38.806184053 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:38.806251049 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:38.806266069 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:38.806283951 CET	49772	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:38.806288958 CET	443	49772	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:42.808998108 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:42.809039116 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:42.809114933 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:42.809480906 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:42.809503078 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.023473024 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.023542881 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:44.055746078 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:44.055782080 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.056744099 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.062602043 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:44.107340097 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.844790936 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.844865084 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.844913006 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:44.847290993 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:44.847317934 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.847331047 CET	49807	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:44.847338915 CET	443	49807	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:44.867259026 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:44.867290020 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:44.867372036 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:44.867686033 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:44.867691994 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:46.140088081 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:46.140180111 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:46.141491890 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:46.141503096 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:46.142061949 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:46.143089056 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:46.183337927 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:49.148375988 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:49.196948051 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:49.196970940 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:49.243602037 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:49.519988060 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:49.571815968 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:49.722652912 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:49.774817944 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:49.922118902 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:49.977863073 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:50.123210907 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:50.165389061 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:50.324148893 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:50.368530989 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:50.912367105 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:50.962230921 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:51.113398075 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:51.165405035 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:51.315449953 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:51.315547943 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:51.315644979 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:51.315768003 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:51.315768003 CET	49813	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:51.315798998 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:51.315812111 CET	443	49813	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:55.355592012 CET	49837	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:55.355629921 CET	443	49837	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:55.355767965 CET	49837	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:55.356106997 CET	49837	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:55.356121063 CET	443	49837	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:56.612788916 CET	443	49837	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:56.612862110 CET	49837	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:56.614089012 CET	49837	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:56.614108086 CET	443	49837	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:56.614356995 CET	443	49837	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:56.615047932 CET	49837	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:56.655333042 CET	443	49837	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:57.410990953 CET	443	49837	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:57.411070108 CET	443	49837	172.67.204.237	192.168.2.6
Nov 25, 2024 08:33:57.411225080 CET	49837	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:57.411493063 CET	49837	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:33:57.412728071 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:57.412771940 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:57.412894011 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:57.413163900 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:57.413177967 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:58.723942995 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:58.724023104 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:58.725898027 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:58.725909948 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:58.726164103 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:33:58.726854086 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:33:58.767338037 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:01.180512905 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:01.227902889 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:01.227926970 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:01.274802923 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:01.390765905 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:01.431009054 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:01.600805998 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:01.650276899 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:01.833204031 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:01.884141922 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:02.107414961 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:02.150912046 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:02.317641973 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:02.368508101 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:02.528168917 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:02.583797932 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:02.746386051 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:02.790395975 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:02.956703901 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:03.040400982 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:03.111121893 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:03.111186981 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:03.111248016 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:03.111351013 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:03.111366987 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:03.111388922 CET	49843	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:03.111394882 CET	443	49843	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:07.155491114 CET	49871	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:07.155534029 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:07.155883074 CET	49871	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:07.155883074 CET	49871	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:07.155924082 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:08.367420912 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:08.367517948 CET	49871	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:08.435570955 CET	49871	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:08.435607910 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:08.436022043 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:08.447581053 CET	49871	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:08.495331049 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:09.192337036 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:09.192408085 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:09.192457914 CET	49871	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:09.192548990 CET	49871	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:09.192568064 CET	443	49871	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:09.494111061 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:09.494152069 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:09.494230032 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:09.494627953 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:09.494657040 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:10.837984085 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:10.838069916 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:10.839464903 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:10.839477062 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:10.839730978 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:10.840758085 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:10.887341022 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:13.294425964 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:13.337291956 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:13.337312937 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:13.384152889 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:13.558449984 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:13.602895975 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:13.939359903 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:13.993573904 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:14.165025949 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:14.212291956 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:14.375588894 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:14.415427923 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:14.585916996 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:14.634205103 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:14.796014071 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:14.837272882 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:15.006598949 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:15.054111004 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:15.340363026 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:15.384170055 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:15.538738966 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:15.538822889 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:15.538929939 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:15.539007902 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:15.539027929 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:15.539046049 CET	49881	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:15.539064884 CET	443	49881	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:19.544065952 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:19.544101954 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:19.544183969 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:19.544543028 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:19.544548988 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:20.987550020 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:20.987632036 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:20.989485025 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:20.989497900 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:20.989778042 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:20.990760088 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:21.035339117 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:21.786613941 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:21.786675930 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:21.786808014 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:21.787189960 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:21.787189960 CET	49904	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:21.787216902 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:21.787236929 CET	443	49904	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:21.788502932 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:21.788535118 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:21.788724899 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:21.789288998 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:21.789302111 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:23.097697020 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:23.097770929 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:23.099081039 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:23.099097013 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:23.099395037 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:23.100151062 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:23.143328905 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:25.916294098 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:25.962276936 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:25.962291002 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:26.009152889 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:26.126641989 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:26.181025028 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:26.336982965 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:26.384157896 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:26.547394037 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:26.587400913 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:26.757699966 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:26.806058884 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:26.968038082 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:27.009172916 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:27.178442001 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:27.227920055 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:27.388835907 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:27.431029081 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:27.599046946 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:27.649776936 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:28.082204103 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:28.082292080 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:28.082380056 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:28.082535028 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:28.082556009 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:28.082571030 CET	49910	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:28.082576990 CET	443	49910	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:32.093511105 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:32.093565941 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:32.093661070 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:32.094084024 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:32.094098091 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:33.351425886 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:33.352020979 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:33.353077888 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:33.353102922 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:33.353404045 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:33.354413986 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:33.399336100 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:34.153793097 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:34.153851032 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:34.153942108 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:34.154099941 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:34.154120922 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:34.154186010 CET	49935	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:34.154195070 CET	443	49935	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:34.155854940 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:34.155900955 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:34.156011105 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:34.156311989 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:34.156327963 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:35.888274908 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:35.888798952 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:36.013237953 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:36.013267040 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:36.013617992 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:36.021287918 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:36.063342094 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:38.439547062 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:38.494818926 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:38.494854927 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:38.540477037 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:38.728410006 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:38.778805017 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:39.029016018 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:39.078638077 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:39.230034113 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:39.274821997 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:39.430603027 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:39.477942944 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:39.631154060 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:39.681070089 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:39.830854893 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:39.884212971 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:40.030791044 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:40.071701050 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:40.354468107 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:40.399873972 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:40.553952932 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:40.554027081 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:40.554085016 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:40.554140091 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:40.554157019 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:40.554182053 CET	49939	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:40.554189920 CET	443	49939	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:44.607307911 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:44.607379913 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:44.607724905 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:44.608207941 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:44.608232975 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:45.817372084 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:45.817476034 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:45.818881989 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:45.818892956 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:45.819143057 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:45.819963932 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:45.867332935 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:46.600929976 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:46.600996017 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:46.601042986 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:46.601284027 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:46.601284027 CET	49963	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:46.601305008 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:46.601314068 CET	443	49963	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:46.602634907 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:46.602663994 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:46.602721930 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:46.603707075 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:46.603714943 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:47.912074089 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:47.912180901 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:47.913727045 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:47.913764000 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:47.914047956 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:47.914877892 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:47.959335089 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:50.369471073 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:50.415838957 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:50.415852070 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:50.462357998 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:50.579741001 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:50.634227991 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:50.790024042 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:50.837482929 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:51.000686884 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:51.056099892 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:51.211082935 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:51.259208918 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:51.421399117 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:51.478028059 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:51.631905079 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:51.681075096 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:51.842335939 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:51.884238958 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:52.052606106 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:52.096777916 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:52.234466076 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:52.234549046 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:52.234615088 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:52.234800100 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:52.234827042 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:52.234855890 CET	49969	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:52.234863043 CET	443	49969	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:56.246331930 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:56.246366024 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:56.246720076 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:56.246766090 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:56.246773005 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:57.503614902 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:57.503710985 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:57.550328970 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:57.550345898 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:57.550682068 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:57.561714888 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:57.603370905 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:58.323116064 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:58.323205948 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:58.323257923 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:58.323463917 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:58.323484898 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:58.323502064 CET	49992	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:34:58.323507071 CET	443	49992	172.67.204.237	192.168.2.6
Nov 25, 2024 08:34:58.324839115 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:58.324882030 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:58.324942112 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:58.325292110 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:58.325301886 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:59.588593006 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:59.589060068 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:59.603188038 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:59.603225946 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:59.603604078 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:34:59.606271982 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:34:59.647339106 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:03.081573009 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:03.134893894 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:03.134907961 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:03.181104898 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:03.282349110 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:03.337413073 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:03.483371973 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:03.525881052 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:03.689202070 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:03.743578911 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:03.892050028 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:03.946887016 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:04.092952013 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:04.134315968 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:04.604098082 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:04.649869919 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:04.805397987 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:04.852984905 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:05.020538092 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:05.071835995 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:05.226661921 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:05.226763964 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:05.227068901 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:05.227238894 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:05.227261066 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:05.227324009 CET	49996	443	192.168.2.6	18.213.123.165
Nov 25, 2024 08:35:05.227332115 CET	443	49996	18.213.123.165	192.168.2.6
Nov 25, 2024 08:35:08.965668917 CET	50022	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:35:08.965708017 CET	443	50022	172.67.204.237	192.168.2.6
Nov 25, 2024 08:35:08.965929985 CET	50022	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:35:08.966453075 CET	50022	443	192.168.2.6	172.67.204.237
Nov 25, 2024 08:35:08.966464043 CET	443	50022	172.67.204.237	192.168.2.6
Nov 25, 2024 08:35:10.225570917 CET	443	50022	172.67.204.237	192.168.2.6
Nov 25, 2024 08:35:10.225666046 CET	50022	443	192.168.2.6	172.67.204.237

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:33:05.234813929 CET	57312	53	192.168.2.6	1.1.1.1
Nov 25, 2024 08:33:05.610373974 CET	53	57312	1.1.1.1	192.168.2.6
Nov 25, 2024 08:33:07.856807947 CET	51048	53	192.168.2.6	1.1.1.1
Nov 25, 2024 08:33:08.154922009 CET	53	51048	1.1.1.1	192.168.2.6
Nov 25, 2024 08:34:09.193829060 CET	53789	53	192.168.2.6	1.1.1.1
Nov 25, 2024 08:34:09.492912054 CET	53	53789	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 08:33:05.234813929 CET	192.168.2.6	1.1.1.1	0x89ac	Standard query (0)	eth0.cdn-serveri2004-ns.shop	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:33:07.856807947 CET	192.168.2.6	1.1.1.1	0x8c90	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:34:09.193829060 CET	192.168.2.6	1.1.1.1	0xbb48	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 08:33:05.610373974 CET	1.1.1.1	192.168.2.6	0x89ac	No error (0)	eth0.cdn-serveri2004-ns.shop		172.67.204.237	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:33:05.610373974 CET	1.1.1.1	192.168.2.6	0x89ac	No error (0)	eth0.cdn-serveri2004-ns.shop		104.21.52.225	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:33:08.154922009 CET	1.1.1.1	192.168.2.6	0x8c90	No error (0)	httpbin.org		18.213.123.165	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:33:08.154922009 CET	1.1.1.1	192.168.2.6	0x8c90	No error (0)	httpbin.org		18.208.8.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:34:03.071160078 CET	1.1.1.1	192.168.2.6	0xfb1d	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:34:03.071160078 CET	1.1.1.1	192.168.2.6	0xfb1d	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:34:03.071160078 CET	1.1.1.1	192.168.2.6	0xfb1d	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:34:09.492912054 CET	1.1.1.1	192.168.2.6	0xbb48	No error (0)	httpbin.org		18.213.123.165	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:34:09.492912054 CET	1.1.1.1	192.168.2.6	0xbb48	No error (0)	httpbin.org		18.208.8.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

eth0.cdn-serveri2004-ns.shop

httpbin.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49718	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:07 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:33:07 UTC	888	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:33:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zQbc6eMR4j%2F9ELWRML7EY2lS9a67hz%2BJagbh2M5XuOK5RSVd7%2FfKBcGEOhbGc%2FHS701tZjnmCuWwZryjfnahHf2kAF%2FzGHoxsnsQwEoTn8vXZeCsZ1%2BkxRUj0q%2FNszrBfAXOeCEu6KBrNLpXcKS6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff2e0d89dde9b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1490&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=725&delivery_rate=1921052&cwnd=146&unsent_bytes=0&cid=f45ec54b4728b46c&ts=940&x=0"
2024-11-25 07:33:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49720	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:09 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:33:12 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:33:12 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:33:12 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:12 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:12 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:13 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:13 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:13 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:13 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:13 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:14 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:14 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49737	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:19 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:33:20 UTC	888	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:33:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XO1IQkT1g14BQbF%2BH8rYd23sOLbrJ2QDWraZDexIRlpPYpC%2FscuI%2FWnEwCqjKESTotThfWq%2FinUfzVIR0QiRrYvnvf%2FwCcoHl97t3TFt7cDp6g74L1Z7WGW1oHSrXwnFEIgnN%2F%2FVnmRhM6AUnUSG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff32e4a6c726b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1779&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=725&delivery_rate=1587819&cwnd=237&unsent_bytes=0&cid=644912e9d70a44e9&ts=796&x=0"
2024-11-25 07:33:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49743	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:21 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:33:23 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:33:23 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:33:23 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:24 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:24 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:24 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:25 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:25 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:25 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:25 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:25 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:25 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49765	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:31 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:33:31 UTC	878	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:33:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=frClXEllGXGCIcZww2XNnbzhcXTiiyv67VUhZtREG1duJ3XW2%2Fg1HZdZBP1tMtu7UHtNbkxhIGqzl%2BsvxtoMPPSYlQkQ6DMOiTqgA1rKTYTGfvjRod7qVvIsjPfDKSEz2mZR6CsAm2zWKdI7MUjs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff3768d390f63-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1510&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=725&delivery_rate=1868202&cwnd=219&unsent_bytes=0&cid=13ffcf8d916166ff&ts=802&x=0"
2024-11-25 07:33:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49772	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:33 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:33:36 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:33:35 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:33:36 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:36 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:36 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:37 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:37 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:37 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:37 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:38 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:38 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:38 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49807	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:44 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:33:44 UTC	882	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:33:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BqMzzIb7lQW6Q2fmV2GkwQjIN9HE%2B4xIgbYctROkzI1kIk1IaNpsMRwu0gGEGLcr3e5jn1q4rcRanzK8Ac5XIrNlQUcQGi8cVMPe8GXL1t3OIVfnpFYS0NXf%2BAjv6NeDvx%2BLwKpkijTxh0gpbl3H"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff3c7ea40421f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=725&delivery_rate=1790312&cwnd=239&unsent_bytes=0&cid=f76cd8915e899473&ts=799&x=0"
2024-11-25 07:33:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49813	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:46 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:33:49 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:33:48 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:33:49 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:49 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:49 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:49 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:49 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:50 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:50 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:50 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:51 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:33:51 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49837	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:56 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:33:57 UTC	884	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:33:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vgl306Wf%2BKp6bkpGac0gzrlKFksO6N7R1VYEIynypqmk8zecMDCLEdCuUgws3o4dnYHBwjutcXl8L%2FI2OfXe9oJ2AyKSJWGU3YfIjs7jiI%2B79bqTO3DY1t2FcR%2FlvtAALI1nTMratlQ8czse3%2FfK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff4169eb9c44a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1473&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=725&delivery_rate=1959731&cwnd=223&unsent_bytes=0&cid=e0e3d36bf2df9516&ts=804&x=0"
2024-11-25 07:33:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49843	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:33:58 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:34:01 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:34:01 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:34:01 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:01 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:01 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:01 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:02 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:02 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:02 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:02 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:02 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:03 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49871	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:08 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:34:09 UTC	878	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:34:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UeQMhRp7kEodQwcsU5Qve083lqjmqfKVN3R9Q04cT4nRd1NXJ66sJs1AZxAH6ieHk5oBKhxddLmg6HXXNRb4%2B46tASTuaTL6c8QZLq2mlnAqs2oZRqWOk1Q3rOvBbqBRUgcGH%2FNU8SZ30V6ATVQr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff4600ff632e2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1815&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=725&delivery_rate=1584373&cwnd=159&unsent_bytes=0&cid=5b9b84561fb463f4&ts=831&x=0"
2024-11-25 07:34:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49881	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:10 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:34:13 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:34:13 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:34:13 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:13 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:13 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:14 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:14 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:14 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:14 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:15 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:15 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:15 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49904	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:20 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:34:21 UTC	882	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:34:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OO3fmGhWROLJm%2FG4k6z4tpEbUg%2BdEHeWJupXdODSkuVMuU7jJfUr0gXv2hBX7XlsRre0qwhAdEbhz2OTu%2BKfbPc1YEDtdWo8%2BJ0xBmi5GVIAqA5p8b576K8u4LVGOqUPuhvebQzCSnvC9XDNQ4KC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff4aefdc67c7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1812&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=725&delivery_rate=1516883&cwnd=207&unsent_bytes=0&cid=264f87521c68c6fc&ts=805&x=0"
2024-11-25 07:34:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49910	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:23 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:34:25 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:34:25 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:34:25 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:26 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:26 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:26 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:26 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:26 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:27 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:27 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:27 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:28 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49935	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:33 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:34:34 UTC	878	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:34:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wMN9wP9GeEsy3m4jMKCT8AxOQiTPXgFCdkRysCy2qcErQQ6yQXmceTXfWQhGxOW52R24IoyZpKATztzVTNmbPSoy1l9sV1BOgoKkelVQGhxUSoYO8wnHTjbzgKnGYobwquC%2F%2FWTvsYVWWbb20rgc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff4fc2a165e82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=725&delivery_rate=1812538&cwnd=216&unsent_bytes=0&cid=03c982f71abf6517&ts=808&x=0"
2024-11-25 07:34:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49939	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:36 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:34:38 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:34:38 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:34:38 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:38 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:39 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:39 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:39 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:39 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:39 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:40 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:40 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:40 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49963	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:45 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:34:46 UTC	882	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:34:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TYC19sJyK3GrvTwdSrxlRMYmc5vrSPI1EL5uodkA9uEHU7S5Zouq4j1E2aYLvOnITlztq3o%2FXcwwTs2EGuM%2B9ed6Tefw0LJvETIME%2FVHLDOk%2BfGGpin9kUQXUZLJvaj0IyyASZxKpYnAKUtrTCXI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff54a1ce5429e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1596&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2860&recv_bytes=725&delivery_rate=1777236&cwnd=192&unsent_bytes=0&cid=930ac95c2dfa93fa&ts=788&x=0"
2024-11-25 07:34:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49969	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:47 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:34:50 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:34:50 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:34:50 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:50 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:50 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:50 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:51 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:51 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:51 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:51 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:52 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:34:52 UTC	1	IN	Data Raw: 2a Data Ascii: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49992	172.67.204.237	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:57 UTC	111	OUT	GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 Connection: Keep-Alive Host: eth0.cdn-serveri2004-ns.shop
2024-11-25 07:34:58 UTC	880	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 07:34:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store Location: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3%2BxULBPHEQdALM2hdaC5JsNpRTAziaO9%2BZ%2FxttjZq0gAmcPV3kKdm7IMOOlElbHNz3RLMoK3hSxvcBh8Ovg6q0Lwbwop4la06OgnuaPk3Ukbrw1Bn67vMr0mc9HnWoggm2LGj3rNxprMYhi4y7WE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7ff5931df54346-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1590&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=725&delivery_rate=1849271&cwnd=252&unsent_bytes=0&cid=46e51ecc901e884a&ts=826&x=0"
2024-11-25 07:34:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49996	18.213.123.165	443	1444	C:\Users\user\Desktop\t90RvrDNvz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:34:59 UTC	105	OUT	GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 Connection: Keep-Alive Host: httpbin.org
2024-11-25 07:35:03 UTC	232	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:35:02 GMT Content-Type: application/octet-stream Content-Length: 10 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-11-25 07:35:03 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:03 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:03 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:03 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:03 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:04 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:04 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:04 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:05 UTC	1	IN	Data Raw: 2a Data Ascii: *
2024-11-25 07:35:05 UTC	1	IN	Data Raw: 2a Data Ascii: *

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: t90RvrDNvz.exePID: 1444, Parent PID: 4004

General

Target ID:	0
Start time:	02:33:04
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\t90RvrDNvz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\t90RvrDNvz.exe"
Imagebase:	0x400000
File size:	26'869'672 bytes
MD5 hash:	05CE896E3A0A78A9BF1F12A51D83D215
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: t90RvrDNvz.exePID: 1444, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	206
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0087C7BB Relevance: 1.6, APIs: 1, Instructions: 149
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0087C71B: GlobalAlloc.KERNELBASE ref: 0087C764

NtQuerySystemInformation.NTDLL ref: 0087C83F

Memory Dump Source

Source File: 00000000.00000002.3391193513.000000000087A000.00000020.00000001.01000000.00000003.sdmp, Offset: 0087A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87a000_t90RvrDNvz.jbxd

Similarity

API ID: AllocGlobalInformationQuerySystem
String ID:
API String ID: 3737350999-0
Opcode ID: 2c2e1b94ccae692e9845cdce1a74e634185cc8c57d145ea3b73e9c048b3ae931
Instruction ID: f6c76592d22a96d4037c69e842e85df42ae5dcab228c5d997eeb3086835044c2
Opcode Fuzzy Hash: 2c2e1b94ccae692e9845cdce1a74e634185cc8c57d145ea3b73e9c048b3ae931
Instruction Fuzzy Hash: A451AE70618B888FC394EB2CC484B6ABBE1FB98345F50896DF58DC3264DB74D980CB42

Function 0087C3EB Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDelayExecution.NTDLL ref: 0087C425

Memory Dump Source

Source File: 00000000.00000002.3391193513.000000000087A000.00000020.00000001.01000000.00000003.sdmp, Offset: 0087A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87a000_t90RvrDNvz.jbxd

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: eb39c1d72cbe717bc85fca09b74d458cc1ecfe8a19ab4362ccb154eff7b4d154
Instruction ID: bea07ff878a7e0f3c9803b5a3905d7fe5fe5e5b03164ae5baaef54e3eb0d0a5f
Opcode Fuzzy Hash: eb39c1d72cbe717bc85fca09b74d458cc1ecfe8a19ab4362ccb154eff7b4d154
Instruction Fuzzy Hash: 53E0E530408B458BC704EF28C44914ABBE0FBD8214F808B1EF499D61A0DB79C2098B42

Function 0087BDCB Relevance: 4.6, APIs: 3, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 0087BE14

Memory Dump Source

Source File: 00000000.00000002.3391193513.000000000087A000.00000020.00000001.01000000.00000003.sdmp, Offset: 0087A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87a000_t90RvrDNvz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1b9ca64b6430e35908f15df3b6d45bcbbbc675b5257bb09dcee137a8955b3737
Instruction ID: bb3dc0bf853825555a397f8288fed7a09d565e5cce377e41af48e8fd5d868265
Opcode Fuzzy Hash: 1b9ca64b6430e35908f15df3b6d45bcbbbc675b5257bb09dcee137a8955b3737
Instruction Fuzzy Hash: A531C530118B488FDB94DF28C498B6ABBF1FF99345F50496DE189C3260CB75D845CB02

Function 0087B8AB Relevance: 1.5, APIs: 1, Instructions: 29
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0087C71B: GlobalAlloc.KERNELBASE ref: 0087C764

LoadLibraryExW.KERNELBASE ref: 0087B8E3

Memory Dump Source

Source File: 00000000.00000002.3391193513.000000000087A000.00000020.00000001.01000000.00000003.sdmp, Offset: 0087A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87a000_t90RvrDNvz.jbxd

Similarity

API ID: AllocGlobalLibraryLoad
String ID:
API String ID: 3361179946-0
Opcode ID: f19f65336d6bf89c575e026b19d1e6ffc759ff68260c591b755dcf2ac8b3e4d3
Instruction ID: 20eff9beefd7556c31b5b4bc3f09812d3ca2352c1b8b4b9756fbf8c9c13c0db5
Opcode Fuzzy Hash: f19f65336d6bf89c575e026b19d1e6ffc759ff68260c591b755dcf2ac8b3e4d3
Instruction Fuzzy Hash: 82F09870518A488F8684EF1CC448A1ABBE1FBD8355F504A2DA48CD3234CB35D944CB42

Function 0087C71B Relevance: 1.3, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE ref: 0087C764

Memory Dump Source

Source File: 00000000.00000002.3391193513.000000000087A000.00000020.00000001.01000000.00000003.sdmp, Offset: 0087A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87a000_t90RvrDNvz.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: ba1b9466268fe03848d5d9d10af9dd6cf040b6a4df980d2f73a2bd1ec1c171d8
Instruction ID: 84b6eb4d5f7fd24f2af21fe74643d858a0fb54b32e1b5a907ba47e51dea684e9
Opcode Fuzzy Hash: ba1b9466268fe03848d5d9d10af9dd6cf040b6a4df980d2f73a2bd1ec1c171d8
Instruction Fuzzy Hash: DEF048346086488FCB84EB28C488A1ABBF1FB99314F504A6DE58DD7261D736E985CB02

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report t90RvrDNvz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
t90RvrDNvz.exe

Function 0087C7BB Relevance: 1.6, APIs: 1, Instructions: 149
nativeCOMMON

Function 0087C3EB Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 0087BDCB Relevance: 4.6, APIs: 3, Instructions: 95
fileCOMMON

Function 0087B8AB Relevance: 1.5, APIs: 1, Instructions: 29
libraryCOMMON

Function 0087C71B Relevance: 1.3, APIs: 1, Instructions: 28
memoryCOMMON